X2Go Bug report logs - #1465
Allow running with restricted shell (rbash), or limit applications that can be run.


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Vladislav Kurz <vladislav.kurz@webstep.net>

Date: Wed, 22 Apr 2020 16:25:01 UTC

Severity: wishlist

Found in version 4.1.0.3-0~1708~ubuntu16.04.1

Full log



X-Loop: owner@bugs.x2go.org
Subject: Bug#1465: [X2Go-Dev] Bug#1465: Bug#1465: Bug#1465: Bug#1465: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Reply-To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 1465@bugs.x2go.org
Resent-From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Mon, 04 May 2020 16:45:01 +0000
Resent-Message-ID: <handler.1465.B1465.158861044014979@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 1465
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
References: <b0f7f18d-b027-712a-9fec-5b91773d13c0@baur-itcs.de> <2807081.Gr0nKVqjWH@hex> <3d0ec19b-9273-4db0-2363-6ff18a4ebc00@baur-itcs.de> <2807081.Gr0nKVqjWH@hex> <1869583.Jh6TSF2MMF@hex> <2807081.Gr0nKVqjWH@hex>
Received: via spool by 1465-submit@bugs.x2go.org id=B1465.158861044014979
          (code B ref 1465); Mon, 04 May 2020 16:45:01 +0000
Received: (at 1465) by bugs.x2go.org; 4 May 2020 16:40:40 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.13])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id D47205DAC1
	for <1465@bugs.x2go.org>; Mon,  4 May 2020 18:40:36 +0200 (CEST)
Received: from [192.168.0.15] ([78.43.58.112]) by mrelayeu.kundenserver.de
 (mreue109 [212.227.15.145]) with ESMTPSA (Nemesis) id
 1N8onQ-1j2cHS22fG-015pzm for <1465@bugs.x2go.org>; Mon, 04 May 2020 18:40:36
 +0200
To: 1465@bugs.x2go.org
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Message-ID: <d6f7e2cb-b9f3-2789-15bb-634b1f08c1b2@baur-itcs.de>
Date: Mon, 4 May 2020 18:40:36 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <1869583.Jh6TSF2MMF@hex>
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
On 04.05.20 at 18:00, Vladislav Kurz wrote:
> I know that redesigning the whole calculation as web application would be much 
> better. But if protection against 80% of users can be done with 20% effort, I 
> would do it. You say that 100 % protection is not possible, so there is no 
> reason to do anything...

As previously explained, there is probably no need to code the whole
application as a web app.  All you should need, in my opinion, is a
frontend (GUI+X2Go, or Web, doesn't matter), proper input sanitizing,
and libreoffice in headless mode.

*.ods files are ZIP archives, so you can unzip them like so:

unzip samplecalc.ods

Archive:  samplecalc.ods
 extracting: mimetype
 extracting: Thumbnails/thumbnail.png
   creating: Configurations2/accelerator/
   creating: Configurations2/popupmenu/
   creating: Configurations2/toolpanel/
   creating: Configurations2/menubar/
   creating: Configurations2/images/Bitmaps/
   creating: Configurations2/toolbar/
   creating: Configurations2/floater/
   creating: Configurations2/statusbar/
   creating: Configurations2/progressbar/
  inflating: content.xml
  inflating: meta.xml
  inflating: styles.xml
  inflating: manifest.rdf
  inflating: settings.xml
  inflating: META-INF/manifest.xml

You would then use xmlstarlet to modify the fields in content.xml.  Or
even simpler (but dirty), put some unique placeholders there and use sed
to replace them with your sanitized user-provided values.

Zip it all back together, and run:

soffice --convert-to pdf samplecalc.ods  --headless

This gives you a samplecalc.pdf that you can open in a PDF viewer or web
browser.

Or you could provide your users with a template *.ods with identical
fields, but lacking the formulas.

Have them fill out the fields in their "dumb" copy, then read the field
contents into your template and provide them with the output.  Either as
PDF or as *.ods again - with the value fields, but lacking the formulas
again.

No need to rape X2Go code for this.  In fact, it's probably safer and
saner to run all this on a web server.

-Stefan


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Commercial register: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
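
The unzip / edit content.xml / zip / soffice workflow from the reply above, as an added example that is not part of this bug report and not X2Go or LibreOffice code. The point it makes is the "proper input sanitizing" step: the placeholder-and-sed approach splices raw user text into XML, so a value such as </text:p><table:table-cell table:formula="of:=1+1"> would create a new cell carrying a formula of the user's choosing. Editing content.xml through an XML parser instead writes that value back as escaped text, keeps placeholder cells free of any table:formula attribute, and only accepts a number where the template expects one. It also re-packs the archive with the mimetype entry first and uncompressed, as the ODF packaging spec requires. The template, the manifest, the placeholder names __NAME__ and __AMOUNT__, the value kinds and the sample inputs are constructed for this example; soffice is assumed to be on PATH for the final conversion step.

```python
"""Fill placeholder cells in an .ods through an XML parser instead of sed.
Added example, constructed for this page (not X2Go or LibreOffice code)."""
import io, re, shutil, subprocess, zipfile
import xml.etree.ElementTree as ET

NS = {"office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
      "table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
      "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
      "manifest": "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
ODS_MIMETYPE = "application/vnd.oasis.opendocument.spreadsheet"
CELL, FORMULA = "{%s}table-cell" % NS["table"], "{%s}formula" % NS["table"]
VALUE, VALUE_TYPE = "{%s}value" % NS["office"], "{%s}value-type" % NS["office"]
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")  # what a 'float' cell may hold

# Constructed template: A1 and B1 hold placeholders, C1 keeps the real formula.
TEMPLATE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="{office}" xmlns:table="{table}"
 xmlns:text="{text}" office:version="1.2"><office:body><office:spreadsheet>
<table:table table:name="Sheet1"><table:table-row>
<table:table-cell office:value-type="string"><text:p>__NAME__</text:p></table:table-cell>
<table:table-cell office:value-type="float" office:value="0"><text:p>__AMOUNT__</text:p></table:table-cell>
<table:table-cell table:formula="of:=[.B1]*1.19" office:value-type="float" office:value="0"><text:p>0</text:p></table:table-cell>
</table:table-row></table:table></office:spreadsheet></office:body></office:document-content>
""".format(**NS)
TEMPLATE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="{manifest}" manifest:version="1.2">
<manifest:file-entry manifest:full-path="/" manifest:media-type="{mime}"/>
<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
""".format(manifest=NS["manifest"], mime=ODS_MIMETYPE)


def write_ods(entries):
    """Pack name -> bytes as .ods; ODF wants 'mimetype' first and uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ODS_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        for name, data in entries.items():
            if name != "mimetype":
                zf.writestr(name, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def make_template_ods():
    return write_ods({"content.xml": TEMPLATE_CONTENT.encode(),
                      "META-INF/manifest.xml": TEMPLATE_MANIFEST.encode()})


def accepts_number(raw):
    return NUMBER_RE.match(raw) is not None


def fill_content_xml(xml_bytes, values):
    """values: placeholder -> (kind, raw), kind 'string' or 'float'.  The raw
    text is assigned to the DOM node, so '<' and '&' are escaped on output;
    a placeholder cell never keeps a formula attribute, whatever was sent."""
    root = ET.fromstring(xml_bytes)
    seen = set()
    for cell in root.iter(CELL):
        p = cell.find("text:p", NS)
        if p is None or p.text not in values:
            continue
        kind, raw = values[p.text]
        seen.add(p.text)
        cell.attrib.pop(FORMULA, None)  # placeholder cells carry data only
        if kind == "float":
            if not accepts_number(raw):
                raise ValueError("not a number: %r" % raw)
            cell.set(VALUE_TYPE, "float")
            cell.set(VALUE, raw)
        elif kind == "string":
            cell.set(VALUE_TYPE, "string")
            cell.attrib.pop(VALUE, None)
        else:
            raise ValueError("unknown kind %r" % kind)
        p.text = raw
    missing = set(values) - seen
    if missing:
        raise ValueError("placeholders not found: %s" % sorted(missing))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def fill_ods(template_ods, values):
    """The thread's unzip / edit / zip steps, done in memory."""
    with zipfile.ZipFile(io.BytesIO(template_ods)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist()}
    entries["content.xml"] = fill_content_xml(entries["content.xml"], values)
    return write_ods(entries)


def inspect_ods(ods_bytes):
    """(first entry name, its compress_type, [(formula, value-type, text)] per cell)."""
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as zf:
        first = zf.infolist()[0]
        root = ET.fromstring(zf.read("content.xml"))
    cells = [(c.get(FORMULA), c.get(VALUE_TYPE), c.find("text:p", NS).text)
             for c in root.iter(CELL)]
    return first.filename, first.compress_type, cells


def render_pdf(ods_path, outdir):
    """The soffice step from the thread; returns None if soffice is not on PATH."""
    soffice = shutil.which("soffice")
    if soffice is None:
        return None
    return subprocess.run([soffice, "--headless", "--convert-to", "pdf",
                           "--outdir", outdir, ods_path], check=True)


if __name__ == "__main__":  # fill, save, convert to PDF as the thread describes
    hostile = '</text:p><table:table-cell table:formula="of:=1+1"><text:p>x'
    ods = fill_ods(make_template_ods(), {"__NAME__": ("string", hostile),
                                         "__AMOUNT__": ("float", "42.5")})
    open("filled.ods", "wb").write(ods)
    print(inspect_ods(ods))
    render_pdf("filled.ods", ".")
```

inspect_ods re-parses the result so the check does not depend on LibreOffice: the hostile string comes back as the text of one string cell, the sheet still has exactly three cells, and the only formula left is the template's own. If the deliverable is the *.ods rather than the PDF, the same fill_content_xml pass can also drop table:formula from every cell of the output, which is the "value fields, but lacking the formulas" variant mentioned in the reply.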



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Aug 13 12:26:15 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.