X2Go Bug report logs - #372
x2goadmin writes to users homes

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 15 Dec 2013 00:18:02 UTC

Severity: serious



Message #30 received at 372@bugs.x2go.org (full text, mbox, reply):

Received: (at 372) by bugs.x2go.org; 16 Dec 2013 14:40:27 +0000
From snalwuer@stud.informatik.uni-erlangen.de  Mon Dec 16 15:40:26 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	RCVD_IN_DNSWL_BLOCKED,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from faui03.informatik.uni-erlangen.de (faui03.informatik.uni-erlangen.de [131.188.30.103])
	by ymir (Postfix) with ESMTPS id A79565DB16
	for <372@bugs.x2go.org>; Mon, 16 Dec 2013 15:40:26 +0100 (CET)
Received: from faui0sr0.informatik.uni-erlangen.de (faui0sr0.informatik.uni-erlangen.de [131.188.30.90])
	by faui03.informatik.uni-erlangen.de (Postfix) with ESMTP id 794C768057D;
	Mon, 16 Dec 2013 15:40:26 +0100 (CET)
Received: by faui0sr0.informatik.uni-erlangen.de (Postfix, from userid 31763)
	id 720EA2BC0D6; Mon, 16 Dec 2013 15:40:26 +0100 (CET)
Date: Mon, 16 Dec 2013 15:40:26 +0100
From: Alexander Wuerstlein <arw@cs.fau.de>
To: Reinhard Tartler <siretart@gmail.com>
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de,
	Mike Gabriel <mike.gabriel@das-netzwerkteam.de>,
	x2go-dev@lists.berlios.de
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes
Message-ID: <20131216144026.GG24005@cip.informatik.uni-erlangen.de>
References: <CAJ0cceZBqnQ1MfvTFfP7i55MtTi-cyjyABD8TtjHbi9kcxg=2A@mail.gmail.com>
 <20131216073434.Horde.PERNE-ga0mmuL2Mohe-6VA2@mail.das-netzwerkteam.de>
 <20131216135940.GF24005@cip.informatik.uni-erlangen.de>
 <CAJ0ccebpO+3_0oJYq2m9oomhFMi4KW-MsafT7mBpMKdi5qYRMA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAJ0ccebpO+3_0oJYq2m9oomhFMi4KW-MsafT7mBpMKdi5qYRMA@mail.gmail.com>
X-Echelon-Scan: plutonium bomb osama revenge dirty allah satan iran victory
 dimona cocaine guantanamo centrifuge holy war pigs mossad nsa
X-Echelon-Result: Belligerent
User-Agent: Mutt/1.5.21 (2010-09-15)
On 13-12-16 15:33, Reinhard Tartler <siretart@gmail.com> wrote:
> On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <
> snalwuer@cip.informatik.uni-erlangen.de> wrote:
> >
> > On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > > Hi Reinhard,
> > >
> > > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > >
> > > >Package: x2goserver
> > > >Severity: serious
> > > >
> > > >Hi,
> > > >
> > > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > > >that the code tries to write the sql password in users' homes. This
> > > >will fail for installations that have the user homes mounted on NFS with
> > > >the "rootsquash" option.
> > > >
> > > >I set the severity to "serious" because I imagine that this is a
> > > >rather common scenario.
> > > >
> > > >Also, this approach has another problem: Imagine you want to give
> > > >access to the unix group "staff"? According to the documentation, you
> > > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > > >new employee joins the company later and wants to use x2go? In this
> > > >case you need to call x2godbadmin for this new user again, which is
> > > >suboptimal.
> > > >
> > > >Is there really no way to get around generated user passwords?
> >
> > There is a way that could work: If configured correctly, postgresql can
> > use GSSAPI (Kerberos) Authentication. That way, the user is
> > authenticated using his login ticket cache which is created anyways.
> > If necessary, one could also provide a keyfile for the cleanup-cronjob
> > so that it can at least access the database with sufficient permissions.
> 
> That would be an option if you are OK to break passwordless ssh key
> authentication logins.
> 
> If you really wanted to go the kerberos route, you would have to create
> special db principals that can only access the db, and stash a passwordless
> keyfile in the user's home.

Yes, that is correct. One more thing that could also work, but is ugly,
would be 'ident' authentication in postgresql. But that would of course
mean that one needs a sufficiently trustable identd on all machines.
Ciao,

Alexander Wuerstlein.
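The thread weighs three ways a session database can authenticate its clients: a per-user password stashed in the home directory (which the bug report objects to), GSSAPI so the user's existing Kerberos ticket is reused, and PostgreSQL's 'ident' method, which only holds up if every client host runs a trustworthy identd. The following audit script is an added example, not code from the bug report or from the X2Go project: it parses a pg_hba.conf and classifies each rule along exactly those lines, so an administrator can see at a glance which rules depend on a stored secret, which trust a remote identd or nothing at all, and which reuse an identity the OS or Kerberos already established. The sample pg_hba.conf, the database name `x2go_sessions` and the severity labels are constructed for the example.

```python
"""Audit pg_hba.conf authentication methods (added example; constructed input)."""
import ipaddress

# Constructed sample pg_hba.conf; not the X2Go project's real configuration.
SAMPLE_PG_HBA = """\
# TYPE     DATABASE        USER      ADDRESS                    METHOD
local      all             postgres                             peer
local      x2go_sessions   all                                  md5
host       x2go_sessions   all       10.0.0.0/8                 ident
host       x2go_sessions   all       0.0.0.0/0                  trust
hostssl    x2go_sessions   all       10.0.0.0/8                 gss include_realm=0
host       all             all       127.0.0.1 255.255.255.255  password
"""

CONNECTION_TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Methods that only work if a per-user secret is stored where the client can read it
# (e.g. ~/.pgpass): the approach the bug report objects to for NFS/root_squash homes.
STORED_SECRET_METHODS = {"md5", "scram-sha-256", "password"}
# Methods that bind the connection to an identity the OS or Kerberos already verified.
IDENTITY_REUSE_METHODS = {"gss", "sspi", "peer", "cert"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_any_network(address):
    """True when the address column admits every client ('all', 0.0.0.0/0, ::/0)."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or keyword such as samenet


def parse_pg_hba(text):
    """Parse pg_hba.conf rules (TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]).

    Comments and blank lines are skipped; both CIDR and the older two-token
    'IP NETMASK' address form are accepted. Malformed lines get method=None.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        ctype = tokens[0]
        if ctype not in CONNECTION_TYPES or len(tokens) < 4:
            rules.append({"line": lineno, "type": ctype, "address": None,
                          "method": None, "options": [], "raw": raw})
            continue
        database, user, rest = tokens[1], tokens[2], tokens[3:]
        address = None
        if ctype != "local":
            address = rest.pop(0)
            # Fold "IP NETMASK" into a single "IP/NETMASK" network string.
            if "/" not in address and rest and _is_ip(address) and _is_ip(rest[0]):
                address = f"{address}/{rest.pop(0)}"
        method = rest[0] if rest else None
        rules.append({"line": lineno, "type": ctype, "database": database, "user": user,
                      "address": address, "method": method, "options": rest[1:], "raw": raw})
    return rules


def assess(rule):
    """Return (severity, reason) for one rule, following the trade-offs in the thread."""
    method, ctype = rule["method"], rule["type"]
    if method is None:
        return "error", "rule could not be parsed"
    if method == "trust":
        return "high", "no authentication; anyone who can reach the socket is admitted"
    if method == "ident" and ctype != "local":
        return "high", "relies on an identd on the client host that the server must fully trust"
    if method == "password" and ctype != "hostssl":
        return "high", "cleartext password on the wire plus a stored per-user secret"
    if method in STORED_SECRET_METHODS:
        return "medium", "needs a per-user secret stored on the client, e.g. ~/.pgpass"
    if method in IDENTITY_REUSE_METHODS:
        return "ok", "reuses an existing OS or Kerberos identity; no extra secret to manage"
    return "review", f"method {method!r} not classified"


def audit(text):
    """Classify every rule and flag those open to any client address."""
    findings = []
    for rule in parse_pg_hba(text):
        severity, reason = assess(rule)
        findings.append({"line": rule["line"], "severity": severity, "reason": reason,
                         "wide_open": _is_any_network(rule["address"]), "raw": rule["raw"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PG_HBA):
        flag = " [ANY ADDRESS]" if f["wide_open"] else ""
        print(f"line {f['line']:>2} {f['severity']:<6}{flag}: {f['reason']}\n    {f['raw']}")
```

Run against a real server's pg_hba.conf, the "medium" rows are the ones that force a password file into every user's home; moving the user-facing rule to `gss` (or `peer` for a local cleanup job, as the thread's keytab suggestion implies) is what removes that dependency.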




X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 15:43:48 2024; Machine Name: ymir.das-netzwerkteam.de
