From unknown Sun May 17 06:00:08 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#685: user x2gobroker can evoke any command on X2Go Servers
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 685@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
Resent-Date: Tue, 02 Dec 2014 16:15:02 +0000
Resent-Message-ID: <handler.685.B.14175367519950@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 685
X-X2Go-PR-Package: python-x2gobroker
X-X2Go-PR-Keywords: 
Date: Tue, 02 Dec 2014 16:12:28 +0000
Message-ID: <20141202161228.Horde.s0pU6H-pvmZNUvWheV4xMw4@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
User-Agent: Internet Messaging Program (IMP) H5 (6.2.2)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
Content-Type: multipart/signed; boundary="=_AEwAIPRoCLn_6R0NDHFAdg1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0

This message is in MIME format and has been PGP signed.

--=_AEwAIPRoCLn_6R0NDHFAdg1
Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: python-x2gobroker
Severity: important
Version: 0.0.3.0-preview

Currently, x2gobroker-pubkeyauthorizer receives SSH public keys from
the X2Go Session Broker. Those keys are stored as-is into
~x2gobroker/.ssh/authorized_keys.

However, we need to add a force_command option into those pubkey
lines, so that only x2gobroker-agent can be called via X2Go Session
Broker.

At the moment user x2gobroker@x2gobroker-machine can issue arbitrary
commands on the X2Go Server (which is not really painful, but should
be avoided in general).

Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

--=_AEwAIPRoCLn_6R0NDHFAdg1--
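
One way to pin each received key to a single command before it is written to authorized_keys, as an added example that is not part of the report or of python-x2gobroker. It uses OpenSSH's `command="..."` authorized_keys option; the agent path, the sample key and the function names are assumptions made for illustration.

```python
# Added example: pin every received key to one forced command.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
AGENT_CMD = "/path/to/x2gobroker-agent"   # placeholder path (assumption)
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                "no-agent-forwarding", "no-pty")
# Constructed sample key line, not a real key.
SAMPLE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly broker@example"


def split_options(line):
    """Split one authorized_keys line into (options, key_part)."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quotes, prev = False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            # Options end at the first space outside double quotes.
            return line[:i], line[i + 1:].lstrip()
        prev = ch
    raise ValueError("no key material found")


def harden(line, command=AGENT_CMD):
    """Return the line rewritten so the key can only run `command`."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not a key line")
    if "\n" in line or "\r" in line:
        # An embedded newline would smuggle in a second, unrestricted key.
        raise ValueError("more than one line submitted")
    if '"' in command:
        raise ValueError("command must not contain double quotes")
    # Options sent along with the key are untrusted and are dropped.
    _sender_options, key = split_options(line)
    if not key.startswith(KEY_TYPES):
        raise ValueError("unrecognised key type")
    options = ['command="%s"' % command] + list(RESTRICTIONS)
    return ",".join(options) + " " + key


if __name__ == "__main__":
    print(harden(SAMPLE))
    print(harden('command="/bin/sh",no-pty ' + SAMPLE))
```

Key types not listed in `KEY_TYPES` are rejected rather than stored, so the list has to be extended deliberately for any further type the broker is expected to send.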
