X2Go Bug report logs - #728
point out that X2GoServer's Published Application

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>

To: submit@bugs.x2go.org

Subject: point out that x2gobroker is not a security feature

Date: Fri, 07 Nov 2014 00:50:55 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: x2gobroker
Severity: wishlist

Please add a prominent note to x2gobroker's man page that it is *not*
intended as a security feature - a user can still launch x2goclient
without the broker parameter and set it to run any executable the user
has exec permission for on the server.

As always, group membership and file permissions *MUST* (MUST as
defined in RFC2119 https://www.ietf.org/rfc/rfc2119.txt) be used to
limit a user's access to executables on the server.

- -Stefan

- -- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUXAlfAAoJEG7d9BjNvlEZ+eAH/06sGKiAbYx5Lzf5ehEZcM/R
5lumXu0SOVHsCIen/KRAHP+MQ+wvGngNawo0PZsJBZyhvHQ/SeUMrotR3MSPFB3S
ZDYvznt4LEfBbKbm4uabBmFOiSndFaFlyZzwt95z/SrAdaLidphUXlkTI0Mu5UOI
qVQbZWtBUNmEF+I1MalAvpGCZ+JK3BpSg88Y7XDqZvQfTcUUBxr9MGWBxKL5CHlK
Lt6jIZzXdxX+RWK7SmA5zYpUCG7yZcR6EzSnq7U1cDqW3XNG/QvddvS4IL04/u/U
068Tl/gHhKr3vquDjyMjXnuP8TbBFuTmDb6qbJeyY+UrC/n5kmXIlFRrBkZPnKM=
=ej1y
-----END PGP SIGNATURE-----

Message #10 received at 666@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 666@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#666: point out that x2gobroker is not a security feature

Date: Thu, 08 Jan 2015 23:44:24 +0000

[Message part 1 (text/plain, inline)]

Hi Stefan,

On  Fr 07 Nov 2014 00:50:55 CET, Stefan Baur wrote:

> Package: x2gobroker
> Severity: wishlist
>
> Please add a prominent note to x2gobroker's man page that it is *not*
> intended as a security feature - a user can still launch x2goclient
> without the broker parameter and set it to run any executable the user
> has exec permission for on the server.
>
> As always, group membership and file permissions *MUST* (MUST as
> defined in RFC2119 https://www.ietf.org/rfc/rfc2119.txt) be used to
> limit a user's access to executables on the server.
>
> - -Stefan

Do you think you could write down such an additional note for the man  
page and send it back to this bug (in plain text)?

I will work that text into the man page then.

Thanks,
Mike

PS: if you will, tag this bug with "patch" once you have sent that  
text passage...

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 666@bugs.x2go.org (full text, mbox, reply):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 666@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#666: point out that x2gobroker is not a security feature

Date: Fri, 09 Jan 2015 11:24:14 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Control: tag -1 patch
Control: clone -1 -2
Control: retitle -2 point out that X2GoServer's Published Application
Mode is not a security feature
Control: tag -2 patch
Control: severity -2 wishlist
Control: package -2 x2goserver


> Do you think you could write down such an additional note for the
> man page and send it back to this bug (in plain text)?

> I will work that text into the man page then.

> PS: if you will, tag this bug with "patch" once you have sent that 
> text passage...


@Mike#1, I tried to clone and retitle this bug for X2GoServer's
Published Application Mode.  Please verify that this worked.

- -Stefan

This is the notice for X2GoBroker. For X2GoServer's PAM, see below.

SECURITY NOTICE

Users are advised to not misinterpret X2GoBroker's capabilites as a
security feature.  Even when using X2GoBroker, it is still possible
for users to locally configure an X2GoClient with any setting they
want, and use that to connect.  So if you're trying to keep users from
running a certain application on the host, using X2GoBroker to "lock"
the configuration is the *wrong* way.  The users will still be able to
run that application by creating their own, local configuration file
and using that.  To keep users from running an application on the
server, you have to use *filesystem permissions*.  In the simplest
case, this means setting chmod 750 or 550 on the particular
application on the host, and making sure the users in question are not
the owner and also not a member of the group specified for the
application.


