X2Go Bug report logs - #372
x2goadmin writes to users homes

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 15 Dec 2013 00:18:02 UTC

Severity: serious

Subject: Bug#372: [X2Go-Dev] Bug#372:  Bug#372: x2goadmin writes to users homes
Date: Mon, 16 Dec 2013 14:59:40 +0100
From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 372@bugs.x2go.org,
	x2go-dev@lists.berlios.de
Cc: Reinhard Tartler <siretart@gmail.com>, o.schneyder@phoca-gmbh.de
On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> Hi Reinhard,
> 
> On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> 
> >Package: x2goserver
> >Severity: serious
> >
> >Hi,
> >
> >my understanding of the x2goadmin code [code], end of sub add_user, is
> >that the code tries to write the sql password in users' homes. This
> >will fail for installations that have the user homes on NFS with the
> >option "rootsquash" mounted.
> >
> >I set the severity to "serious" because I imagine that this is a
> >rather common scenario.
> >
> >Also, this approach has another problem: Imagine you want to give
> >access to the unix group "staff"? According to the documentation, you
> >can use the options "--addgroup" and "--rmgroup" for this. What if a
> >new employee joins the company later and wants to use x2go? In this
> >case you need to call x2godbadmin for this new user again, which is
> >suboptimal.
> >
> >Is there really no way to get around generated user passwords?

There is a way that could work: If configured correctly, PostgreSQL can
use GSSAPI (Kerberos) Authentication. That way, the user is
authenticated using his login ticket cache which is created anyways.
If necessary, one could also provide a keyfile for the cleanup-cronjob
so that it can at least access the database with sufficient permissions.

But I have never tried this with x2go and don't know if it would work.



Ciao,

Alexander Wuerstlein.
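
A sketch of the PostgreSQL side of the GSSAPI setup suggested in the reply above, added here as an illustration; it is not from the thread or the X2Go project, and the database name, network, realm, principal and file paths are placeholders. The thread does not establish whether x2goserver works with this configuration.

```conf
# ---- pg_hba.conf (PostgreSQL server) ------------------------------------
# Constructed example. "x2go_sessions", 192.0.2.0/24 and EXAMPLE.ORG are
# placeholders, not values taken from the bug report.

# Password-based entry: every user needs a generated database password,
# stored in a file that user can read (the per-home file this bug is about).
# TYPE  DATABASE       USER  ADDRESS        METHOD
#host   x2go_sessions  all   192.0.2.0/24   md5

# GSSAPI entry: the server validates the client's Kerberos ticket, so no
# password file has to be written into NFS-mounted homes.
# include_realm=0 strips "@EXAMPLE.ORG", so alice@EXAMPLE.ORG connects as
# the role "alice"; krb_realm rejects principals from any other realm.
host    x2go_sessions  all   192.0.2.0/24   gss include_realm=0 krb_realm=EXAMPLE.ORG

# Caveats:
#  - GSSAPI only authenticates. The matching database role must still exist
#    and hold the right privileges; creating it is a separate step.
#  - If role names differ from principal names, add map=<mapname> to the
#    line above and define the mapping in pg_ident.conf.

# ---- postgresql.conf ----------------------------------------------------
# Keytab holding the service key postgres/<db-host>@EXAMPLE.ORG.
# Readable by the postgres system user only.
krb_server_keyfile = '/etc/postgresql/krb5.keytab'

# ---- cleanup cron job (no interactive login, so no ticket cache) --------
# The job obtains a ticket from its own keytab before connecting, e.g.:
#   kinit -k -t /etc/x2go/cleanup.keytab x2gocleanup@EXAMPLE.ORG
# The keytab path and principal name are hypothetical. The file is
# equivalent to a password: root-owned, mode 0600, on local disk.
```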

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:21:12 2024; Machine Name: ymir.das-netzwerkteam.de
