From unknown Wed Apr 29 13:06:57 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#835: x2gobroker-ssh: cannot execute x2gobroker-agent if agent-query-mode is set to LOCAL
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 835@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Thu, 02 Apr 2015 13:25:01 +0000
Resent-Message-ID: <handler.835.B.142798096326365@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 835
X-X2Go-PR-Package: x2gobroker-ssh
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.142798096326365
          (code B); Thu, 02 Apr 2015 13:25:01 +0000
Received: (at submit) by bugs.x2go.org; 2 Apr 2015 13:22:43 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 1F0315DAD1
	for <submit@bugs.x2go.org>; Thu,  2 Apr 2015 15:22:42 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id AB3AD3D3
	for <submit@bugs.x2go.org>; Thu,  2 Apr 2015 15:22:41 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id F04E63C173
	for <submit@bugs.x2go.org>; Thu,  2 Apr 2015 15:22:40 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id ReLNbWgRUMDS for <submit@bugs.x2go.org>;
	Thu,  2 Apr 2015 15:22:40 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 7B1E73BE7E
	for <submit@bugs.x2go.org>; Thu,  2 Apr 2015 15:22:40 +0200 (CEST)
Received: from bifrost.das-netzwerkteam.de (bifrost.das-netzwerkteam.de
 [178.62.101.154]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP;
 Thu, 02 Apr 2015 13:22:40 +0000
Date: Thu, 02 Apr 2015 13:22:40 +0000
Message-ID: <20150402132240.Horde.YvyFyWtaWF1i5VjrhgSNow2@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
User-Agent: Internet Messaging Program (IMP) H5 (6.2.2)
Accept-Language: de,en
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 178.62.101.154
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101
 Firefox/32.0 Iceweasel/32.0
Content-Type: multipart/signed; boundary="=_mwM9hAZYZ1nQSMXcdtDteQ1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0

Package: x2gobroker-ssh
Severity: important
Version: 0.0.3.0-preview

x2gobroker-ssh cannot execute x2gobroker-agent if agent-query-mode is
set to LOCAL.

Reason:

/usr/bin/x2gobroker-ssh is installed with these permissions:

-r-sr-x--- 1 x2gobroker <x2gobroker-users> 6168 Apr  1 06:24 /usr/bin/x2gobroker-ssh

That means: only users that are members of the POSIX group
<x2gobroker-users> (in Debian/Ubuntu, this is configurable via
DebConf) can launch a fully featured X2Go Session Broker instance via
SSH brokerage.

A user that is a member of group <x2gobroker-users> launches
x2gobroker-ssh and the process permissions are these:

   real uid: <uidNumber-of-the-user>
   real gid: <gidNumber-of-the-user>
   effective uid: x2gobroker
   effective gid: <gidNumber-of-the-user>

So, the setuid flag on /usr/bin/x2gobroker-ssh changes the effective
user ID, but not the effective group ID.

If agent-query-mode is set to LOCAL, x2gobroker-ssh directly calls
/usr/lib/x2go/x2gobroker-agent (via subprocess.Popen) and fails
because of insufficient privileges:

-rwsr-x--- 1 root x2gobroker 6168 Apr  2 06:39 /usr/lib/x2go/x2gobroker-agent

Only users that are members of POSIX group "x2gobroker" can launch the
x2gobroker-agent script (and gain root privileges). In a sane
environment, no user is a member of this group (except the user
"x2gobroker").

Solution:
---------

(root@medoc) {~} # cat /etc/sudoers.d/x2gobroker-ssh
# Allow members of group x2gobroker-users to execute any /usr/lib/x2go/x2gobroker-agent
%x2gobroker-users	ALL=(:x2gobroker) /usr/lib/x2go/x2gobroker-agent

If the user launching x2gobroker-ssh is a member of the group
<x2gobroker-users>, then the LOCAL query to the x2gobroker-agent is
run via sudo. If the invoking user is not a member of the
<x2gobroker-users> group, then no sudo gets used (e.g. for executing
the x2gobroker-agent via agent-query-mode SSH or via agent-query-mode
through the http broker implementation).

A patch is in prep and should be committed soon.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
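The permission problem described in the report, as an added example that is not part of the original message and not x2gobroker's own code: a small Python helper that mirrors the kernel's execute check against the process credentials a setuid x2gobroker-ssh actually has (euid changed, egid untouched), and falls back to `sudo -g x2gobroker` only when the real user is in x2gobroker-users, which is what the sudoers rule above permits. The dicts of credentials, file ownership and gids are constructed test values; the group names and agent path are taken from the report, while the argument vector passed to the agent and the exact sudo invocation are assumptions for illustration, not the patch the report announces.

```python
import os
import stat
import subprocess

# Path and group names as given in the bug report.
AGENT = "/usr/lib/x2go/x2gobroker-agent"
AGENT_GROUP = "x2gobroker"        # file group of the setuid-root agent
SSH_GROUP = "x2gobroker-users"    # group allowed to run the setuid x2gobroker-ssh


def can_execute(mode, file_uid, file_gid, euid, egid, groups):
    """Approximate the kernel's execute-permission check: owner class if the
    effective uid matches, else group class if the file's gid is the effective
    gid or one of the supplementary gids, else the 'other' class.  Root is not
    special-cased because x2gobroker-ssh never runs as root."""
    if euid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid == egid or file_gid in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def agent_command(args, creds, agent_stat, group_ids):
    """Decide how the agent can be invoked from the current credentials.

    creds:      {'ruid','euid','rgid','egid','groups'} of the calling process
    agent_stat: {'mode','uid','gid'} of the agent binary
    group_ids:  group name -> gid (passed in so no grp lookups are needed)
    Returns the argv to run, or None if the caller cannot run the agent at all.
    """
    if can_execute(agent_stat["mode"], agent_stat["uid"], agent_stat["gid"],
                   creds["euid"], creds["egid"], creds["groups"]):
        # Only true for members of group x2gobroker (or euid root): run directly.
        return [AGENT] + list(args)
    # The setuid bit changed euid to x2gobroker but left egid and the
    # supplementary groups as the user's, so the 0750 root:x2gobroker agent is
    # not executable.  sudo authorizes on the *real* user's groups, so members
    # of x2gobroker-users may run it with group x2gobroker via
    #   %x2gobroker-users ALL=(:x2gobroker) /usr/lib/x2go/x2gobroker-agent
    ssh_gid = group_ids[SSH_GROUP]
    if creds["rgid"] == ssh_gid or ssh_gid in creds["groups"]:
        # "-n" makes sudo fail instead of prompting when no matching rule exists.
        return ["sudo", "-n", "-g", AGENT_GROUP, AGENT] + list(args)
    return None


def current_credentials():
    """Snapshot of this process's real/effective ids (Linux: os.getresuid)."""
    ruid, euid, _ = os.getresuid()
    rgid, egid, _ = os.getresgid()
    return {"ruid": ruid, "euid": euid, "rgid": rgid, "egid": egid,
            "groups": list(os.getgroups())}


def agent_file_stat(path=AGENT):
    st = os.stat(path)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def run_agent(args, group_ids):
    """Run the agent with whichever invocation the credentials allow."""
    argv = agent_command(args, current_credentials(), agent_file_stat(), group_ids)
    if argv is None:
        raise PermissionError("caller is in neither %s nor %s" % (AGENT_GROUP, SSH_GROUP))
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed gids; on a real host resolve them with grp.getgrnam().
    gids = {AGENT_GROUP: 1001, SSH_GROUP: 1002}
    print(agent_command(["example-arg"], current_credentials(),
                        {"mode": 0o4750, "uid": 0, "gid": gids[AGENT_GROUP]}, gids))
```

The three cases worth checking are the ones the report distinguishes: a user in x2gobroker-users (euid x2gobroker, egid still the user's) gets the sudo form; a user who is actually in group x2gobroker runs the agent directly; anyone else cannot run it at all.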