Notice for X2GoServer's PAM (Published Application Mode) is here:

SECURITY NOTICE

Users are advised to not misinterpret X2GoServer's Published
Application Mode as a security feature.  Even when using Published
Application Mode, it is still possible for users to locally configure
an X2GoClient with any setting they want, and use that to connect.  So
if you're trying to keep users from running a certain application on
the host, using Published Application Mode to "lock" the configuration
is the *wrong* way.  The users will still be able to run that
application by creating their own, local configuration file and using
that.  To keep users from running an application on the server, you
have to use *filesystem permissions*.  In the simplest case, this
means setting chmod 750 or 550 on the particular application on the
host, and making sure the users in question are not the owner and also
not a member of the group specified for the application.




- -- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUr6xOAAoJEG7d9BjNvlEZMQ4IAJWMnnvvfP8RyN+nc52Se2ue
A2uA5K6XAl7+vXajF+v/LNnkWsqowE0Z/Z5MGdzfpAPblHRF4qjVqUmcGLAK0lfH
wauk9MxlmV3M+W+0wUoVbjlHcuCWs3USoefqw4ncLXMoYiokSOnmgY4wFzaRWSi9
yu7WeO9JQyphTODQoHGydDjVPiez00eOrW4cFGBccljr+O1wMjXe5fTK4igILEfd
UYcLcCqSLuR/E0q7kL4ja8M+1ZaTkqcS2971pnBXF+xdBRDYe9HTBTDJC8XOyIwB
z9zvEbQ5We3dc8H+ZJY12DVhgmAiTi53S2MF81NPrEJ41la1Wri8eV5oLy6aNDE=
=BVtu
-----END PGP SIGNATURE-----

Message #28 received at 728@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 728-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 728@bugs.x2go.org

Subject: X2Go issue (in src:x2goserver) has been marked as pending for release

Date: Thu, 5 Feb 2015 12:42:50 +0100 (CET)

tag #728 pending
fixed #728 4.0.1.19
thanks

Hello,

X2Go issue #728 (src:x2goserver) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=7fed553

The issue will most likely be fixed in src:x2goserver (4.0.1.19).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 7fed5538087dcb3ef76128f1830a61b0fc3cbdd9
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Thu Feb 5 12:41:58 2015 +0100

    Add man page for x2gogetapps. Weave into that a security / disclaimer message as proposed by Stefan Baur. (Fixes: #728).

diff --git a/debian/changelog b/debian/changelog
index 1839221..d58144d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -71,6 +71,8 @@ x2goserver (4.0.1.19-0x2go1) UNRELEASED; urgency=medium
       that. Works around a too-old DBD::SQLite package on SLE 11.x.
     - Legacy for applications (and X2Go scripts) that expect $SSH_CLIENT to be
       set in the X2Go session's environment. (Fixes: #644).
+    - Add man page for x2gogetapps. Weave into that a security / disclaimer
+      message as proposed by Stefan Baur. (Fixes: #728).
   * debian/control:
     + Add D (x2goserver): libfile-which-perl.
     + Add C (x2goserver: x2godesktopsharing (<< 3.1.1.2-0~). (Fixes: #700).

Message #40 received at 728@bugs.x2go.org (full text, mbox, reply):

From: X2Go Release Manager <git-admin@x2go.org>

To: 728-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 728@bugs.x2go.org

Subject: X2Go issue (in src:x2goserver) has been marked as closed

Date: Tue, 24 Feb 2015 21:54:15 +0100 (CET)

close #728
thanks

Hello,

we are very hopeful that X2Go issue #728 reported by you
has been resolved in the new release (4.0.1.19) of the
X2Go source project »src:x2goserver«.

