[X2go-dev] x2go security Issues

Kevin Moellering kevinmoellering at lavabit.com
Mon Feb 14 10:23:57 CET 2011


Hello x2go devs,

I've noticed that although you seem to have solved the security flaws in 
the database access, the preinst script in the repository for lenny [1] 
has not been updated since late 2009. It still contains the command to 
give all users sudo root permissions on the x2gopgwrapper.

I would appreciate knowing some kind of time frame for when you are planning 
to integrate the update into your repository, because we're planning to 
install x2go on around 50 hosts of a PC pool at the RWTH Aachen 
University. Since we do not want to go through the process of checking 
out new sources, building them and installing them now and then on every 
machine, we would like to use the deb-repository with apt-get and not 
some git based source repository.

Furthermore I've got a rather special question. On a current test-system 
we have replaced the x2gousers group by a custom group that each user 
that should be allowed to use x2go already is included in. We have 
decided to do so because we do not want to add additional groups.
Since you are going to change this specific line in the sudoers file, I 
wonder if this is still possible.
If you are just replacing the semantics of "everybody in x2gousers gets 
root for /usr/bin/x2gopgwrapper" by "everybody in x2gousers gets 
$someSpecialX2goUser for /usr/bin/x2gopgwrapper" (where 
$someSpecialX2goUser is a user that is just allowed to access the 
databases), this should be easily possible, shouldn't it?

And last but not least: You're doing a very good piece of work :)

Thanks in advance for your help.

With regards,

Kevin Möllering




[1] http://x2go.obviously-nice.de/deb/pool-lenny/x2goserver/

Mike Gabriel wrote:
> Hi Alex,
> 
> On Do 20 Jan 2011 17:26:28 CET "John A. Sullivan III" wrote:
> 
>> On Thu, 2011-01-20 at 16:17 +0100, Oleksandr Shneyder wrote:
>>> On 20.01.2011 15:39, Alexander Wuerstlein wrote:
>>>
>>> > Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable
>>> > to get root in 2 ways:
>>> > - in the current git version, set 'startshadowagent' as the first
>>> >   parameter. Choose the 11th parameter in a way such that SHADOW_USER is
>>> >   set to 'root'. Set the second parameter ($CLIENT) to something like
>>> >   'foo ; rm -fr /'. Profit.
>>> > - in the git as well as the stable version, when the database is sqlite:
>>> >   the x2gopgwrapper_sqlite runs as root meaning that any sql injection
>>> >   into sqlite would run as root. One possible injection would set the
>>> >   sqlite output file to /etc/shadow (via .output /etc/shadow) and
>>> >   overwrite it with a customized version including a new root password
>>> >   chosen by the attacker. Profit.
>>>
>>> I see, thank you Alexander. We'll fix it as quickly as possible.
>>> Regards,
>> <snip>
>> It has probably been roughly a year but I had posted some changes we
>> made because we were very uncomfortable calling PostgreSQL as postgres.
>> In fact, we combined it with our vserver work and eventually used user
>> based schemas so we could use a single database for any number of X2Go
>> Servers - John
> 
> John sent these patches (with docs!!!) to the list on 20100702. I had 
> taken a look at them then and they looked quite promising. They are 
> definitely worth looking at to address this issue.
> 
> Cheerio,
> Mike
> 
> 
> 
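An added audit check, not code from this thread or from the x2go project, for the sudoers change discussed above (the wrapper being granted to root, and Kevin's question about running it as a dedicated database user instead): it flags sudoers rules that still let a group run /usr/bin/x2gopgwrapper as root and accepts rules that run it as an unprivileged user. The group pool-users and the user x2godb are placeholder names.

```shell
#!/bin/sh
# Audit a sudoers fragment for rules that let a group run the x2gopgwrapper
# as root rather than as a dedicated, otherwise unprivileged database user.
# Sample fragments below are constructed; pool-users and x2godb are placeholders.

WRAPPER=/usr/bin/x2gopgwrapper

# Print every rule line (comments and blank lines skipped) that names the
# wrapper and whose runas user is root or ALL, or that has no (user) spec
# at all, since sudo then defaults to root.
root_wrapper_rules() {
    awk -v w="$WRAPPER" '
        /^[ \t]*(#|$)/    { next }                # comment or blank line
        index($0, w) == 0 { next }                # rule not about the wrapper
        {
            runas = "root"                        # no (user) spec => root
            if (match($0, /\([^)]*\)/))
                runas = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[ \t]/, "", runas)              # "(user : group)" spacing
            split(runas, parts, ":")              # keep only the user part
            if (parts[1] == "root" || parts[1] == "ALL")
                print
        }' "$1"
}

# Returns 0 when no rule grants root for the wrapper, 1 otherwise.
check_sudoers_fragment() {
    [ -z "$(root_wrapper_rules "$1")" ]
}

WEAK=$(mktemp); CORRECTED=$(mktemp)
trap 'rm -f "$WEAK" "$CORRECTED"' EXIT

cat > "$WEAK" <<'EOF'
# old semantics: everybody in x2gousers gets root for the wrapper
%x2gousers ALL=(root) NOPASSWD: /usr/bin/x2gopgwrapper
EOF

cat > "$CORRECTED" <<'EOF'
# corrected semantics: a site-specific group runs the wrapper only as the
# dedicated database user x2godb (placeholder name), never as root
%pool-users ALL=(x2godb) NOPASSWD: /usr/bin/x2gopgwrapper
EOF

check_sudoers_fragment "$WEAK" && echo "weak: ok" || echo "weak: grants root"
check_sudoers_fragment "$CORRECTED" && echo "corrected: ok" || echo "corrected: grants root"
```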