X2Go Bug report logs - #1465
Allow running with restricted shell (rbash), or limit applications that can be run.

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Vladislav Kurz <vladislav.kurz@webstep.net>

Date: Wed, 22 Apr 2020 16:25:01 UTC

Severity: wishlist

Found in version 4.1.0.3-0~1708~ubuntu16.04.1

Full log


đź”— View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#1465: [X2Go-Dev] Bug#1465: Bug#1465: Bug#1465: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Reply-To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 1465@bugs.x2go.org
Resent-From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Mon, 04 May 2020 14:10:01 +0000
Resent-Message-ID: <handler.1465.B1465.1588601227887@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 1465
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
References: <b0f7f18d-b027-712a-9fec-5b91773d13c0@baur-itcs.de> <2807081.Gr0nKVqjWH@hex> <556ee27c-521d-be03-5a43-08843247b4fb@baur-itcs.de> <2807081.Gr0nKVqjWH@hex> <2471789.PIXMQkQJa5@hex> <2807081.Gr0nKVqjWH@hex>
Received: via spool by 1465-submit@bugs.x2go.org id=B1465.1588601227887
          (code B ref 1465); Mon, 04 May 2020 14:10:01 +0000
Received: (at 1465) by bugs.x2go.org; 4 May 2020 14:07:07 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.2
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 2BE245DAC1
	for <1465@bugs.x2go.org>; Mon,  4 May 2020 16:07:00 +0200 (CEST)
Received: from [192.168.0.15] ([78.43.58.112]) by mrelayeu.kundenserver.de
 (mreue108 [212.227.15.145]) with ESMTPSA (Nemesis) id
 1N3sVq-1j5NhL3IZs-00zowm for <1465@bugs.x2go.org>; Mon, 04 May 2020 16:06:59
 +0200
To: 1465@bugs.x2go.org
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Autocrypt: addr=X2Go-ML-1@baur-itcs.de; prefer-encrypt=mutual; keydata=
 xsBNBFLfOiwBCACzIiDVwWVRvuMzgSAvXRFRaPaZOSB8s84PG1oGLfmqhwzF44vj1Xv4tcKD
 mvu0TsLTksOkvop8WwGYeeU8lDaxEG1zyN8SOu1WU/FPEKw2jITRox8yIrSkUsMkWYuxdjv/
 9XcAh9qaPsHP7E1jD6/wVZuYZkuX6W41Nxt06VsvDGCfrbQh4ya7w1IiSnoQeIHNNQVN9f3j
 xcHLj5S5YriSCThtbFCdr3AJXfF5iMolu8kLgAXM0bH1C7PxAjM/pQjWmdMVN/Y+uXXzcMO8
 8aQ0f0q3QeGWxCAP2xwBapUfP6LHDRPp/tV7P7ji8wKlabrSGdv0M9Qd9pn/YCYQE0ZdABEB
 AAHNJlN0ZWZhbiBCYXVyIDxwb3N0bWFzdGVyQHN0ZWZhbmJhdXIuZGU+wsCCBBMBAgAsAhsj
 BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4ACGQEFAlwtWmgFCRK0IbcACgkQbt30GM2+URkj
 nwgAixhVoMxijCsh9jxxCUYBj7lC5HYhJmlAB+bZOfl1XI8xqMLw8YGECfu0VSe++FlaOAuc
 gArofqu79E2+wKxPaqW2lC94eKR1+kgkDOJyqckYj2Xmyi+vDfrOWjbyawIwiq5FUW2CB6zv
 nkTr68ZQ43mAVC1zz2tpAikn2Af4/OdHwUBzSAOpUt4rDbXDe93WW34XuyG2RDma6kE1Cr0u
 ilqvzKOz5SYp5ASmCyaA0wCzs7fjTy2KuMlOCSFRzwPJpzddr8rS9ZiTLdia/BZvShBEjOq4
 MZHWYv+RGK5RB4eDzw0KbPszXRJBUdXiZIcI0jqbC57Ht64ok3lXquXp987ATQRS3zosAQgA
 4KPXmGU1XE8CTRJ/4m/f8MTri3JfEvGJTerWwC2hBuXHGWrSBmmRNAdJHzNTvq5IoR9tQ6Cb
 Nrqxf6alr/v34Vr2bUg0s+jlK9TWOkVLAFoz6zytm/2BrRBIZ5So6Ymfc6efwsScsHOI++wi
 pzqELkpluqtXysb13RsBVLxBdp5TZCVPjCc9pLWjudfjEagQt2oJgtO2WndasrKvoZYkfRi6
 oSCK9B84YjNJoRF00LdK3n7K3SBvj4UPSl+ygzLVaD+3ZdIlbhX+bfn/Vp/10xdJ+/U8Fr7l
 7umrBKr17D8eO3mRYMGY9w1qc+pfNGOR76GIbPWj2tPVaBD9nmUaowARAQABwsBlBBgBAgAP
 AhsMBQJcLVqtBQkStCH9AAoJEG7d9BjNvlEZInkIAIcchwZxurIpwJJR8qMMXD+RSvj7mY55
 VIXOKUX0uAUTEoJTzFcqbdGkzcJB9y0NlUo9dv4chPT21M61y0bjJjhaDUshCLa1+YyFSSWp
 GBOKrLIsWusqC9zVwgf7TtjVmXt23jZwoDWjXoMlg9eQONMi5Z4u+lDOyPKD+lGJAcjJkQsI
 zL9hha3vuhmUclxgdALTJWzQBp+Y7u9QDub4uqf/TyuDpYASiP0winBRfTug+XjP5YZjU//P
 07H9WhiUCsHp6L9j3QzvrovVy2zz0j7JhyhW3e957vHz2skkSVv3QGtHMswcgK3XaQ9YdgWO
 ELHmBhevaIcJIxDvTBl3pYQ=
Message-ID: <e7a20f2f-d72e-f011-6e39-269ca732db8b@baur-itcs.de>
Date: Mon, 4 May 2020 16:06:59 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <2471789.PIXMQkQJa5@hex>
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K1:dZwkUOseqarsCLwfQmEol8XI22yN5aHm9iVboEINQTun0b05Ppa
 LpyDNiFVXeahL7Rwrt0CtEavATng8hfHzcITgCN0pXBaabFahpg6SrwmO6+6GTG28W1DwVj
 vyIQw46RwxM1WP4qBV6AGit6azeZr/dDn2fULB1/fQ7DQ2SOAJubTFCLNDGOHkXSPvOMdCF
 fHhozYFZhwfT35ZzldbXA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:30Yx9zGWFOI=:dNavMXqnT5wbsFkdh91MpN
 mqARamymWvR0788eiqGKEs0dL0m4c35rwwP5KtOn43ZGiYjbIqThrxW1KlUKI2wJOFuxm5tKh
 D3/0lfPFbLP6a/s2JemxO15IBGBPtOMYG3/TkR/+/sGSLrJ8PrAsn6BwzTYQX6jO3ipWXn30S
 hxEsH4RE9KHf89hW8L/fM/+r7stnjdMYOECXNPLAgkM8Ki1I4lJIF7JDlw2pKdI6VZS0OJTzj
 NrD0xquUSG57ek71xyf0ga092gl70tz1HBxnNGk0LsBVJvHG65r6S9CMOmoVFhcmjd2gAAcRs
 Wo35JlvFMsakeD6pD7oXNTI+30lz9XiuuBB6tysyJlMFdULNAv6h1H+aHgXS6nbyOL2f4S9lr
 St1LF4c3DVJTq0lkVPURFrmBsH0F1SDP3BFAICsfXIEXO5ZEJ5+iQviSLYHsUNPszu890RE/x
 c/KwyV8NHYyQ2g3nwWxYoyvGlPM/RAOgrrU+JdSUXz+NnNGKOjY/tcB1+AknV9IDbuup5bTkJ
 vb96cOsFGvBSyPkf/+Ib83LJow1thGCMch9uTMPRjtBfVIAmX5K9LzcvRlhTRXNiYKMaAydR0
 1Z1+ZIcWkQqV87jnJcBxAJnNdSPmjXT20/OW4cN1MP5vbPHCHUuOIFAOipq92dYhBedt0Ask/
 BeJv4yUgLnuz+qluoHa5o8zKfB8h2n03/A2sVKjdLAuqAS0JtyxnWtZ3BsdDjwfxMzTECFnPp
 mKKtvLzQcj/ucOemZGSSTzlClln6VMdzs9SleLQQtgZQtzTzY/J6bXSFjeANM/VVRoXUMNx/I
 tY6sspo0XfRlBAq50XVnGtge+HcXJuws2LKi6YjEB9H5J7AQ0Oc1ZY/YUq3/JiC59BijptH
Am 04.05.20 um 15:34 schrieb Vladislav Kurz:
> Hello,
> 
> I'm not sure If I should post to @bugs.x2go.org or x2go-dev mailing list.

