X2Go Bug report logs - #1465
Allow running with restricted shell (rbash), or limit applications that can be run.

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Vladislav Kurz <vladislav.kurz@webstep.net>

Date: Wed, 22 Apr 2020 16:25:01 UTC

Severity: wishlist

Found in version 4.1.0.3-0~1708~ubuntu16.04.1

Message #8 received at 1465-quiet@bugs.x2go.org (full text, mbox, reply):

To: 1465-quiet@bugs.x2go.org
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Subject: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Message-ID: <2d88f21b-ed72-d7f6-0932-8f1d0a981701@baur-itcs.de>
Date: Sun, 3 May 2020 22:43:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
On 22.04.20 at 18:20, Vladislav Kurz wrote:

[skipping the rbash part because I haven't really used that ever]

> > I also found a nice feature "published applications"
> > https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
> > It would be nice if the x2go server had a config option allowing
> > users to run only the "published applications", or use some other
> > list of allowed commands.

That is impossible.

X2Go follows the Unix principle: Do *one* thing, and do it right.

The one place where you define which users are allowed to run
applications is the file system and its executable permissions.

Anything X2Go would try to place on top of that would be bound to fail, as
it can easily be bypassed by a user running X2Go with a custom
configuration, or SSHing into the machine with ssh -X, thus bypassing
X2Go entirely.

A bit more than 5 years ago, in

<https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=666>

I wrote:

SECURITY NOTICE

Users are advised to not misinterpret X2GoServer's Published
Application Mode as a security feature.  Even when using Published
Application Mode, it is still possible for users to locally configure
an X2GoClient with any setting they want, and use that to connect.  So
if you're trying to keep users from running a certain application on
the host, using Published Application Mode to "lock" the configuration
is the *wrong* way.  The users will still be able to run that
application by creating their own, local configuration file and using
that.  To keep users from running an application on the server, you
have to use *filesystem permissions*.  In the simplest case, this
means setting chmod 750 or 550 on the particular application on the
host, and making sure the users in question are not the owner and also
not a member of the group specified for the application.

This still stands.  It seems, however, like that notice only got
appended to the X2GoBroker man page, but nowhere to X2GoServer's
documentation.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Aug 13 12:36:37 2020; Machine Name: ymir.das-netzwerkteam.de
