X2Go Bug report logs - #1465
Allow running with restricted shell (rbash), or limit applications that can be run.

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Vladislav Kurz <vladislav.kurz@webstep.net>

Date: Wed, 22 Apr 2020 16:25:01 UTC

Severity: wishlist

Found in version 4.1.0.3-0~1708~ubuntu16.04.1

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Reply-To: Vladislav Kurz <vladislav.kurz@webstep.net>, 1465@bugs.x2go.org
Resent-From: Vladislav Kurz <vladislav.kurz@webstep.net>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 22 Apr 2020 16:25:01 +0000
Resent-Message-ID: <handler.1465.B.158757243423648@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 1465
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.158757243423648
          (code B); Wed, 22 Apr 2020 16:25:01 +0000
Received: (at submit) by bugs.x2go.org; 22 Apr 2020 16:20:34 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.7 required=3.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.2
Received: from mail.webstep.net (mail.webstep.net [195.201.172.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 2620F5DAF0
	for <submit@bugs.x2go.org>; Wed, 22 Apr 2020 18:20:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=webstep.net
	; s=dkim; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:
	Date:Subject:To:From:In-Reply-To:References:Sender:Reply-To:Cc:Content-ID:
	Content-Description; bh=CqS1JyKvsRe13uX2XMimmpn6IjVHe3pqewhCH37z9s0=; b=fNiLq
	NSg/EFKCFfYZPWqeFhJOIj8mOeserc3UPw2Wxjizhnz3+Vy56dcX+cYH+aCITFbdEE5cFANHrbGIY
	mzHjs3w66isH9bamgjQDYbKp20Vlmhc8yNVqjJuKZMXDj7b9Aizc5f7sLktKs0RLYsxY++xKHqxW1
	KkSkzBB+50s4=;
Received: from ip-89-102-32-92.net.upcbroadband.cz ([89.102.32.92]:33926 helo=hex.localnet)
	by mail.webstep.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <vladislav.kurz@webstep.net>)
	id 1jRI6v-0001iJ-NC
	for submit@bugs.x2go.org; Wed, 22 Apr 2020 18:20:29 +0200
From: Vladislav Kurz <vladislav.kurz@webstep.net>
To: submit@bugs.x2go.org
Date: Wed, 22 Apr 2020 18:20:29 +0200
Message-ID: <2807081.Gr0nKVqjWH@hex>
User-Agent: KMail/5.2.3 (Linux/4.9.0-12-amd64; KDE/5.28.0; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

Package: x2goserver
Version: 4.1.0.3-0~1708~ubuntu16.04.1
Severity: wishlist

Hello all,

we are using x2go to run a single application on remote server, and we want to 
lock all other access as much as possible. Essentially, we'd like to ensure 
that even if the user connects via SSH, he could start only one (or limited 
set) of applications.

I found this guide https://wiki.x2go.org/doku.php/wiki:security:rbash but it 
seems to be somewhat outdated. I followed the instructions, created the 
wrapper command, set up the symlinks, and configured ssh, but then I get this 
error: Connection failed. rbash: bash: command not found

Apparently x2go client is trying to execute "bash /usr/bin/x2goruncommand" 
instead of just "x2goruncommand". If I add bash to the path with allowed 
commands, it starts working. But it makes the whole use of rbash pointless.
Also it allows me to run anything via x2go anyway - as x2goruncommand is a 
bash script, it escapes the restrictions of rbash.

Is it possible to update that wiki page with current requirements - what 
commands are necessary in $PATH for restricted shell ? I found that at least 
nxagent should be there too. And to modify the login sequence so that bash is 
not needed in $PATH ? BTW is that defined on server or client? Where exactly?

I also found a nice feature "published applications"
https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
It would be nice, if the x2go server had a config option, allowing users to run 
only the "published applications", or use some other list of allowed commands.

So far my attempts at limiting the access to other applications was not very 
successful. There's a lot of stuff needed internally by x2go, so I cannot just 
remove execute bit from many commands in (/usr)/bin/

Thanks for any advice or hotfix.
Best Regards

Vladislav Kurz

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Apr 24 18:04:29 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.