You can view the complete changelog entry of src:x2goserver (4.0.1.19)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goserver.

    http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=49c91751e560ad09ab4490cc3bd6687509c05755;hp=724d2eefe399485a71e79c705a0aad125e853230

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goserver.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goserver
Version: 4.0.1.19-0x2go1
Status: RELEASE
Date: Tue, 24 Feb 2015 21:49:22 +0100
Fixes: 405 632 633 638 644 664 668 671 672 675 676 678 697 698 700 712 715 727 728 770
Changes: 
 x2goserver (4.0.1.19-0x2go1) RELEASED; urgency=medium
 .
   [ Mike Gabriel ]
   * New upstream version (4.0.1.19):
     - Use File::Which to detect if sshfs command is available
       before trying to mount a client-side folder.
     - Be a bit more tolerant when trying to detect if a
       desktop icon is to be removed (using regexp, not
       eq).
     - Xsession script: Prevent bash failures when sourcing external bash
       scripts beyond our scope. (Fixes: #632, #675).
     - x2gogetapps: Support scanning of sub-directories when searching for
       .desktop files. We allow to dive down one level into subdirs, we on
       purpose do not recursively dive into the complete subtree. (Fixes: #633).
     - Make man2html an optional tool. Don't fail if it is missing on the
       build system (required for openSUSE/SLES builds).
     - Fix x2goserver-xsession/Makefile on SUSE. Detect SUSE distro and create
       Xsession related directory symlinks (xinitrc.d and Xclients.d).
     - Hack for x2goserver-xsession/Makefile during SUSE builds. If
       directoy /usr/share/doc/packages/brp-check-suse is present, the build env
       is also considered to be a SUSE system.
     - Trigger Xsession code for SUSE systems (look for /etc/SUSE-brand or
       /etc/SuSE-release for SUSE system recognition). (Fixes: #671).
     - x2gosqlitewrapper.c: Fix rpmlint error: no-return-in-nonvoid-function.
       Return the exitcode of execve().
     - Fix gramma in error message (in x2goresume-session).
     - x2gocleansessions: Call x2gormforward also on terminated sessions. This
       will make sure that re-assigned ports are really available on new session
       startup.
     - x2golistsessions(_root): Only update session state in session DB if
       x2goagent's state file really exists. This addresses a problem that occurs
       when x2golistsessions gets called via an x2gobroker-agent. The
       x2golistsessions script may show session states (--all-servers) of
       sessions on other servers that have session states files on their remote
       /tmp dirs. These files are not accessible for that x2golistsessions script
       and should simply be ignored. (Fixes: #638).
     - Provide pam_namespace support for has_agent_state_file() function.
     - Fix missing session list output if state file does not exist on the
       machine that runs x2golistsessions(_root).
     - Accept more verbose "DENY" output from x2godesktopsharing.
     - Make sure that all "su"-to-user-contexts use /bin/sh for wrapping around
       the executed command (in x2gocleansessions and x2golistsessions_root).
     - Also enforce /bin/sh as shell in su command in x2goprint.
     - README.i18n: Add file that explains the translation workflow for
       this package. Thanks to Mark Pedersen-Cook for drafting this file.
     - Make SSH agent forwarding work after having reconnected via SSH and
       having resumed a session. (Fixes: #672). Thanks to Robert Siemer for
       coming up with that idea.
     - Fix cross-user X2Go Desktop Sharing after being broken by implementing
       clipboard mode feature (and probably other code changes).
     - Document session startup / resumption failures (and their reasons) in
       server-side log output.
     - Handle AD domain users gracefully when X2Go is used with SQLite DB
       backend. (Fixes: #664).
     - Improve sanitizer, use 'x2gosid' sanitizer for session IDs everywhere.
       Drop unused 'pnixusername' sanitizer in 4.0.1.x release of X2Go Server.
     - Allow usernames in session IDs of length 48 chars.
     - Start sshfs with a timeout of 30 seconds (because it never finishes if
