X2Go Bug report logs - #372
x2goadmin writes to users homes

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 15 Dec 2013 00:18:02 UTC

Severity: serious


Subject: Bug#372: [X2Go-Dev] Bug#372: x2goadmin writes to users homes
Date: Mon, 16 Dec 2013 07:34:34 +0000
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Reinhard Tartler <siretart@gmail.com>, 372@bugs.x2go.org
Cc: o.schneyder@phoca-gmbh.de
Hi Reinhard,

On Sun 15 Dec 2013 01:13:35 CET, Reinhard Tartler wrote:

> Package: x2goserver
> Severity: serious
>
> Hi,
>
> my understanding of the x2goadmin code [code], end of sub add_user, is
> that the code tries to write the SQL password in users' homes. This
> will fail for installations that have the user homes on NFS with the
> option "rootsquash" mounted.
>
> I set the severity to "serious" because I imagine that this is a
> rather common scenario.
>
> Also, this approach has another problem: Imagine you want to give
> access to the unix group "staff"? According to the documentation, you
> can use the options "--addgroup" and "--rmgroup" for this. What if a
> new employee joins the company later and wants to use x2go? In this
> case you need to call x2godbadmin for this new user again, which is
> suboptimal.
>
> Is there really no way to get around generated user passwords?
>
> [code]  
> http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

I install x2goserver on the file servers and run x2godbadmin there  
daily in a cron job.

If you have distributed file servers, one should test for the $HOME to  
be accessible in x2godbadmin.

If needed, we could split out x2godbadmin from the x2goserver package  
and provide it as a standalone package.

As this is a workaround and not a solution to your question above,  
let's see if Alex has a comment on this.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
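
Added example, not part of the original message and not x2goserver code: one way to run the `$HOME` accessibility test suggested above as a pre-check in the cron job, so that users whose homes root cannot write to (for example on a root-squashed NFS export) are skipped instead of causing a failure. The function names and the `user:home` input format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: decide per user whether a root-run tool can store a
# credential file in that user's home directory.

# home_accessible DIR
# Exit 0 if a file can really be created in DIR, 1 otherwise.
# The probe is an actual create-and-delete, because that is the operation
# a root-squashed NFS server refuses.
home_accessible() {
    dir=$1
    [ -d "$dir" ] || return 1
    # mktemp creates the file exclusively with mode 0600, so a pre-planted
    # symlink with the probe's name is never followed.
    probe=$(mktemp "$dir/.home-probe.XXXXXX" 2>/dev/null) || return 1
    rm -f -- "$probe"
    return 0
}

# partition_homes
# Reads "user:home" lines on stdin (assumed format) and prints
# "ok USER" or "skip USER" for each, without aborting on the first failure.
partition_homes() {
    while IFS=: read -r user home; do
        [ -n "$user" ] || continue
        if home_accessible "$home"; then
            printf 'ok %s\n' "$user"
        else
            printf 'skip %s\n' "$user"
        fi
    done
}
```

Only the users reported as `ok` would then be handed to the tool that writes into the home directory; the `skip` list is worth logging so that unreachable homes are noticed.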

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:14:41 2024; Machine Name: ymir.das-netzwerkteam.de
