This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository telekinesis.
commit b47dabb600d8aaad1a29384ede57641a0c046deb
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Wed Oct 1 06:15:33 2014 +0200
ship our own Perl-based SFTP server
---
debian/control | 2 +-
.../lib/telekinesis/server/bin/tekidata-sftpserver | 68 ++++++++++++++++++++
.../post-start.d/000_telekinesis-server-startup | 5 +-
.../pre-resume.d/000_telekinesis-server-resume | 2 +-
4 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/debian/control b/debian/control
index b1e4500..9c19c96 100644
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Depends: libx2go-telekinesis-server-perl (>= ${source:Version}),
libx2go-telekinesis-server-perl (<< ${source:Version}.1~),
x2goserver-extensions (>= 4.1.0.0~),
socat,
- openssh-sftp-server (>= 1:6.6) | openssh-server (<< 1:6.6),
+ libnet-sftp-sftpserver-perl,
Description: Telekinesis server for X2Go
X2Go is a server based computing environment with - session resuming
diff --git a/server/lib/telekinesis/server/bin/tekidata-sftpserver b/server/lib/telekinesis/server/bin/tekidata-sftpserver
new file mode 100755
index 0000000..d404ef8
--- /dev/null
+++ b/server/lib/telekinesis/server/bin/tekidata-sftpserver 
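Review bot: The added Depends entry lists only libnet-sftp-sftpserver-perl, while the script this commit ships also does `use BSD::Resource` for setrlimit; unless that module is already declared elsewhere in the field outside this hunk, the runtime dependency on the package providing BSD::Resource (libbsd-resource-perl in Debian) is missing and the socat-spawned server will die at compile time on a clean install. Suggested: `libnet-sftp-sftpserver-perl, libbsd-resource-perl,`. The removed alternative carried a version constraint; if a minimum version of the Perl SFTP server is needed for the options used by the script, add one here too.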
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Net::SFTP::SftpServer ( { log => 'local5' }, qw ( :LOG :ACTIONS ) );
+use BSD::Resource; # for setrlimit
+
+# Security - make sure we have started this as sftp not ssh
+#unless ( scalar @ARGV == 3 and
+# $ARGV[1] eq '-c' and
+# ($ARGV[2] eq '/usr/lib/telekinesis/server/bin/tekidata-sftpserver') ){
+#
+# logError "SFTP connection attempted for application $ARGV[1], $ARGV[2] - exiting";
+# print "\n\rYou do not have permission to login interactively to this host.\n\r\n\rPlease contact the system administrator if you believe this to be a configuration error.\n\r";
+# exit 1;
+#}
+
+my $session_name = shift;
+my $my_home = $ENV{HOME};
+
+my $MEMLIMIT = 100 * 1024 * 1024; # 100 Mb
+
+# hard limits on process memory usage;
+setrlimit( RLIMIT_RSS, $MEMLIMIT, $MEMLIMIT );
+setrlimit( RLIMIT_VMEM, $MEMLIMIT, $MEMLIMIT );
+
+my $debug = (defined DEBUG_USER->{uc(getpwuid($>))} and DEBUG_USER->{uc(getpwuid($>))}) ? 1 : 0;
+
+my $sftp = Net::SFTP::SftpServer->new(
+ debug => $debug,
+ home => "$my_home/.x2go/C-$session_name/telekinesis/remote",
+ file_perms => 0600,
+# on_file_sent => \&ActionOnSent,
+# on_file_received => \&ActionOnReceived,
+ valid_filename_char => [ 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '_', '.', '-' ],
+ follow_symlinks =>
+ deny => ALL,
+ allow => [ (
+ SSH2_FXP_OPEN,
+ SSH2_FXP_CLOSE,
+ SSH2_FXP_READ,
+ SSH2_FXP_LSTAT,
+ SSH2_FXP_STAT_VERSION_0,
+ SSH2_FXP_FSTAT,
+ SSH2_FXP_OPENDIR,
+ SSH2_FXP_READDIR,
+ SSH2_FXP_REMOVE,
+ SSH2_FXP_STAT,
+ SSH2_FXP_RENAME,
+ SSH2_FXP_READLINK,
+ )],
+ fake_ok => [ (
+ SSH2_FXP_SETSTAT,
+ SSH2_FXP_FSETSTAT,
+ )],
+);
+
+$sftp->run();
+
+sub ActionOnSent {
+ my $fileObject = shift;
+ ## Do Stuff
+}
+
+sub ActionOnReceived {
+ my $fileObject = shift;
+ ## Do Stuff
+}
diff --git a/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup b/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
index 5653802..0fe5dad 100755 
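Review bot: The option list handed to Net::SFTP::SftpServer->new is mis-paired from the line `follow_symlinks =>` onward, because that key is given no value: `deny` is consumed as its value, `ALL` becomes a key, and `allow` and `fake_ok` no longer arrive as option names, so the deny-everything-except-whitelist policy the script visibly intends never reaches the module (Perl also warns about the odd number of elements). Give the key an explicit value the module accepts, or delete the line, so that `deny => ALL,`, `allow => [ ... ],` and `fake_ok => [ ... ],` are parsed as their own options. Separately, `my $session_name = shift;` expects the session name as the first argument, but the socat EXEC lines in the post-start and pre-resume hunks run the script with no arguments, so `home` would be built from an undefined name as `$HOME/.x2go/C-/telekinesis/remote`; either pass the session name on the EXEC lines or derive it from the environment the extension scripts export. The `# Security` ARGV check is commented out and `ActionOnSent`/`ActionOnReceived` are unreferenced stubs; each deserves either wiring up or a one-line comment stating why it is disabled.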
--- a/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
+++ b/server/lib/x2go/extensions/post-start.d/000_telekinesis-server-startup
@@ -30,10 +30,7 @@ export DISPLAY=:$(echo $X2GO_SESSIONINFO | cut -d "|" -f3 | sed -e "s/[^0-9\-]//
# launch Telekinesis server (if supported)
if [ -n "$TEKICTRL_PORT" ] && [ "x$TEKICTRL_PORT" != "x-1" ]; then
- # FIXME: for a short fraction of time the below socket opening allows an attacker on localhost
- # to sshfs into the local machine for the user who has opened this socket. This
- # needs to be fixed/changed!!!
- (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/sftp-server -R";)&
+ (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver";)&
(telekinesis-server -setDEBUG=1 -setBINDTOPORT=${TEKICTRL_PORT} > ~/.x2go/C-${X2GO_SESSION}/telekinesis-server.log;)&
(sleep 20; ss -nl | egrep "^LISTEN.*127.0.0.1:$TEKIDATA_PORT.*" 1>/dev/null && kill -9 $(cat "$TEKIDATA_LOCK" | sed -e 's/[^0-9]*//g'); )&
fi
diff --git a/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume b/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
index 4bad305..63b1475 100755
--- a/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume
+++ b/server/lib/x2go/extensions/pre-resume.d/000_telekinesis-server-resume 
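Review bot: The FIXME is deleted on the removed lines, but the added line keeps the same `TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1` listener with no peer authentication, so any local user can still connect to that port while socat is listening; the note described the listener, not the `sftp-server -R` backend that was swapped out. The new backend is also not read-only the way `-R` was: the allow list in tekidata-sftpserver includes SSH2_FXP_REMOVE and SSH2_FXP_RENAME, so a connection from another local account now has write effects inside the session's remote directory, which widens rather than closes the gap the comment warned about. Keep the warning next to the new line (for example `# NOTE: any local user can connect to 127.0.0.1:${TEKIDATA_PORT} while this listener is up; tekidata-sftpserver is not read-only`) until the listener is restricted, e.g. to a unix socket with owner-only mode if the client side permits it.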
@@ -28,7 +28,7 @@ TEKIDATA_LOCK="$HOME/.x2go/C-${X2GO_SESSION}/telekinesis-sftp.pid"
# if Telekinesis server is in use for this session, try to resume it
if [ -n "$TEKICTRL_PORT" ] && [ "x$TEKICTRL_PORT" != "x-1" ]; then
- (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"/usr/lib/sftp-server -R";)&
+ (socat -W "$TEKIDATA_LOCK" TCP4-LISTEN:${TEKIDATA_PORT},reuseaddr,bind=127.0.0.1 EXEC:"lib/telekinesis/server/bin/tekidata-sftpserver";)&
tekicmd -setSESSIONRESUME=1 -setX2GOSID=${X2GO_SESSION}
(sleep 20; ss -nl | egrep "^LISTEN.*127.0.0.1:$TEKIDATA_PORT.*" 1>/dev/null && kill -9 $(cat "$TEKIDATA_LOCK" | sed -e 's/[^0-9]*//g'); )&
fi
-- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/telekinesis.git
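Review bot: The EXEC path on the added line is relative (`lib/telekinesis/server/bin/tekidata-sftpserver`) whereas the post-start hunk uses the absolute `/usr/lib/telekinesis/server/bin/tekidata-sftpserver`; socat resolves it against its current working directory, so on resume the SFTP backend either fails to start or runs whatever file happens to sit at that relative path under the session's cwd. Use the same absolute path as in post-start: `EXEC:"/usr/lib/telekinesis/server/bin/tekidata-sftpserver"`. Since both extension scripts spawn the identical socat command, a shared helper or variable for the backend path would keep them from drifting apart again.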