X2Go Bug report logs - #1550
X2Go/Server/DB/SQLite3.pm: Reads shadow entry ($pass) but it is never used


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Paul Menzel <pmenzel@molgen.mpg.de>

Date: Wed, 2 Jun 2021 11:40:02 UTC

Severity: normal

Found in version 4.1.0.3



Message #5 received at submit@bugs.x2go.org:

To: submit@bugs.x2go.org
From: Paul Menzel <pmenzel@molgen.mpg.de>
Subject: X2Go/Server/DB/SQLite3.pm: Reads shadow entry ($pass) but it is never used
Message-ID: <b4f29d48-cdaa-0198-517a-7568b3a17ab5@molgen.mpg.de>
Date: Wed, 2 Jun 2021 13:38:12 +0200
Package: x2goserver
Version: 4.1.0.3


Dear X2Go folks,


We noticed that every two seconds our “shadow server” (similar to NIS)
gets a request for the shadow line of the x2go user [1].

Tracing this reveals:

     x2gocleansessio-3593    [112] .... 2334059.441996: sys_clone <-system_call_exception
               <...>-468193  [120] .... 2334059.538048: sys_clone <-system_call_exception
               <...>-468194  [128] .... 2334059.539367: sys_clone <-system_call_exception
     x2golistsession-468193  [120] .... 2334059.542178: sys_clone <-system_call_exception
     libx2go-server--468196  [136] .... 2334059.656827: tcp_connect <-tcp_v4_connect
     x2gocleansessio-3593    [112] .... 2334059.695737: sys_clone <-system_call_exception
               <...>-468197  [128] .... 2334059.793699: sys_clone <-system_call_exception
            x2gopath-468198  [137] .... 2334059.794604: sys_clone <-system_call_exception
       x2gogetstatus-468197  [128] .... 2334059.797066: sys_clone <-system_call_exception
               <...>-468200  [097] .... 2334059.912926: tcp_connect <-tcp_v4_connect

    /sys/kernel/debug/tracing# ps -fp 3593
    UID          PID    PPID  C STIME TTY          TIME CMD
    root        3593       1  0 May06 ?        00:36:27 /usr/bin/perl /usr/sbin/x2gocleansessions

and (for example the first `libx2go-server-db-sqlite3-wrapper`) → 
`/usr/share/perl5/X2Go/Server/DB/SQLite3.pm` contains:

        my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwnam($x2gouser);
        my $dbfile="$homedir/x2go_sessions";

> The getpwnam() function returns a pointer to a structure containing the
> broken-out fields of the record in the password database (e.g., the
> local password file /etc/passwd, NIS, and LDAP) that matches the username
> name.

Reading `/usr/share/perl5/X2Go/Server/DB/SQLite3.pm` [2] it looks like
the variable `$pass` is never used?

```
sub init_db
{
	# retrieve home dir of x2gouser
	my $x2gouser='x2gouser';
	my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwnam($x2gouser);
	my $dbfile="$homedir/x2go_sessions";
	my $dbh=DBI->connect("dbi:SQLite:dbname=$dbfile","","",{sqlite_use_immediate_transaction => 1, AutoCommit => 1, }) or die $_;

	# on SLE 11.x the sqlite_busy_timeout function does not exist, trying to work around that...
	if ( $dbh->can('sqlite_busy_timeout') )
	{
		$dbh->sqlite_busy_timeout( 2000 );
	}
	return $dbh;
}
```


Kind regards,

Paul


[1]: https://salsa.debian.org/debian-remote-team/x2goserver/-/blob/master/x2goserver/sbin/x2gocleansessions#L166
[2]: https://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=X2Go/Server/DB/SQLite3.pm;h=e6fb22b884c869dc14c6471a99ba31a5d45a6c30;hb=HEAD#l64
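
Added example (not part of the original report and not X2Go code): a Python parser for the function-trace excerpt quoted above that attributes each `tcp_connect` event to a program, handling the 15-character comm truncation and the `<...>` placeholder. The sample trace is the report's lines with mail wrapping undone; the `KNOWN` list and all function names are assumptions introduced here.

```python
import re
from collections import Counter

# Constructed sample: the trace lines quoted in the report, with mail wrapping undone.
TRACE = """\
     x2gocleansessio-3593    [112] .... 2334059.441996: sys_clone <-system_call_exception
               <...>-468193  [120] .... 2334059.538048: sys_clone <-system_call_exception
               <...>-468194  [128] .... 2334059.539367: sys_clone <-system_call_exception
     x2golistsession-468193  [120] .... 2334059.542178: sys_clone <-system_call_exception
     libx2go-server--468196  [136] .... 2334059.656827: tcp_connect <-tcp_v4_connect
     x2gocleansessio-3593    [112] .... 2334059.695737: sys_clone <-system_call_exception
               <...>-468197  [128] .... 2334059.793699: sys_clone <-system_call_exception
            x2gopath-468198  [137] .... 2334059.794604: sys_clone <-system_call_exception
       x2gogetstatus-468197  [128] .... 2334059.797066: sys_clone <-system_call_exception
               <...>-468200  [097] .... 2334059.912926: tcp_connect <-tcp_v4_connect
"""
# Program names that appear in the report; the kernel truncates comm to 15 characters.
KNOWN = ["x2gocleansessions", "libx2go-server-db-sqlite3-wrapper"]

LINE = re.compile(r"^\s*(?P<comm>.+)-(?P<pid>\d+)\s+\[\d+\]\s+\S+\s+"
                  r"(?P<ts>\d+\.\d+):\s+(?P<func>\S+)\s+<-(?P<caller>\S+)$")

def parse(trace):
    """Return one dict per trace line; comm may itself end in '-' (truncated name)."""
    events = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            events.append({**m.groupdict(), "pid": int(m["pid"]), "ts": float(m["ts"])})
    return events

def full_name(comm):
    """Expand a 15-character comm to a known program name when the match is unique."""
    hits = [k for k in KNOWN if len(comm) == 15 and k.startswith(comm)]
    return hits[0] if len(hits) == 1 else comm

def resolve(events):
    """'<...>' means ftrace had no cached comm for that PID; reuse a name seen elsewhere."""
    seen = {e["pid"]: e["comm"] for e in events if e["comm"] != "<...>"}
    return [{**e, "comm": full_name(seen.get(e["pid"], "<unknown>"))} for e in events]

def connects_by_program(events):
    """Count tcp_connect events per resolved program name."""
    return Counter(e["comm"] for e in resolve(events) if e["func"] == "tcp_connect")

if __name__ == "__main__":
    for name, n in connects_by_program(parse(TRACE)).items():
        print(f"{n} tcp_connect from {name}")
```

PIDs that only ever appear as `<...>` in the captured window are reported as `<unknown>`; a longer capture or a `ps` lookup, as done in the report for PID 3593, is needed to name them.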




X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Mar 29 08:30:22 2024; Machine Name: ymir.das-netzwerkteam.de
