Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=25
------------------------------------------------------------------------------
Ticket | 25
Created By | mike.gabriel(a)das-netzwerkteam.de
Summary | x2goprint in NFS4/Kerberos environments
Queue | x2goprint
Version | HEAD
Type | Bug
State | Unconfirmed
Priority | 1. Low
Owners |
------------------------------------------------------------------------------
mike.gabriel(a)das-netzwerkteam.de (2011-02-02 13:26) wrote:
x2goprint uses sudo to place PDF (print queue) files as user root into
the home directory of the server-side user. If the user's home
directory is mounted via NFS4/Krb5 (sec=krb5i or sec=krb5p), the
superuser root cannot access the user's home directory. Thus, the
x2goprint jobs cannot be placed into the user's home dir and x2goprint
will fail.
Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=39
------------------------------------------------------------------------------
Ticket | 39
Created By | dick.kniep(a)lindix.nl
Summary | Bug in dropbox
Queue | pyhoca-gui
Version | HEAD
Type | Bug
State | Unconfirmed
Priority | 1. Low
Operating System | 4
Owners |
------------------------------------------------------------------------------
dick.kniep(a)lindix.nl (2011-02-22 15:33) wrote:
I have taken a look at the code and it looks like the object is not
what you expect, but I do not immediately see what is going wrong
opgwrapper insertmount dick-53-1298383001_stRTERMINAL_dp24
"/tmp/dick_media/disk/_home_dick" 127.0.0.1', 'result: INSERT 0 1',
'inserted,', 'sshfs -o
IdentityFile=/home/dick/.x2go/ssh/key.z29045,UserKnownHostsFile=/home/dick/.x2go/ssh/key.z29045.ident dick(a)127.0.0.1:"/home/dick" "/tmp/dick_media/disk/_home_dick" -p 30003', 'mount /home/dick ok', 'fname: /home/dick/Desktop/_home_dick(sshfs-disk)',
'']
pyhoca-gui[26132] (x2godropboxqueue-pylib) NOTICE: processing incoming
X2go dropbox job: dick_groepen.xls
Exception in thread Thread-18:
Traceback (most recent call last):
File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
self.run()
File "/usr/lib/python2.6/threading.py", line 484, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/dick/x2go/pyhoca-gui/x2go/dropbox.py", line 214, in x2go_dropboxjob_handler
dropbox_action.profile_name = parent_thread.profile_name
AttributeError: 'unicode' object has no attribute 'profile_name'
Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=41
------------------------------------------------------------------------------
Ticket | 41
Created By | dick.kniep(a)lindix.nl
Summary | Security setup
Queue | pyhoca-gui
Version | HEAD
Type | Enhancement
State | New
Priority | 2. Medium
Owners |
------------------------------------------------------------------------------
dick.kniep(a)lindix.nl (2011-02-22 17:25) wrote:
Hi Mike,
Included is a description about the way the server can be configured
in such a way that the security is OK. In your config it was still
possible for a competent user to add a command to the ssh command.
With the included config that possibility is also closed. I would
suggest that this
lindix -> x2go -> (preliminary) report
Felix C. Stegerman <flx(a)obfusk.net>
2011-01-18 16:36
--
=== TODO === # {{{1
* wrapper
* analysis
* users, files/dirs, keys, ...
* ... meta !!!
* bash/perl code quality
* bugs
* ...
# }}}1
--
=== Situation (Example) === # {{{1
Provider: lindix
Apps: cvix, appX, appY
Services: x2goserver [ -> ssh ]
=== Clients, Users & Apps === # {{{2
Client  Users             Apps
------  -----             ----
foo     alice, bob        cvix
bar     chris, dan        cvix
baz     emma, fred, greg  appX

User  Apps
----  ----
dan   appX
fred  appY
# }}}2
=== Posix Groups & Users === # {{{2
Group         Users
-----         -----
x2gotunnel    foo, bar, baz
x2gousers     alice, bob, chris, dan, emma, fred, greg
( x2gosftp    alice-sftp, bob-sftp, ... )
( alice-sftp  alice-sftp, alice )
( bob-sftp    bob-sftp, bob )
( ...         ... )
# }}}2
# }}}1
=== CAVEATS === # {{{1
* All configuration examples should be double-checked and tested
before being used in a production environment.
* It is not clear to me how the various ports/protocols/services are
secured. It seems to me that:
* Other users (on the client) can access forwarded (server)
ports.
* Users with server access (e.g. via SSH port forwarding)
can access ports used by others.
* Unless: port/protocol/service access is
authenticated/restricted/controlled.
* Unknown: is the X/nx port/service secured (e.g. with xauth)?
* Unknown: are the sound/fs/printer/... ports/services secured?
* A firewall (e.g. shorewall) may be needed to prevent users
from accessing ports used by others.
* The rules in /etc/security/access.conf apply to all PAM
configurations using pam_access (with the default configuration
file), not just SSH. It may therefore be necessary to use
separate configuration files. The relevant examples assume that
pam_access is used only for SSH (or that the configuration is
compatible with all uses of pam_access). See pam_access(8).
* ...
# }}}1
=== Server (Changes) === # {{{1
=== SSH (+ PAM) === # {{{2
=== Notes === # {{{3
* With a little effort, it is possible to run two instances of
sshd: one for normal ssh (administrative) access, and one for
x2go. <<See Notes>> # TODO
# }}}3
,----[ /etc/ssh/sshd_config ] # {{{3
>> ->| Port 2222
| Protocol 2
->| # ListenAddress ...
|
| HostKey /etc/ssh/ssh_host_rsa_key
| HostKey /etc/ssh/ssh_host_dsa_key
|
| UsePrivilegeSeparation yes
|
| KeyRegenerationInterval 3600
| ServerKeyBits 768
|
| SyslogFacility AUTH
| LogLevel INFO
|
| LoginGraceTime 120
| PermitRootLogin no
| StrictModes yes
|
| RSAAuthentication no
| PubkeyAuthentication yes
|
->| # AuthorizedKeysFile %h/.ssh/authorized_keys
>> ..| AuthorizedKeysFile /etc/ssh-keys/%u/authorized_keys
|
| IgnoreRhosts yes
| RhostsRSAAuthentication no
| HostbasedAuthentication no
| IgnoreUserKnownHosts yes
|
| PermitEmptyPasswords no
| ChallengeResponseAuthentication no
->| PasswordAuthentication no
|
>> ->| AllowGroups wheel x2gotunnel x2gousers x2gosftp
|
->| X11Forwarding no
| X11DisplayOffset 10
| PrintMotd no
| PrintLastLog yes
| TCPKeepAlive yes
|
| AcceptEnv LANG LC_*
|
->| # Subsystem sftp /usr/lib/openssh/sftp-server
>> ..| Subsystem sftp internal-sftp
|
->| UsePAM yes
|
->| Match Group x2gotunnel
..| AllowTcpForwarding no
..| ForceCommand /bin/false
..| PasswordAuthentication no
>> ..| PermitOpen localhost:2222
..| X11Forwarding no
|
->| Match Group x2gousers
>> ..| # AllowTcpForwarding no
>> ..| ForceCommand /usr/local/bin/x2go-ssh-wrapper
..| PasswordAuthentication yes
>> ..| # PermitOpen localhost:30001 localhost:30002 ...
..| X11Forwarding no
|
->| Match Group x2gosftp
..| AllowTcpForwarding no
>> ..| ChrootDirectory /home/__sftp__/%u
..| ForceCommand internal-sftp
..| PasswordAuthentication yes
..| X11Forwarding no
`---- # }}}3
,----[ /etc/pam.d/sshd ] # {{{3
| ...
|
| # account required pam_access.so
++| account required pam_access.so
|
| ...
`---- # }}}3
,----[ /etc/security/access.conf ] # {{{3
| ...
|
>> ++| + : x2gotunnel : ALL
++| + : x2gousers x2gosftp : localhost
|
++| - : ALL EXCEPT wheel : ALL
`---- # }}}3
# }}}2
=== x2go SSH Wrapper === # {{{2
See <../bin/x2go-ssh-wrapper>.
# }}}2
# }}}1
=== Analyses === # {{{1
=== python-x2go === # {{{2
...
# }}}2
=== x2goserver === # {{{2
,----[ (relevant) files ] # {{{3
| INSTALL
?| debian/README.Debian
?| debian/changelog
?| debian/compat
?| debian/control
?| debian/copyright
?| debian/dirs
?| debian/docs
?| debian/init.d
| debian/preinst
?| debian/rules
?| sql
| x2gocleansessions
| x2gocmdexitmessage
| x2gocreatebase.sh
| x2gogetservers
| x2golistsessions
| x2golistsessions_root
| x2golistsessions_sql
| x2gomountdirs
| x2gopgwrapper
| x2gopgwrapper_local
| x2gopgwrapper_net
| x2gopgwrapper_sqlite
| x2goresume-session
| x2goruncommand
?| x2goserver.conf
| x2gosessionlimit
| x2goshowblocks
| x2gosqlite.sh
| x2gostartagent
| x2gosuspend-agent
| x2gosuspend-session
| x2goterminate
| x2goterminate-session
| x2goumount
| x2goumount_session
`---- # }}}3
...
# }}}2
# }}}1
=== Packages === # {{{1
=== Notes === # {{{2
* Dependencies considered extraneous to this report have been
omitted.
# }}}2
=== Server === # {{{2
x2goserver [x2go]
-> x2goagent [x2go]
-> nxcompext [x2go]
-> nxcomp [x2go]
-> nxcompshad [x2go]
-> sudo, openssh-server, openssh-client [!?], sshfs [!?]
# }}}2
=== Client === # {{{2
pyhoca-gui [gabriel]
-> python-x2go [gabriel]
-> nxproxy [x2go]
-> nxcomp [x2go]
-> python (>= 2.6), python-gevent, python-paramiko,
python-cups
-> python-argparse, python-notify, python-setproctitle,
python-wxtools
# }}}2
# }}}1
=== Remarks === # {{{1
This report is based on:
* Information provided by Dick Kniep.
* Searching the Internet.
* The sshd_config man page (and others).
* My (preliminary) analysis of:
Package      Version          Status
-------      -------          ------
python-x2go  0.0.31(-0~nwt1)  TODO
x2goclient   3.01(-5)         Done/Sufficient
x2goserver   3.0.1(-5)        TODO/Unfinished
# }}}1
--
vim: set ft= tw=70 sw=2 sts=2 et fdm=marker:
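The report above closes the "append your own command to ssh" hole by pinning each x2go group to a ForceCommand and disabling forwarding where it can. As an added example that is not part of the ticket or of x2go, this Python lint parses the Match Group blocks of such a config and reports where that pattern is not met; the embedded config is a constructed excerpt of the report's sshd_config, and the two policy dicts are my reading of its intent.

```python
# Added example (not x2go code) linting the report's sshd_config pattern; sample constructed.
SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
Match Group x2gotunnel
    AllowTcpForwarding no
    ForceCommand /bin/false
    PermitOpen localhost:2222
Match Group x2gousers
    ForceCommand /usr/local/bin/x2go-ssh-wrapper
Match Group x2gosftp
    AllowTcpForwarding no
    ChrootDirectory /home/__sftp__/%u
    ForceCommand internal-sftp
"""

# Global defaults the report relies on; every Match Group block must also pin
# ForceCommand so a user cannot append their own command to the ssh call.
REQUIRED_GLOBAL = {"permitrootlogin": "no", "passwordauthentication": "no", "x11forwarding": "no"}
REQUIRED_IN_MATCH = {"forcecommand"}

def parse_sshd_config(text):
    """Return (global_opts, {group: opts}); keys lower-cased, comments dropped."""
    global_opts, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            crit = value.split()  # only "Match Group <name>" is modelled here
            is_group = len(crit) == 2 and crit[0].lower() == "group"
            current = blocks.setdefault(crit[1], {}) if is_group else None
            continue
        (global_opts if current is None else current)[key.lower()] = value.strip()
    return global_opts, blocks

def lint(text):
    """Return findings as strings; an empty list means the pattern is met."""
    global_opts, blocks = parse_sshd_config(text)
    findings = [f"global {k} should be {v}" for k, v in REQUIRED_GLOBAL.items()
                if global_opts.get(k, "").lower() != v]
    for group, opts in blocks.items():
        findings += [f"Match Group {group}: {k} not set"
                     for k in sorted(REQUIRED_IN_MATCH - set(opts))]
        # Forwarding neither disabled nor narrowed by PermitOpen (the report's caveat).
        if opts.get("allowtcpforwarding", "yes").lower() != "no" and "permitopen" not in opts:
            findings.append(f"Match Group {group}: TCP forwarding unrestricted")
    return findings
```

On the constructed excerpt the only finding is the x2gousers block, whose forwarding options the report left commented out.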
Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=34
------------------------------------------------------------------------------
Ticket | 34
Created By | schulz(a)math.uni-goettingen.de
Summary | Config-options for more ldap-settings
Queue | x2goclient-qt
Version | 3.0.1.17
Type | Enhancement
State | New
Priority | 1. Low
Owners |
------------------------------------------------------------------------------
schulz(a)math.uni-goettingen.de (2011-02-04 14:48) wrote:
ldap-settings for the ldap-backend should have some more options,
which otherwise have to be hacked in the client.
1) authentication-credentials for ldap-access
2) searchbase for nodes and perhaps a different searchbase for settings
Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=31
------------------------------------------------------------------------------
Ticket | 31
Created By | schulz(a)math.uni-goettingen.de
Summary | loadbalancing broken; there is only one ssh-connection
| (with the firstserver)
Queue | x2goclient-qt
Version | 3.0.1.17
Type | Bug
State | Unconfirmed
Priority | 3. High
Operating System | 1
Owners |
------------------------------------------------------------------------------
schulz(a)math.uni-goettingen.de (2011-02-03 20:45) wrote:
After upgrading to 3.0.1.17 I realized that loadbalancing between
several servers doesn't happen anymore. Then I tried to debug and fix
the problem: There is only one mastersshconnection to the firstserver
it seems, and for example listing of the sessions per server is done
all the way on the same server resulting in duplicate entries for
example for resuming a session. Also there is always only the
firstserver selected as server to connect to, due to the same reason.
Unfortunately I wasn't able to fix it today, because I didn't understand
well enough how your ssh-connections work.
Priority is high, because it breaks a setup with multiple servers.
Ticket URL: http://code.x2go.org/horde4/whups/ticket/?id=32
------------------------------------------------------------------------------
Ticket | 32
Created By | schulz(a)math.uni-goettingen.de
Summary | db_getservers doesn't parse output correctly
Queue | x2goserver
Version | 3.0.99
Type | Bug
State | Unconfirmed
Priority | 2. Medium
Operating System | 1
Owners |
------------------------------------------------------------------------------
schulz(a)math.uni-goettingen.de (2011-02-03 20:52) wrote:
The function db_getservers in /usr/lib/x2go/x2godbwrapper.pm only parses
the first column of the SQL output, resulting only in server names but
not the counts of the sessions. This breaks sorting the servers for
loadbalancing regarding number of sessions per host.
The fix is simple:
426c425
< @strings[$i++]=@data[0];
---
> @strings[$i++]=@data[0].' '.@data[1];
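Review bot: the replacement line keeps array-slice syntax (`@data[0]`, `@data[1]`) where a single scalar element is meant; it only works because the `.` operator forces scalar context on each slice, and under `use warnings` Perl reports "Scalar value @data[0] better written as $data[0]". Suggest `$strings[$i++] = "$data[0] $data[1]";` (or `join(' ', @data[0,1])`), and consider guarding the case where the count column is absent so the caller that sorts servers by session count does not receive an undefined second field.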