Since you opened a bug report, use <1465@bugs.x2go.org>, that way, all
the right things (TM) will happen automagically.


> I have to explain it. The protected thing is openoffice sheet with some complex 
> formulas. The formulas should be protected from viewing by openoffice somehow 
> (that was not my task so I did not really check that in detail). Users fill in 
> input data, get the results, and can print them via CUPS to PDF (or paper). We 
> do not want them to get the sheet and use it elsewhere. They are allowed to 
> make work copies of the sheet within the protected environment, but should not 
> be able to get it out.

And that's your design flaw that you need to fix.

You really need to separate the logic from the data, so the users can't
access it.

You could, for example, try using stored procedures in a database, and
use Libreoffice or a Web browser as the GUI front end for the database
access.

Or you could try using Libreoffice in headless mode, by querying
parameters from the users in a script, properly sanitizing them
(whitelist the allowed input characters, instead of blacklisting
potentially troublesome ones), then passing them on to be inserted in a
template of your spreadsheet, and automatically print the result to a
PDF.  That way, the users won't be in direct contact with your precious
formulas, but only with a script you wrote (which would then call
libreoffice under a user id that has permission to access the
spreadsheet), and with a PDF viewer.

If the users have access to Libreoffice, and to your spreadsheet, they
*will* be able to come up with a way to copy your file.  And if it is
formula by formula using a QR code or OCR.

For example, Libreoffice Basic - the Macro language used by Libreoffice
that any user can write macros in - allows raw file I/O.
So it would be possible to read your spreadsheet file byte-by-byte
(bypassing any Libreoffice-internal protections it may have), encode it
in a QR code (current Libreoffice even has its own QR encoder built in),
then scan that code on the client, and save the result as a file.
And once it is stored on the attacker's machine, they can brute-force
their way into whatever protection you tried to apply, until they see
your formulas.

There is NO WAY of making it safe if you don't separate formulas and
data from each other.  X2Go won't help you.  Switching to a different
remote access solution won't help you.  Switching operating systems
won't help you.  Your problem is not X2Go, but how mighty and versatile
Libreoffice is.

You're trying to mitigate a severe security/privacy flaw in your basic
design with kludgy workarounds, instead of fixing it properly.  This is
hopeless and won't end well.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Aug 13 11:44:15 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.