X2Go Bug report logs - #728
point out that X2GoServer's Published Application

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#666: [X2Go-Dev] Bug#666: point out that x2gobroker is not a security feature
Reply-To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 666@bugs.x2go.org
Resent-From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Fri, 09 Jan 2015 10:25:01 +0000
Resent-Message-ID: <handler.666.B666.14207989895657@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 666
X-X2Go-PR-Package: x2gobroker
X-X2Go-PR-Keywords: 
Received: via spool by 666-submit@bugs.x2go.org id=B666.14207989895657
          (code B ref 666); Fri, 09 Jan 2015 10:25:01 +0000
Received: (at 666) by bugs.x2go.org; 9 Jan 2015 10:23:09 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.2
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.24])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 7181A5DEA9
	for <666@bugs.x2go.org>; Fri,  9 Jan 2015 11:23:07 +0100 (CET)
Received: from [192.168.0.3] ([188.105.114.135]) by mrelayeu.kundenserver.de
 (mreue101) with ESMTPSA (Nemesis) id 0LfzrP-1XSkG90hCd-00paEm; Fri, 09 Jan
 2015 11:23:06 +0100
Message-ID: <54AFAC4E.8060103@baur-itcs.de>
Date: Fri, 09 Jan 2015 11:24:14 +0100
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 666@bugs.x2go.org
References: <20150108234424.Horde.ofgocuZ8EobF8khVLgaqLg2@mail.das-netzwerkteam.de>
In-Reply-To: <20150108234424.Horde.ofgocuZ8EobF8khVLgaqLg2@mail.das-netzwerkteam.de>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Provags-ID:  V03:K0:lSDPjNFXCkJVt9gh08FNB6INTZAIIcnwxMT1ytLfoCsHVdBvcpY
 i4nMEKkx1sYMkWfeg6LY7Zw9Npg3VRPFE0qa1mgoc01MsUoXixytnDViC534LKV/np0gCQg
 XZaloxdurTmzSOzbwosPTW86XlIJcbkG117z7E9s/GV0w2WuIYHEpCmCDKp15N1N2lZW88F
 9ZjoQbpOVpUSg2uzev97Q==
X-UI-Out-Filterresults: notjunk:1;

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Control: tag -1 patch
Control: clone -1 -2
Control: retitle -2 point out that X2GoServer's Published Application
Mode is not a security feature
Control: tag -2 patch
Control: severity -2 wishlist
Control: package -2 x2goserver


> Do you think you could write down such an additional note for the
> man page and send it back to this bug (in plain text)?

> I will work that text into the man page then.

> PS: if you will, tag this bug with "patch" once you have sent that 
> text passage...


@Mike#1, I tried to clone and retitle this bug for X2GoServer's
Published Application Mode.  Please verify that this worked.

- -Stefan

This is the notice for X2GoBroker. For X2GoServer's PAM, see below.

SECURITY NOTICE

Users are advised to not misinterpret X2GoBroker's capabilites as a
security feature.  Even when using X2GoBroker, it is still possible
for users to locally configure an X2GoClient with any setting they
want, and use that to connect.  So if you're trying to keep users from
running a certain application on the host, using X2GoBroker to "lock"
the configuration is the *wrong* way.  The users will still be able to
run that application by creating their own, local configuration file
and using that.  To keep users from running an application on the
server, you have to use *filesystem permissions*.  In the simplest
case, this means setting chmod 750 or 550 on the particular
application on the host, and making sure the users in question are not
the owner and also not a member of the group specified for the
application.


Notice for X2GoServer's PAM (Published Application Mode) is here:

SECURITY NOTICE

Users are advised to not misinterpret X2GoServer's Published
Application Mode as a security feature.  Even when using Published
Application Mode, it is still possible for users to locally configure
an X2GoClient with any setting they want, and use that to connect.  So
if you're trying to keep users from running a certain application on
the host, using Published Application Mode to "lock" the configuration
is the *wrong* way.  The users will still be able to run that
application by creating their own, local configuration file and using
that.  To keep users from running an application on the server, you
have to use *filesystem permissions*.  In the simplest case, this
means setting chmod 750 or 550 on the particular application on the
host, and making sure the users in question are not the owner and also
not a member of the group specified for the application.




- -- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUr6xOAAoJEG7d9BjNvlEZMQ4IAJWMnnvvfP8RyN+nc52Se2ue
A2uA5K6XAl7+vXajF+v/LNnkWsqowE0Z/Z5MGdzfpAPblHRF4qjVqUmcGLAK0lfH
wauk9MxlmV3M+W+0wUoVbjlHcuCWs3USoefqw4ncLXMoYiokSOnmgY4wFzaRWSi9
yu7WeO9JQyphTODQoHGydDjVPiez00eOrW4cFGBccljr+O1wMjXe5fTK4igILEfd
UYcLcCqSLuR/E0q7kL4ja8M+1ZaTkqcS2971pnBXF+xdBRDYe9HTBTDJC8XOyIwB
z9zvEbQ5We3dc8H+ZJY12DVhgmAiTi53S2MF81NPrEJ41la1Wri8eV5oLy6aNDE=
=BVtu
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.