From unknown Mon Apr 20 01:43:11 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#372: [X2Go-Dev] Bug#372: x2goadmin writes to users homes
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 372@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
Resent-Date: Mon, 16 Dec 2013 07:48:02 +0000
Resent-Message-ID: <handler.372.B372.138717927516995@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 372
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
Date: Mon, 16 Dec 2013 07:34:34 +0000
Message-ID: <20131216073434.Horde.PERNE-ga0mmuL2Mohe-6VA2@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Reinhard Tartler <siretart@gmail.com>, 372@bugs.x2go.org
Cc: o.schneyder@phoca-gmbh.de
References: <CAJ0cceZBqnQ1MfvTFfP7i55MtTi-cyjyABD8TtjHbi9kcxg=2A@mail.gmail.com>
In-Reply-To: <CAJ0cceZBqnQ1MfvTFfP7i55MtTi-cyjyABD8TtjHbi9kcxg=2A@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 213.178.75.58
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101
 Firefox/23.0 Iceweasel/23.0
Content-Type: multipart/signed; boundary="=_90GagPUWvFr4ZipUbb0qGg6";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0

This message is in MIME format and has been PGP signed.

--=_90GagPUWvFr4ZipUbb0qGg6
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Disposition: inline

Hi Reinhard,

On Sun 15 Dec 2013 01:13:35 CET, Reinhard Tartler wrote:

> Package: x2goserver
> Severity: serious
>
> Hi,
>
> my understanding of the x2goadmin code [code], end of sub add_user, is
> that the code tries to write the SQL password in users' homes. This
> will fail for installations that have the user homes on NFS with the
> option "rootsquash" mounted.
>
> I set the severity to "serious" because I imagine that this is a
> rather common scenario.
>
> Also, this approach has another problem: Imagine you want to give
> access to the unix group "staff"? According to the documentation, you
> can use the options "--addgroup" and "--rmgroup" for this. What if a
> new employee joins the company later and wants to use x2go? In this
> case you need to call x2godbadmin for this new user again, which is
> suboptimal.
>
> Is there really no way to get around generated user passwords?
>
> [code]  
> http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

I install x2goserver on the file servers and run x2godbadmin there  
daily in a cron job.

If you have distributed file servers, one should test for the $HOME to  
be accessible in x2godbadmin.

If needed, we could split out x2godbadmin from the x2goserver package  
and provide it as a standalone package.

As this is a workaround and not a solution to your question above,  
let's see if Alex has a comment on this.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

--=_90GagPUWvFr4ZipUbb0qGg6--
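
The reply above suggests that x2godbadmin test whether $HOME is accessible before writing the password file. One way such a check can work, as an added example that is not code from x2godbadmin or the X2Go project: the directory and file names are placeholders and the return codes are assumptions. It probes with a real write (which fails under NFS root squashing), refuses a symlinked target directory while running privileged, and reports an inaccessible home with a distinct code so a later cron run can retry.

```shell
#!/bin/sh
# Added illustration; not taken from x2godbadmin.
SECRET_DIR=.example-app   # hypothetical directory name, not from the page
SECRET_FILE=dbpass        # hypothetical file name, not from the page

# store_secret HOME_DIR SECRET
# returns 0 = written, 2 = home not accessible from this host (skip and
# retry later), 1 = refused or failed for another reason.
store_secret() {
    home=$1; secret=$2
    dir=$home/$SECRET_DIR

    # Home absent on this host (not mounted, user not provisioned yet).
    [ -d "$home" ] || return 2

    # Do not follow a symlink planted in a user-controlled directory
    # while running as root.
    if [ -L "$dir" ]; then return 1; fi

    # Real write attempt instead of a permission test: with root
    # squashing the server maps root to an unprivileged uid, so
    # mkdir/mktemp fail here and the home is reported as skipped.
    ( umask 077; mkdir -p "$dir" ) 2>/dev/null || return 2
    tmp=$(umask 077; mktemp "$dir/.tmp.XXXXXX" 2>/dev/null) || return 2

    printf '%s\n' "$secret" > "$tmp" || { rm -f "$tmp"; return 1; }

    if [ "$(id -u)" -eq 0 ]; then
        # Hand directory and file to the owner of the home
        # (numeric uid:gid taken from ls -n).
        owner=$(ls -ldn "$home" | awk '{print $3 ":" $4}')
        chown "$owner" "$dir" "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # Rename within the same directory so readers never see a partial file.
    mv -f "$tmp" "$dir/$SECRET_FILE" || { rm -f "$tmp"; return 1; }
    return 0
}
```

The symlink check narrows but does not close the race between the check and the write; performing the write under the target user's own uid avoids both that race and the root-squash failure.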
