This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 7f0f216383f8729306a685693b58d473e41d216b Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Thu Apr 2 16:02:44 2015 +0200 x2gobroker-ssh: When agent query mode is set to LOCAL, Execute x2gobroker-agent via sudo as group "X2GOBROKER_DAEMON_GROUP". (Fixes: #835). --- Makefile | 8 ++++++-- debian/changelog | 3 +++ debian/rules | 2 ++ debian/x2gobroker-ssh.install | 1 + lib/x2gobroker-agent.pl | 9 ++++++--- x2gobroker-ssh.sudo | 3 +++ x2gobroker.spec | 1 + x2gobroker/agent.py | 16 ++++++++++++++-- 8 files changed, 36 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 29e4303..025eb07 100755 --- a/Makefile +++ b/Makefile @@ -141,14 +141,18 @@ install: "${DESTDIR}${BINDIR}/x2gobroker-daemon" ${INSTALL_PROGRAM} sbin/x2gobroker-daemon-debug \ "${DESTDIR}${SBINDIR}/" - + # x2gobroker-ssh mkdir -p "${DESTDIR}${BINDIR}" "${DESTDIR}${SBINDIR}" \ - "${DESTDIR}${MANDIR}/man1" + "${DESTDIR}${ETCDIR}/sudoers.d" \ + "${DESTDIR}${MANDIR}/man1" ${INSTALL_FILE} man/man1/x2gobroker-ssh.1* \ "${DESTDIR}${MANDIR}/man1" ${INSTALL_PROGRAM} bin/x2gobroker-ssh \ "${DESTDIR}${BINDIR}/" + ${INSTALL_FILE} x2gobroker-ssh.sudo \ + "${DESTDIR}${ETCDIR}/sudoers.d/" + mv "${DESTDIR}${ETCDIR}/sudoers.d/x2gobroker-ssh.sudo" "${DESTDIR}${ETCDIR}/sudoers.d/x2gobroker-ssh" # x2gobroker-wsgi mkdir -p "${DESTDIR}${ETCDIR}" "${DESTDIR}/etc/logrotate.d" diff --git a/debian/changelog b/debian/changelog index 3d4759e..88e28c5 100644 --- a/debian/changelog +++ b/debian/changelog 
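Review bot: The sudoers fragment is installed under `${DESTDIR}${ETCDIR}/sudoers.d/`, but the context line just below creates `${DESTDIR}/etc/logrotate.d` with a literal `/etc`, which suggests ETCDIR is the package's own configuration directory rather than `/etc`. If so, sudo never reads the file, whereas the Debian and RPM packaging in this same commit ship it to `etc/sudoers.d/` and `%_sysconfdir/sudoers.d`; ETCDIR's value is not visible in the hunk, so this needs confirming. The install-then-`mv` pair could also be a single step that sets the restrictive mode conventionally used for sudoers fragments, for example `install -m 0440 x2gobroker-ssh.sudo "${DESTDIR}/etc/sudoers.d/x2gobroker-ssh"`, since the mode applied by INSTALL_FILE is not shown here. The `install` recipe starts above the hunk and continues below it.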
@@ -312,6 +312,9 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low auto-detect the client-side DPI value and use that for the X2Go session. (Fixes: #834). - Add run-optional-script support to SSH broker. + - x2gobroker-ssh: When agent query mode is set to LOCAL, Execute + x2gobroker-agent via sudo as group "X2GOBROKER_DAEMON_GROUP". (Fixes: + #835). * debian/control: + Provide separate bin:package for SSH brokerage: x2gobroker-ssh. + Replace LDAP support with session brokerage support in LONG_DESCRIPTION. diff --git a/debian/rules b/debian/rules index a899e11..af8f246 100755 --- a/debian/rules +++ b/debian/rules @@ -34,7 +34,9 @@ include /usr/share/cdbs/1/class/python-distutils.mk common-binary-indep:: mkdir -p debian/tmp/usr cp pam/x2gobroker.Debian pam/x2gobroker + cp x2gobroker-ssh.sudo x2gobroker-ssh clean:: rm -f pam/x2gobroker rm -f lib/x2gobroker-agent + rm -f x2gobroker-ssh diff --git a/debian/x2gobroker-ssh.install b/debian/x2gobroker-ssh.install index dc75192..834efe0 100644 --- a/debian/x2gobroker-ssh.install +++ b/debian/x2gobroker-ssh.install @@ -1 +1,2 @@ bin/x2gobroker-ssh usr/bin/ +x2gobroker-ssh etc/sudoers.d/ diff --git a/lib/x2gobroker-agent.pl b/lib/x2gobroker-agent.pl index 0403d28..249a62d 100755 --- a/lib/x2gobroker-agent.pl +++ b/lib/x2gobroker-agent.pl @@ -31,6 +31,9 @@ if ($ENV{"SSH_ORIGINAL_COMMAND"} =~ m/\/usr\/.*\/x2go\/x2gobroker-agent\ .*/ ) { @ARGV = @ARGV[1..$#ARGV]; } +my $username=shift or die; +my $mode=shift or die; + my @available_tasks = ( "availabletasks", "addauthkey", @@ -75,6 +78,9 @@ sub InitX2GoUser #} } } + if (($ENV{"SUDO_USER"}) && ("$ENV{'SUDO_USER'}" ne "$username")) { + die "You cannot execute x2gobroker-agent for any other user except you!"; + } } sub AddAuthKey @@ -137,9 +143,6 @@ $< = $>; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{'PATH'} = '/bin:/usr/bin'; -my $username=shift or die; -my $mode=shift or die; - if($mode eq 'ping') { print "OK\n"; 
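Review bot: The SUDO_USER comparison in lib/x2gobroker-agent.pl is added at the end of `InitX2GoUser`, so it only takes effect for tasks that call that sub, and only after the sub's earlier statements (outside the hunk) have already run for `$username`. Whether every task goes through `InitX2GoUser` cannot be seen from here. This check is the only per-user restriction behind the NOPASSWD sudoers rule added in the same commit, so it belongs before any task dispatch. The first hunk already moves `my $username=shift or die;` to the top of the script, so the test can sit directly after `my $mode=shift or die;`, written as `if (defined $ENV{'SUDO_USER'} && $ENV{'SUDO_USER'} ne $username) {` followed by the existing `die` line. Using `defined` instead of a truth test also keeps the check from being skipped for a SUDO_USER value that Perl evaluates as false.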
diff --git a/x2gobroker-ssh.sudo b/x2gobroker-ssh.sudo new file mode 100644 index 0000000..f438968 --- /dev/null +++ b/x2gobroker-ssh.sudo @@ -0,0 +1,3 @@ +# Allow members of group x2gobroker-users to execute any /usr/lib/x2go/x2gobroker-agent +%x2gobroker-users ALL=(:x2gobroker) NOPASSWD: /usr/lib/x2go/x2gobroker-agent + diff --git a/x2gobroker.spec b/x2gobroker.spec index 2349217..6658515 100644 --- a/x2gobroker.spec +++ b/x2gobroker.spec @@ -765,6 +765,7 @@ fi %defattr(-,root,root) %attr(04550,x2gobroker,x2gobroker-users) %_bindir/x2gobroker-ssh %_mandir/man1/x2gobroker-ssh.1* +%_sysconfdir/sudoers.d/x2gobroker-ssh %files wsgi diff --git a/x2gobroker/agent.py b/x2gobroker/agent.py index bf7ecfe..ef6024a 100644 --- a/x2gobroker/agent.py +++ b/x2gobroker/agent.py @@ -129,11 +129,23 @@ def _call_local_broker_agent(username, task, cmdline_args=[], logger=None): if logger is None: logger = logger_broker - cmd_line = [ + cmd_line = [] + + try: + if os.stat("/usr/local/bin/x2gobroker-ssh").st_gid in os.getgroups(): + cmd_line.append(["sudo", "-g", x2gobroker.defaults.X2GOBROKER_DAEMON_GROUP]) + except OSError: + try: + if os.stat("/usr/bin/x2gobroker-ssh").st_gid in os.getgroups(): + cmd_line.extend(["sudo", "-g", x2gobroker.defaults.X2GOBROKER_DAEMON_GROUP]) + except OSError: + pass + + cmd_line.extend([ '{x2gobroker_agent_binary}'.format(x2gobroker_agent_binary=x2gobroker.defaults.X2GOBROKER_AGENT_CMD), '{username}'.format(username=username), '{task}'.format(task=task), - ] + ]) for cmdline_arg in cmdline_args: cmd_line.append('{arg}'.format(arg=cmdline_arg)) -- Alioth's /srv/git/code.x2go.org/x2gobroker.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
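Review bot: The rule in x2gobroker-ssh.sudo hard-codes the run-as group `x2gobroker` and the path `/usr/lib/x2go/x2gobroker-agent`, while the caller in x2gobroker/agent.py builds its command from `X2GOBROKER_DAEMON_GROUP` and `X2GOBROKER_AGENT_CMD`. If either setting differs from these literals the rule will not match and the sudo call will presumably prompt or fail, so the coupling should be stated in the file. The command is also listed without an argument specification, so any member of x2gobroker-users may pass an arbitrary username and task. The only restriction visible in this commit is the SUDO_USER comparison added to x2gobroker-agent.pl. I would replace the header comment with `# Members of x2gobroker-users may run x2gobroker-agent as group x2gobroker (must match X2GOBROKER_DAEMON_GROUP).` and `# Arguments are not restricted here; x2gobroker-agent itself rejects a username that differs from SUDO_USER.`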
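Review bot: In the x2gobroker/agent.py hunk the `/usr/local/bin/x2gobroker-ssh` branch calls `cmd_line.append(["sudo", "-g", ...])`, which stores a nested list as the first element of `cmd_line`, whereas the `/usr/bin` branch correctly uses `extend`. Assuming `cmd_line` is later passed to a subprocess call as an argument vector, the nested list will make that call fail; the line should read `cmd_line.extend(["sudo", "-g", x2gobroker.defaults.X2GOBROKER_DAEMON_GROUP])`. The `/usr/bin/x2gobroker-ssh` check is also only reached when the first `os.stat` raises `OSError`, so a `/usr/local/bin` copy owned by a different group suppresses the sudo prefix even when the `/usr/bin` one would qualify. `sudo` is resolved through PATH here, and the spec file shows x2gobroker-ssh installed setuid (`04550`), so an absolute path to sudo would be safer unless the environment is sanitised elsewhere. `_call_local_broker_agent` begins above the hunk and continues below it.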