[X2go-dev] x2go security Issues

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Thu Jan 20 11:05:21 CET 2011


On 20.01.2011 10:24, Moritz Struebe wrote:
> Hi,
> Morning,
> 
> I am testing PyHoca. One of the problems I came across is that the
> client checks whether I am in the x2go group - which I'm not. I also
> noticed that some other security checks are done in the client. I
> believe this is dangerous, because administrators might think that these
> are real security checks, while they can easily be circumvented. I
> believe these checks must be done server-side. That way they can also
> easily be adjusted by administrators.
> 
> Besides that, one of our admins did quite a few security patches to
> avoid x2gowrapper having to run as root. At the moment this only works
> for Postgres. Nonetheless I must say that I'm not happy running
> x2gowrapper, which is easy to exploit using SQL injections, as root. It
> should at least do a "sudo -u x2go" or similar. This user only needs
> access to the database. That way, in the worst case the DB is corrupted and not
> the whole system.
> 
> Cheers
> Morty

Hello Moritz,

I can't say anything about PyHoca, but x2goclient does not make those checks.

You are quite right about pgwrapper. Changing "sudo" to "sudo -u x2go"
is at the top of our todo list and will be made in the next version of
x2goserver. But I don't think that it is so easy to use x2gowrapper to
do something bad with a system. Sure, if you can show me a working
exploit, I will put all other things I have to do on ice and concentrate
on this problem. In any case I'll change the behavior of x2goserver very soon.

Regards,
alex
-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home
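The two points raised in this exchange, a group-membership check that belongs on the server rather than in the client, and a database wrapper whose queries are built from user-supplied strings, are illustrated below. This is an added example, not code from x2goclient, PyHoca or x2goserver, and it makes no claim about what pgwrapper actually does; the group name "x2gousers", the "sessions" table and its columns, and the sample rows are assumptions made for the illustration. It uses SQLite in memory so that it runs offline; the point about string-built versus parameterized queries is the same for PostgreSQL.

```python
"""Server-side authorization checks of the kind discussed in the thread.

Added example, not x2go project code. The group name "x2gousers", the
"sessions" table, its columns and the sample rows are assumptions.
"""
import grp
import sqlite3


def user_in_group(user, group, group_lines):
    """Return True if `user` is listed as a member of `group`.

    `group_lines` are lines in /etc/group format ("name:x:gid:members"),
    passed in explicitly so the check can be exercised offline. On a real
    server this check runs on the server's own group database, which the
    client cannot edit, so it cannot be circumvented by a modified client.
    """
    for line in group_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or fields[0] != group:
            continue
        members = [m for m in fields[3].split(",") if m]
        return user in members
    return False


def user_in_system_group(user, group):
    """Same check against the live group database via the grp module."""
    try:
        entry = grp.getgrnam(group)
    except KeyError:
        return False
    return user in entry.gr_mem


def open_session_db():
    """In-memory SQLite stand-in for a session database (assumed schema,
    constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (uname TEXT, session_id TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)", [
        ("alice", "alice-50-1295518000_stD"),
        ("bob", "bob-51-1295518100_stD"),
    ])
    return db


def sessions_for_user_unsafe(db, uname):
    """String-built query: the user name is interpolated into the SQL text,
    so a name such as "' OR '1'='1" changes the WHERE clause and returns
    every user's sessions. This is the pattern the thread warns about."""
    sql = "SELECT session_id FROM sessions WHERE uname = '%s'" % uname
    return [row[0] for row in db.execute(sql)]


def sessions_for_user_safe(db, uname):
    """Parameterized query: the user name is bound as data by the driver,
    never parsed as SQL, so the same input simply matches no row."""
    sql = "SELECT session_id FROM sessions WHERE uname = ?"
    return [row[0] for row in db.execute(sql, (uname,))]


if __name__ == "__main__":
    groups = ["root:x:0:", "x2gousers:x:1001:alice,morty"]
    print("morty in x2gousers:", user_in_group("morty", "x2gousers", groups))
    db = open_session_db()
    payload = "' OR '1'='1"
    print("unsafe:", sessions_for_user_unsafe(db, payload))
    print("safe:  ", sessions_for_user_safe(db, payload))
```

Parameterized queries remove the injection, but they do not change the blast radius of a bug in the wrapper: running it as a dedicated low-privilege database user, as suggested with "sudo -u x2go", is what limits the worst case to the database rather than the whole host.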
