Subject: Bug#835: x2gobroker-ssh: cannot execute x2gobroker-agent if agent-query-mode is set to LOCAL
Reply-To: Mike Gabriel, 835@bugs.x2go.org
Resent-From: Mike Gabriel
Resent-To: x2go-dev@lists.x2go.org
Resent-Date: Thu, 02 Apr 2015 13:25:01 +0000
X-X2Go-PR-Message: report 835
X-X2Go-PR-Package: x2gobroker-ssh
Date: Thu, 02 Apr 2015 13:22:40 +0000
From: Mike Gabriel
To: submit@bugs.x2go.org

Package: x2gobroker-ssh
Severity: important
Version: 0.0.3.0-preview

x2gobroker-ssh cannot execute x2gobroker-agent if agent-query-mode is set to LOCAL.

Reason: /usr/bin/x2gobroker-ssh is installed with these permissions:

  -r-sr-x--- 1 x2gobroker 6168 Apr 1 06:24 /usr/bin/x2gobroker-ssh

That means: only users that are members of the POSIX group (in Debian/Ubuntu, this is configurable via DebConf) can launch a fully featured X2Go Session Broker instance via SSH brokerage. A user that is a member of the group launches x2gobroker-ssh, and the process permissions are these:

  real uid:
  real gid:
  effective uid: x2gobroker
  effective gid:

So, the setuid flag on /usr/bin/x2gobroker-ssh changes the effective user ID, but not the effective group ID.
If agent-query-mode is set to LOCAL, x2gobroker-ssh directly calls /usr/lib/x2go/x2gobroker-agent (via subprocess.Popen) and fails because of insufficient privileges:

  -rwsr-x--- 1 root x2gobroker 6168 Apr 2 06:39 /usr/lib/x2go/x2gobroker-agent

Only users that are members of POSIX group "x2gobroker" can launch the x2gobroker-agent script (and gain root privileges). In a sane environment, no user is a member of this group (except the user "x2gobroker").

Solution:
---------

  (root@medoc) {~} # cat /etc/sudoers.d/x2gobroker-ssh
  # Allow members of group x2gobroker-users to execute any /usr/lib/x2go/x2gobroker-agent
  %x2gobroker-users    ALL=(:x2gobroker) /usr/lib/x2go/x2gobroker-agent

If the user launching x2gobroker-ssh is a member of the group, then the LOCAL query to the x2gobroker-agent is run via sudo. If the invoking user is not a member of the group, then no sudo gets used (e.g. for executing the x2gobroker-agent via agent-query-mode SSH or via agent-query-mode through the http broker implementation).

A patch is in prep and should be committed soon.
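The permission failure and the sudo-based decision rule described above, as an added Python example (not x2gobroker's own code): can_execute() emulates the POSIX execute check on the agent's 4750 root:x2gobroker mode, and agent_command() applies the report's rule of wrapping the LOCAL call in sudo -g x2gobroker only for members of x2gobroker-users. All uids, gids and group memberships are constructed, and the function names are hypothetical.

```python
import stat

AGENT = "/usr/lib/x2go/x2gobroker-agent"
AGENT_GROUP = "x2gobroker"          # group owner of the agent (mode 4750)
ALLOWED_GROUP = "x2gobroker-users"  # group granted sudo in the report


def can_execute(mode, owner_uid, owner_gid, euid, egid, supp_gids):
    """Emulate the POSIX execute-permission check for one file.
    Only the effective uid, effective gid and supplementary groups of the
    caller are consulted; the real uid plays no role. A setuid wrapper
    such as x2gobroker-ssh changes euid only, so egid stays the invoking
    user's primary group.
    """
    if euid == 0:  # root may exec if any execute bit is set
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if euid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid == egid or owner_gid in supp_gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def agent_command(invoking_user_groups, agent=AGENT):
    """Command line for a LOCAL agent query, following the report's rule.
    A member of x2gobroker-users is covered by the sudoers line
    '%x2gobroker-users ALL=(:x2gobroker) /usr/lib/x2go/x2gobroker-agent',
    so the call is wrapped in 'sudo -g x2gobroker' and runs with egid
    x2gobroker; anyone else gets the agent path unchanged (no sudo).
    """
    if ALLOWED_GROUP in invoking_user_groups:
        return ["sudo", "-g", AGENT_GROUP, agent]
    return [agent]


def demonstrate():
    """Constructed ids: root=0, x2gobroker uid=101/gid=102, alice uid=1000
    with supplementary group x2gobroker-users (gid 2000)."""
    mode, owner_uid, owner_gid = 0o4750, 0, 102  # -rwsr-x--- root x2gobroker
    # 1) alice runs the setuid wrapper: euid becomes 101, egid stays 1000.
    direct = can_execute(mode, owner_uid, owner_gid, 101, 1000, {1000, 2000})
    # 2) same call wrapped in 'sudo -g x2gobroker': egid becomes 102.
    via_sudo = can_execute(mode, owner_uid, owner_gid, 101, 102, {1000, 2000})
    return direct, via_sudo


if __name__ == "__main__":
    print(demonstrate())  # (False, True)
```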
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb