[X2Go-Dev] Bug#1100: xterm's shell started from x2goclient has wrong PATH

Mark Dixon m.c.dixon at leeds.ac.uk
Tue Oct 11 16:17:07 CEST 2016 

Package: x2goclient
Version: 4.0.5.1

When an xterm is started via the x2goclient (either using the Published 
Applications feature, or asking for a 'Single application' of 'Terminal'), 
the PATH environment variable in the environment given to the user is not 
set as expected.

What I see from the xterm's shell:

   $ echo $PATH
   /usr/local/bin:/usr/bin:/bin:/opt/puppetlabs/bin:/apps/bin

What I see from an ordinary ssh login:

   $ echo $PATH
   /apps/mpi/bin:/apps/developers/libraries/openmpi/2.0.0/1/intel-16.0.2/bin:/apps/developers/compilers/intel/16.0.2/1/default/compilers_and_libraries_2016.2.181/linux/bin/intel64:/apps/developers/compilers/intel/16.0.2/1/default/debugger_2016/gdb/intel64_mic/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/opt/puppetlabs/bin:/apps/bin

This seems to be triggered by the fix for bug #336 (commit 4eb1fd1), which 
introduced the following characters into the launch commands in 
src/sshprocess.cpp:

   export PATH=\"/usr/local/bin:/usr/bin:/bin\";

This causes a problem because the login scripts are sourced both before 
and after the PATH is overridden. The way that some ordinary login scripts 
are written behave badly in this situation - here are some examples on our 
CentOS 7 system:

Example 1, /etc/profile.d/qt.sh (from OS package qt3-3.3.8b-51.el7.x86_64) 
contains:

   # Qt initialization script (sh)

   # In multilib environments there is a preferred architecture, 64 bit over 32 bit in x86_64,
   # ppc64. When a conflict is found between two packages corresponding with different arches,
   # the installed file is the one from the preferred arch. This is very common for executables
   # in /usr/bin, for example. If the file /usr/bin/foo is found  in an x86_64 package and in
   # an i386 package, the executable from x86_64 will be installe

   if [ -z "${QTDIR}" ]; then

   case `uname -m` in
      x86_64 | ia64 | s390x | ppc64)
         QT_PREFIXES="/usr/lib64/qt-3.3 /usr/lib/qt-3.3" ;;
      * )
         QT_PREFIXES="/usr/lib/qt-3.3 /usr/lib64/qt-3.3" ;;
   esac

   for QTDIR in ${QT_PREFIXES} ; do
     test -d "${QTDIR}" && break
   done
   unset QT_PREFIXES

   if ! echo ${PATH} | /bin/grep -q $QTDIR/bin ; then
      PATH=$QTDIR/bin:${PATH}
   fi

   QTINC="$QTDIR/include"
   QTLIB="$QTDIR/lib"

   export QTDIR QTINC QTLIB PATH

   fi

The first time this runs, PATH, QTDIR and the rest of the QT environment 
is set normally. PATH is then overridden by the x2go client. The second 
time this runs, $QTDIR is not a zero length string, so $QTDIR/bin is not 
added back to the PATH.

This explains why /usr/lib64/qt-3.3/bin does not appear in xterm's bash 
PATH environment variable.


Example 2, /etc/profile.d/modules.sh

We have the 'module' command installed (http://modules.sourceforge.net/) 
and doing something like this:

   # Setup 'module' environment
   case "$0" in
       -bash|bash|*/bash) . /apps/Modules/default/init/bash ;;
          -ksh|ksh|*/ksh) . /apps/Modules/default/init/ksh ;;
             -sh|sh|*/sh) . /apps/Modules/default/init/sh ;;
                       *) . /apps/Modules/default/init/sh ;;  # default for scripts
   esac

Followed by /etc/profile.d/zz_modules.sh with:

   # Load default module 'user'
   module load user

The first time this runs, PATH, the rest of the module environment and the 
default module are set/loaded normally, including LOADEDMODULES (which 
keeps track of what modules are loaded). PATH is then overridden by the 
x2goclient. The second time this runs, modules.sh runs normally, but the 
module load command in zz_modules.sh doesn't do anything as LOADEDMODULES 
tells it that it has already loaded 'user'. PATH remains incorrect, 
although other environment variables (LD_LIBRARY_PATH, etc.) are correct.


To be honest, I don't understand the logic of the bug that originally 
prompted the change, #336. If an attacker has access to the user's account 
on the remote system, there are endless possibilities for them to 
infiltrate the x2go client with arbitrary data.

Additionally, the fix for #336 unexpectedly limits the number of places a 
system administrator is permitted to install x2go.

Can someone help, please? Getting rid of overriding the server-side PATH 
in the client, or other solution, would allow us to offer x2go to our 
users, which would be really cool.

Thanks,

Mark

More information about the x2go-dev mailing list