[X2Go-Commits] [telekinesis] 02/02: ship our own Perl-based SFTP server

git-admin at x2go.org git-admin at x2go.org
Wed Oct 1 06:16:21 CEST 2014


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch master
in repository telekinesis.

commit b47dabb600d8aaad1a29384ede57641a0c046deb
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Wed Oct 1 06:15:33 2014 +0200

    ship our own Perl-based SFTP server
---
 debian/control                                     |    2 +-
 .../lib/telekinesis/server/bin/tekidata-sftpserver |   68 ++++++++++++++++++++
 .../post-start.d/000_telekinesis-server-startup    |    5 +-
 .../pre-resume.d/000_telekinesis-server-resume     |    2 +-
 4 files changed, 71 insertions(+), 6 deletions(-)

diff --git a/debian/control b/debian/control
index b1e4500..9c19c96 100644
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Depends:
  libx2go-telekinesis-server-perl (>= ${source:Version}), libx2go-telekinesis-server-perl (<< ${source:Version}.1~),
  x2goserver-extensions (>= 4.1.0.0~),
  socat,
- openssh-sftp-server (>= 1:6.6) | openssh-server (<< 1:6.6),
+ libnet-sftp-sftpserver-perl,
 Description: Telekinesis server for X2Go
  X2Go is a server based computing environment with
     - session resuming
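Review bot: The new `Depends` line covers only the SFTP module, but the script added in this commit also does `use BSD::Resource;` for `setrlimit`, and nothing in the control hunk pulls that module in; on a host without it the sftp server will die at compile time and every Telekinesis data connection will fail. Add the corresponding package next to the new dependency, e.g. `libnet-sftp-sftpserver-perl, libbsd-resource-perl,`. Dropping `openssh-sftp-server` is consistent with the EXEC targets changed in the two extension scripts, so that side of the hunk looks complete.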
diff --git a/server/lib/telekinesis/server/bin/tekidata-sftpserver b/server/lib/telekinesis/server/bin/tekidata-sftpserver
new file mode 100755
index 0000000..d404ef8
--- /dev/null
+++ b/server/lib/telekinesis/server/bin/tekidata-sftpserver
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Net::SFTP::SftpServer ( { log => 'local5' }, qw ( :LOG :ACTIONS ) );
+use BSD::Resource;        # for setrlimit
+
+# Security - make sure we have started this as sftp not ssh
+#unless ( scalar @ARGV == 3 and
+#         $ARGV[1] eq '-c'  and
+#         ($ARGV[2] eq '/usr/lib/telekinesis/server/bin/tekidata-sftpserver') ){
+#
+#       logError "SFTP connection attempted for application $ARGV[1], $ARGV[2] - exiting";
+#       print "\n\rYou do not have permission to login interactively to this host.\n\r\n\rPlease contact the system administrator if you believe this to be a configuration error.\n\r";
+#       exit 1;
+#}
+
+my $session_name = shift;
+my $my_home = $ENV{HOME};
+
+my $MEMLIMIT = 100 * 1024 * 1024; # 100 Mb
+
+# hard limits on process memory usage;
+setrlimit( RLIMIT_RSS,  $MEMLIMIT, $MEMLIMIT );
+setrlimit( RLIMIT_VMEM, $MEMLIMIT, $MEMLIMIT );
+
+my $debug = (defined DEBUG_USER->{uc(getpwuid($>))} and DEBUG_USER->{uc(getpwuid($>))}) ? 1 : 0;
+
+my $sftp = Net::SFTP::SftpServer->new(
+  debug               => $debug,
+  home                => "$my_home/.x2go/C-$session_name/telekinesis/remote",
+  file_perms          => 0600,
+#  on_file_sent        => \&ActionOnSent,
+#  on_file_received    => \&ActionOnReceived,
+  valid_filename_char => [ 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '_', '.', '-' ],
+  follow_symlinks     => 
+  deny                => ALL,
+  allow               => [ (
+                              SSH2_FXP_OPEN,
+                              SSH2_FXP_CLOSE,
+                              SSH2_FXP_READ,
+                              SSH2_FXP_LSTAT,
+                              SSH2_FXP_STAT_VERSION_0,
+                              SSH2_FXP_FSTAT,
+                              SSH2_FXP_OPENDIR,
+                              SSH2_FXP_READDIR,
+                              SSH2_FXP_REMOVE,
+                              SSH2_FXP_STAT,
+                              SSH2_FXP_RENAME,
+                              SSH2_FXP_READLINK,
+                           )],
+  fake_ok             => [ (
+                              SSH2_FXP_SETSTAT,
+                              SSH2_FXP_FSETSTAT,
+                           )],
+);
+
+$sftp->run();
+
+sub ActionOnSent {
+  my $fileObject = shift;
+   ## Do Stuff
+}
+
+sub ActionOnReceived {
+  my $fileObject = shift;
+   ## Do Stuff
+}
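Review bot: `follow_symlinks =>` on the line before `deny => ALL` has no value, so the constructor's key/value list shifts by one: `deny` (auto-quoted by the fat comma) becomes the value of `follow_symlinks`, which is a true value, and `ALL` is consumed as the next key, so the intended default-deny policy is never passed and symlinks inside the exported directory are presumably followed. That silently undoes the two restrictions this server exists to enforce; the fix is to give the option an explicit value, `follow_symlinks     => 0,`, so that `deny => ALL` is read as written. Separately, `my $session_name = shift;` expects the session id as the first argument and uses it to build `home`, but the socat lines in the post-start and pre-resume hunks exec the script with no arguments, so `home` degrades to `.x2go/C-/telekinesis/remote` (with an uninitialized-value warning); the launchers should pass `${X2GO_SESSION}` and this script should refuse to start when the argument is missing, e.g. `die "usage: tekidata-sftpserver <session>\n" unless defined $session_name;`. The commented-out block at the top documents an ssh-invocation check that does not apply under socat; either delete it or replace it with a one-line comment stating the script is only expected to be started from the Telekinesis socat listener.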
diff --git a/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup b/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
index 5653802..0fe5dad 100755
--- a/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
+++ b/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
@@ -30,10 +30,7 @@ export DISPLAY=:$(echo $X2GO_SESSIONINFO | cut -d "|" -f3 | sed -e "s/[^0-9\-]//
 
 # launch Telekinesis server (if supported)
 if [ -n "$TEKICTRL_PORT" ] && [ "x$TEKICTRL_PORT" != "x-1" ]; then
-	# FIXME: for a short fraction of time the below socket opening allows an attacker on localhost
-	#        to sshfs into the local machine for the user who has opened this socket. This
-	#        needs to be fixed/changed!!!
-	(socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/sftp-server -R";)&
+	(socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver";)&
 	(telekinesis-server -setDEBUG=1 -setBINDTOPORT=${TEKICTRL_PORT} > ~/.x2go/C-${X2GO_SESSION}/telekinesis-server.log;)&
 	(sleep 20; ss -nl | egrep "^LISTEN.*127.0.0.1:$TEKIDATA_PORT.*" 1>/dev/null && kill -9 $(cat "$TEKIDATA_LOCK" | sed -e 's/[^0-9]*//g'); )&
 fi
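Review bot: The removed FIXME describes a window in which any local process can connect to the unauthenticated `127.0.0.1:${TEKIDATA_PORT}` listener before the intended client does, and the replaced line only changes what gets exec'd on that connection; nothing in this hunk closes the window, so the comment should stay (reworded to say the restricted Perl server limits the exposure to read-only access under the session's `remote` directory rather than the whole home) rather than disappear. The new EXEC target also passes no session argument, while the script added in this commit takes the session id from `@ARGV` to build its export path; `EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver ${X2GO_SESSION}"` is what the script expects, and `${X2GO_SESSION}` is already in scope on the next line. The same omission applies to the pre-resume hunk.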
diff --git a/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume b/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
index 4bad305..63b1475 100755
--- a/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
+++ b/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
@@ -28,7 +28,7 @@ TEKIDATA_LOCK="$HOME/.x2go/C-${X2GO_SESSION}/telekinesis-sftp.pid"
 
 # if Telekinesis server is in use for this session, try to resume it
 if [ -n "$TEKICTRL_PORT" ] && [ "x$TEKICTRL_PORT" != "x-1" ]; then
-	(socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/sftp-server -R";)&
+	(socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"lib/telekinesis/server/bin/tekidata-sftpserver";)&
 	tekicmd -setSESSIONRESUME=1  -setX2GOSID=${X2GO_SESSION}
 	(sleep 20; ss -nl | egrep "^LISTEN.*127.0.0.1:$TEKIDATA_PORT.*" 1>/dev/null && kill -9 $(cat "$TEKIDATA_LOCK" | sed -e 's/[^0-9]*//g'); )&
 fi
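Review bot: The new EXEC target here is the relative path `lib/telekinesis/server/bin/tekidata-sftpserver`, whereas the post-start hunk uses the absolute `/usr/lib/telekinesis/server/bin/tekidata-sftpserver`; socat resolves a relative EXEC path against the current working directory of the hook, so resuming a session will fail unless that directory happens to be `/usr`. Use the same absolute path as in post-start: `EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver ${X2GO_SESSION}"` (the trailing argument is the session id the new script reads from `@ARGV`).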

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/telekinesis.git

