[X2go-dev] sudo permissions?

Rob Lemley roblemley at gmail.com
Sun Oct 3 05:22:37 CEST 2010


Hey John,

I double-triple checked again, and tried a session myself that mounted
my desktop with my changes. No issues.

The only script that gets called with sudo is x2gopgwrapper. It's the
only script that can get called as it's the only entry added to the
sudoers file.

x2gopgwrapper calls one of x2pgwrapper_local, x2pgwrapper_sqlite, or
x2pgwrapper_net. That's all it does. Those scripts are giant case
blocks that only run SQL queries against a database. In the case of
sqlite you need to assume the id of the sqlite database file owner. (I
thought about making the file group-writable, but chose not to go that
direction. With the sudoers entry and the script there's some level of
protection from average-joe user mangling the database.) As for
postgres, it's the same idea. It can authenticate by userid with the
right entry in pg_hba.conf (?? right filename??)

The mounting and unmounting seems to be done through fuse so the only
privilege needed is to be a member of the fuse group.  The
x2gocleansessions process started by init will unmount a fuse mounted
directory if it finds a stale session, but that is running as root so
there's no issue there.

Enjoy the rest of your getaway!

-rob


<snip>
On Sat, Oct 2, 2010 at 9:56 AM, John A. Sullivan III
<jsullivan at opensourcedevel.com> wrote:
> <snip>
> Hi, Rob.  I'm on a getaway with the family and "sneaking" this in so I
> may be remembering the details incorrectly :)
>
> You may want to trace all the other scripts which are invoked as part of
> the process, especially x2gomount_sessions and x2goumount_sessions.
> These may need root access - I'm not sure - John
>
