X2Go Bug report logs - #372
x2goadmin writes to users homes

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 15 Dec 2013 00:18:02 UTC

Severity: serious

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#372: x2goadmin writes to users homes
Reply-To: Reinhard Tartler <siretart@gmail.com>, 372@bugs.x2go.org
Resent-From: Reinhard Tartler <siretart@gmail.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Sun, 15 Dec 2013 00:18:02 +0000
Resent-Message-ID: <handler.372.B.138706641729982@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 372
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.138706641729982
          (code B); Sun, 15 Dec 2013 00:18:02 +0000
Received: (at submit) by bugs.x2go.org; 15 Dec 2013 00:13:37 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-qe0-f47.google.com (mail-qe0-f47.google.com [209.85.128.47])
	by ymir (Postfix) with ESMTPS id BDC715DB20
	for <submit@bugs.x2go.org>; Sun, 15 Dec 2013 01:13:36 +0100 (CET)
Received: by mail-qe0-f47.google.com with SMTP id t7so2841159qeb.20
        for <submit@bugs.x2go.org>; Sat, 14 Dec 2013 16:13:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=luLV9ChP8jliT01wZJHpxPykyGU6hPb67EYJddK0IM4=;
        b=rWyzctlGLIRlcOYpLR2zljqTim5F4r0tInkHl3UCSA5jjZlzKfFVxjHScLfvTvfSeO
         bewmaxy7ugYq7Z7zCuou02V/O2xab9akRzmTZg9E1DAE7eOsH5IrH2fch9l+txsmDrs6
         uVFdXRrxI/wxO0xC3SlXZYYtQ4xG9UyiswGS00e2Zk3fBy9eleZaF1mnH2ZAdiF1jxmK
         7Z0YNs/CgaKTbOJG90kTFAefOvglLWVdgZ7izBdVeoj/XKYfMH3qQ2okvW0sGZkOznul
         NB/9nRc2Tz2vHNnQjQAdR7zr0Pu+zlFFEgQCWm71eU38TANYmIkGXWh8oVDrQk6H1qqn
         8FkA==
MIME-Version: 1.0
X-Received: by 10.224.37.1 with SMTP id v1mr18881441qad.29.1387066415425; Sat,
 14 Dec 2013 16:13:35 -0800 (PST)
Received: by 10.96.78.227 with HTTP; Sat, 14 Dec 2013 16:13:35 -0800 (PST)
Date: Sat, 14 Dec 2013 19:13:35 -0500
Message-ID: <CAJ0cceZBqnQ1MfvTFfP7i55MtTi-cyjyABD8TtjHbi9kcxg=2A@mail.gmail.com>
From: Reinhard Tartler <siretart@gmail.com>
To: submit@bugs.x2go.org
Content-Type: text/plain; charset=ISO-8859-1
Package: x2goserver
Severity: serious

Hi,

my understanding of the x2goadmin code [code], end of sub add_user, is
that the code tries to write the sql password in users homes. This
will fail for installations that have the user homes on NFS with the
option "rootsquash" mounted.

I set the severity to "serious" because I imagine that this is a
rather common scenario.

Also, this approach has another problem: Imagine you want to give
access to the unix group "staff"? According to the documentation, you
can use the options "--addgroup" and "--rmgroup" for this. What if a
new employee joins the company later and wants to use x2go? In this
case you need to call x2godbadmin for this new user again, which is
suboptimal.

Is there really no way to get around generated user passwords?

[code] http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

-- 
regards,
    Reinhard

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 11:10:05 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.