[X2Go-Dev] Bug#835: x2gobroker-ssh: cannot execute x2gobroker-agent if agent-query-mode is set to LOCAL

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Thu Apr 2 15:22:40 CEST 2015 

Package: x2gobroker-ssh
Severity: important
Version: 0.0.3.0-preview

x2gobroker-ssh cannot execute x2gobroker-agent if agent-query-mode is  
set to LOCAL.

Reason:

/usr/bin/x2gobroker-ssh is installed with these permissions:

-r-sr-x--- 1 x2gobroker <x2gobroker-users> 6168 Apr  1 06:24  
/usr/bin/x2gobroker-ssh

That means: only users that are members of the POSIX group  
<x2gobroker-users> (in Debian/Ubuntu, this is configurable via  
DebConf) can launch a fully featured X2Go Session Broker instance via  
SSH brokerage.

A user that is member of group <x2gobroker-users> launches  
x2gobroker-ssh and the process permissions are these:

   real uid: <uidNumber-of-the-user>
   real gid: <gidNumber-if-the-user>
   effective uid: x2gobroker
   effective gid: <gidNumber-if-the-user>

So, the setuid flag on /usr/bin/x2gobroker-ssh changes the effective  
user ID, but not the effective group ID.

If agent-query-mode is set to LOCAL, x2gobroker-ssh directly calls  
/usr/lib/x2go/x2gobroker-agent (via subprocess.Popen) and fails,  
because of insufficient priveleges:

-rwsr-x--- 1 root x2gobroker 6168 Apr  2 06:39 /usr/lib/x2go/x2gobroker-agent

Only users that are members of POSIX group "x2gobroker" can launch the  
x2gobroker-agent script (and gain root priveleges). In a sane  
environment, no user is member of this group (except the user  
"x2gobroker").

Solution:
---------

(root at medoc) {~} # cat /etc/sudoers.d/x2gobroker-ssh
# Allow members of group x2gobroker-users to execute any  
/usr/lib/x2go/x2gobroker-agent
%x2gobroker-users	ALL=(:x2gobroker) /usr/lib/x2go/x2gobroker-agent

If the user launching x2gobroker-ssh is member of the group  
<x2gobroker-users>, then the LOCAL query to the x2gobroker-agent is  
run via sudo. If the evoking user is not a member of the  
<x2gobroker-users> group, then no sudo gets used (e.g. for executing  
the x2gobroker-agent via agent-query-mode SSH or via agent-query-mode  
through the http broker implementation.

A patch is in prep and should be committed soon.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150402/d63aa3a1/attachment.pgp>

More information about the x2go-dev mailing list