       something is wrong with the client-side TCP socket). Also remove/unmount
       mountpoints erroneously registered sshfs mountpoints if sshfs command
       times out. Furthermore, print errors to STDERR (not STDOUT). (Fixes:
       #405).
     - Handle execution of ss command from Perl script x2golistdesktops in a way
       that not only works on Debian, but also on Fedora et al. (Fixes: #727).
     - Provide legacy support for old File::Path packages in x2godbadmin.
       (Fixes: #715).
     - Fix wrong evocation of x2gosyslog ("error" -> "err").
     - Use "undef $dbh" instead of "$dbh->disconnect()". Fixes SQLite3 issues on
       SLE 11.x.
     - Only call $dbh->sqlite_busy_timeout() if the $dbh object is capable of
       that. Works around a too-old DBD::SQLite package on SLE 11.x.
     - Legacy for applications (and X2Go scripts) that expect $SSH_CLIENT to be
       set in the X2Go session's environment. (Fixes: #644).
     - Add man page for x2gogetapps. Weave into that a security / disclaimer
       message as proposed by Stefan Baur. (Fixes: #728).
   * debian/control:
     + Add D (x2goserver): libfile-which-perl.
     + Add C (x2goserver: x2godesktopsharing (<< 3.1.1.2-0~). (Fixes: #700).
     + Bump Standards: to 3.9.6. No changes needed.
     + Don't depend on libdb-pg-perl for armhf builds. (Fixes: #712). Thanks to
       Heinrich Schuchardt for providing information on this.
     + Upgrade to D again (bin:package x2goserver): xfonts-base (Fixes: #770).
   * debian/x2goserver.docs:
     + Install README.i18n file into bin:package x2goserver.
   * x2goserver.spec:
     + Add to R: perl(File::Which).
     + Additionally adapt to building on openSUSE/SLES.
     + No shell expansion possible in obs-build, detect perl version only for
       non-SUSE builds.
     + Add to R: x2goserver-xsession.
     + Don't mention /etc/x2go/x2gosql/sql twice (directly and with wildcard).
     + No %{_sysconfdir}/x2go/Xclients.d on SUSE systems.
     + Use %{_localstatedir} instead of %{_sharedstatedir}.
     + Use proper if... then... clauses.
     + For SUSE builds: Add to R: shadow (useradd, groupadd).
     + Replace historical "egrep" with "grep -E".
     + Systemd support for SUSE >= 12.10.
     + Set %defattr macro for every bin:package.
     + SUSE and Fedora/RHEL have different package group names.
     + Add x2goserver-rpmlintrc file to handle some rpmlint errors and warnings.
     + SUSE has openssh, but no openssh-server.
     + Add to R (x2goserver): perl-X2Go-Server.
     + Add to R (diverse): perl(Config::Simple), perl(Switch) and
       perl(Capture::Tiny).
     + Add to R (x2goserver): perl(File::BaseDir).
     + Don't hard-code /var/lib/ in $HOME path of to-be-created user
       "x2gouser".
     + Add to BR: findutils.
     + For Fedora-like systems, don't make x2goserver bin:package authoritative
       for non-X2Go directories. (Fixes: #676).
     + Remove macro call %systemd_pre for Fedora/EPEL-7 builds. No such macro in
       Fedora/RHEL7. (Fixes: 698).
     + Create system user x2gouser with $HOME in /var/lib/x2go. (Fixes: #697).
     + Always set BuildRoot: parameter.
     + BuildRequires: SUSE <= 11.3 has xorg-x11, not xinit.
     + Requires (x2goserver-xsession): SUSE <= 11.3 has xorg-x11, not xinit.
     + No Bashisms in scriptlets.
     + rpmlint requires shared-mime-info at build time on SLE <= 11.3.
     + "%set_permissions" / "%verify_permissions" macros are not know in SLE <=
       11.3. Using "%run permissions" and "%verify permissions" instead.
     + On SUSE, add permissions.d/x2goserver.
     + Fix SQLite wrapper permissions (02775 -> 02755)
     + Use if then clauses for creating user/group x2goprint.
 .
   [ Matthew L. Dailey ]
   * New upstream version (4.0.1.19):
     - x2gocleansessions: Redirect stdin, stdout and stderr to /dev/null, test
       for the existence of the file descriptor before issuing the close,
       only capture the file descriptor backreference in the regex and
       send any close failures to syslog. (Fixes: #678).
 .
   [ Lars Wendler ]
   * New upstream version (4.0.1.19):
     - Use "printf" instead of "echo -n". (Fixes: #668).

Send a report that this bug log contains spam.