X2Go Bug report logs - #1465
Allow running with restricted shell (rbash), or limit applications that can be run.

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Vladislav Kurz <vladislav.kurz@webstep.net>

Date: Wed, 22 Apr 2020 16:25:01 UTC

Severity: wishlist

Found in version

Full log

Message #53 received at 1465@bugs.x2go.org (full text, mbox, reply):

Received: (at 1465) by bugs.x2go.org; 4 May 2020 16:00:48 +0000
From vladislav.kurz@webstep.net  Mon May  4 18:00:44 2020
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Spam-Status: No, score=-0.1 required=3.0 tests=BAYES_40,DKIM_SIGNED,
	autolearn_force=no version=3.4.2
Received: from mail.webstep.net (mail.webstep.net [])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id B26EE5DAC1
	for <1465@bugs.x2go.org>; Mon,  4 May 2020 18:00:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=webstep.net
	; s=dkim; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:
	Content-Description; bh=KRWJHIwGvEEQQ/R3MEGpjEIMgVYpO8VcBIi/f2ZpjgA=; b=ZvkDq
Received: from ip-89-102-32-92.net.upcbroadband.cz ([]:60482 helo=hex.localnet)
	by mail.webstep.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <vladislav.kurz@webstep.net>)
	id 1jVdWM-0005sc-Gr
	for 1465@bugs.x2go.org; Mon, 04 May 2020 18:00:42 +0200
From: Vladislav Kurz <vladislav.kurz@webstep.net>
To: 1465@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1465: Bug#1465: Bug#1465: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Date: Mon, 04 May 2020 18:00:42 +0200
Message-ID: <1869583.Jh6TSF2MMF@hex>
User-Agent: KMail/5.2.3 (Linux/4.9.0-12-amd64; KDE/5.28.0; x86_64; ; )
In-Reply-To: <3d0ec19b-9273-4db0-2363-6ff18a4ebc00@baur-itcs.de>
References: <b0f7f18d-b027-712a-9fec-5b91773d13c0@baur-itcs.de> <2807081.Gr0nKVqjWH@hex> <3d0ec19b-9273-4db0-2363-6ff18a4ebc00@baur-itcs.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Dne pondělí 4. května 2020 17:01:10 CEST, Stefan Baur napsal(a):
> And here's the next catch: They intend to use Libreoffice as their
> single published application.  Which allows the user to write their own
> macros in Libreoffice Basic.  Which allows them to read binary files and
> do things with them.  Like convert them to a bunch of QR codes and
> display them.  So to do the things that need to be done, they (the
> owners) are depending on an executable which the user can do so much
> more with than they want it to do.  And there's no way to limit that,
> other than to refrain from using Libreoffice as a front-end.
> -Stefan

With full respect to the users, if they were capable of that, they would 
probably be able to write similar spreadsheet from scratch (and have some 
other job).

I know that redesigning the whole calculation as web application would be much 
better. But if protection against 80% of users can be done with 20% effort, I 
would do it. You say that 100 % protection is not possible, so there is no 
reason to do anything...

All I want is to close this one obvious hole:
ssh somewhere "cat file" > file

I cannot remove exec bit from /bin/cat, cause it is required to set up x2go 
session. If the rbash guide I referenced at the beginning worked, this would 
be possible.

Best regards
Vladislav Kurz

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Aug 13 12:14:42 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.