[X2Go-Commits] [telekinesis] 02/02: ship our own Perl-based SFTP server
git-admin at x2go.org
git-admin at x2go.org
Wed Oct 1 06:16:21 CEST 2014
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository telekinesis.
commit b47dabb600d8aaad1a29384ede57641a0c046deb
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Wed Oct 1 06:15:33 2014 +0200
ship our own Perl-based SFTP server
---
debian/control | 2 +-
.../lib/telekinesis/server/bin/tekidata-sftpserver | 68 ++++++++++++++++++++
.../post-start.d/000_telekinesis-server-startup | 5 +-
.../pre-resume.d/000_telekinesis-server-resume | 2 +-
4 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/debian/control b/debian/control
index b1e4500..9c19c96 100644
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Depends:
libx2go-telekinesis-server-perl (>= ${source:Version}), libx2go-telekinesis-server-perl (<< ${source:Version}.1~),
x2goserver-extensions (>= 4.1.0.0~),
socat,
- openssh-sftp-server (>= 1:6.6) | openssh-server (<< 1:6.6),
+ libnet-sftp-sftpserver-perl,
Description: Telekinesis server for X2Go
X2Go is a server based computing environment with
- session resuming
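Review bot: The new Depends entry adds only libnet-sftp-sftpserver-perl, but the tekidata-sftpserver script added in this commit also does `use BSD::Resource;` for setrlimit; unless libnet-sftp-sftpserver-perl already depends on libbsd-resource-perl, the script will fail at compile time on a clean install. Consider `libnet-sftp-sftpserver-perl, libbsd-resource-perl,` on the added line.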
diff --git a/server/lib/telekinesis/server/bin/tekidata-sftpserver b/server/lib/telekinesis/server/bin/tekidata-sftpserver
new file mode 100755
index 0000000..d404ef8
--- /dev/null
+++ b/server/lib/telekinesis/server/bin/tekidata-sftpserver
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Net::SFTP::SftpServer ( { log => 'local5' }, qw ( :LOG :ACTIONS ) );
+use BSD::Resource; # for setrlimit
+
+# Security - make sure we have started this as sftp not ssh
+#unless ( scalar @ARGV == 3 and
+# $ARGV[1] eq '-c' and
+# ($ARGV[2] eq '/usr/lib/telekinesis/server/bin/tekidata-sftpserver') ){
+#
+# logError "SFTP connection attempted for application $ARGV[1], $ARGV[2] - exiting";
+# print "\n\rYou do not have permission to login interactively to this host.\n\r\n\rPlease contact the system administrator if you believe this to be a configuration error.\n\r";
+# exit 1;
+#}
+
+my $session_name = shift;
+my $my_home = $ENV{HOME};
+
+my $MEMLIMIT = 100 * 1024 * 1024; # 100 Mb
+
+# hard limits on process memory usage;
+setrlimit( RLIMIT_RSS, $MEMLIMIT, $MEMLIMIT );
+setrlimit( RLIMIT_VMEM, $MEMLIMIT, $MEMLIMIT );
+
+my $debug = (defined DEBUG_USER->{uc(getpwuid($>))} and DEBUG_USER->{uc(getpwuid($>))}) ? 1 : 0;
+
+my $sftp = Net::SFTP::SftpServer->new(
+ debug => $debug,
+ home => "$my_home/.x2go/C-$session_name/telekinesis/remote",
+ file_perms => 0600,
+# on_file_sent => \&ActionOnSent,
+# on_file_received => \&ActionOnReceived,
+ valid_filename_char => [ 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '_', '.', '-' ],
+ follow_symlinks =>
+ deny => ALL,
+ allow => [ (
+ SSH2_FXP_OPEN,
+ SSH2_FXP_CLOSE,
+ SSH2_FXP_READ,
+ SSH2_FXP_LSTAT,
+ SSH2_FXP_STAT_VERSION_0,
+ SSH2_FXP_FSTAT,
+ SSH2_FXP_OPENDIR,
+ SSH2_FXP_READDIR,
+ SSH2_FXP_REMOVE,
+ SSH2_FXP_STAT,
+ SSH2_FXP_RENAME,
+ SSH2_FXP_READLINK,
+ )],
+ fake_ok => [ (
+ SSH2_FXP_SETSTAT,
+ SSH2_FXP_FSETSTAT,
+ )],
+);
+
+$sftp->run();
+
+sub ActionOnSent {
+ my $fileObject = shift;
+ ## Do Stuff
+}
+
+sub ActionOnReceived {
+ my $fileObject = shift;
+ ## Do Stuff
+}
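Review bot: `follow_symlinks =>` on the line before `deny => ALL,` has no value, so the fat comma quotes `deny` as its value and shifts every following pair: `deny`, `allow` and `fake_ok` are never passed to the constructor under those names, the operation restriction this script exists for is silently lost, and the trailing array ref leaves an odd-element argument list. Either give the option a value, if Net::SFTP::SftpServer supports it, or delete that line so that `deny => ALL,` becomes the key again. Separately, `my $session_name = shift;` expects the session id as the first argument, but the socat EXEC lines in the post-start and pre-resume hunks below invoke the script with no arguments, so `home` becomes `$my_home/.x2go/C-/telekinesis/remote` under an uninitialized-value warning; pass `${X2GO_SESSION}` from those hooks or read it from the environment. The `ActionOnSent`/`ActionOnReceived` stubs and the commented-out argv check are dead code; drop them or leave a comment saying why they are kept. The return values of both `setrlimit` calls are also unchecked, so a failed limit goes unnoticed.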
diff --git a/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup b/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
index 5653802..0fe5dad 100755
--- a/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
+++ b/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
@@ -30,10 +30,7 @@ export DISPLAY=:$(echo $X2GO_SESSIONINFO | cut -d "|" -f3 | sed -e "s/[^0-9\-]//
# launch Telekinesis server (if supported)
if [ -n "$TEKICTRL_PORT" ] && [ "x$TEKICTRL_PORT" != "x-1" ]; then
- # FIXME: for a short fraction of time the below socket opening allows an attacker on localhost
- # to sshfs into the local machine for the user who has opened this socket. This
- # needs to be fixed/changed!!!
- (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/sftp-server -R";)&
+ (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver";)&
(telekinesis-server -setDEBUG=1 -setBINDTOPORT=${TEKICTRL_PORT} > ~/.x2go/C-${X2GO_SESSION}/telekinesis-server.log;)&
(sleep 20; ss -nl | egrep "^LISTEN.*127.0.0.1:$TEKIDATA_PORT.*" 1>/dev/null && kill -9 $(cat "$TEKIDATA_LOCK" | sed -e 's/[^0-9]*//g'); )&
fi
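Review bot: The FIXME about the localhost exposure window is deleted, yet the new EXEC line still has socat listening on 127.0.0.1:${TEKIDATA_PORT} with no authentication before the session's client connects; the Perl server narrows what a connecting peer can do (restricted home, deny/allow list) but does not close that window, so the comment should be kept or reworded rather than removed. Suggested replacement: `# NOTE: the listener is unauthenticated until the client connects; the SFTP server limits scope (home dir, operation allow-list) but any local user can still reach this port first.`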
diff --git a/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume b/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
index 4bad305..63b1475 100755
--- a/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
+++ b/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
@@ -28,7 +28,7 @@ TEKIDATA_LOCK="$HOME/.x2go/C-${X2GO_SESSION}/telekinesis-sftp.pid"
# if Telekinesis server is in use for this session, try to resume it
if [ -n "$TEKICTRL_PORT" ] && [ "x$TEKICTRL_PORT" != "x-1" ]; then
- (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/sftp-server -R";)&
+ (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"lib/telekinesis/server/bin/tekidata-sftpserver";)&
tekicmd -setSESSIONRESUME=1 -setX2GOSID=${X2GO_SESSION}
(sleep 20; ss -nl | egrep "^LISTEN.*127.0.0.1:$TEKIDATA_PORT.*" 1>/dev/null && kill -9 $(cat "$TEKIDATA_LOCK" | sed -e 's/[^0-9]*//g'); )&
fi
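Review bot: The EXEC target on the added line is the relative path `lib/telekinesis/server/bin/tekidata-sftpserver`, whereas the post-start hook in this same commit uses `/usr/lib/telekinesis/server/bin/tekidata-sftpserver`; socat resolves a relative EXEC path against its working directory, so on resume the server will not be found unless the cwd happens to be /usr. Use the absolute path here as in the post-start hook: `EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver"`.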
--