This is an automated email from the git hooks/post-receive script.

x2go pushed a change to branch master
in repository x2gobroker.

      from  b4d53b6   If non-load-balanced session profiles reference a non-reachable host, hand-back the system's hostname to X2Go Client / Python X2Go.
       new  6652693   Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666).

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.

Summary of changes:
 debian/changelog      |  2 ++
 man/man1/x2gobroker.1 | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

--
Alioth's /srv/git/code.x2go.org/x2gobroker.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 6652693c1fe47dbc53f84db84fab34f70485951a Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Mon Mar 30 16:57:56 2015 +0200 Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666). --- debian/changelog | 2 ++ man/man1/x2gobroker.1 | 17 ++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 8ac74a1..a0640e5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -283,6 +283,8 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low - man pages: Update date. - If non-load-balanced session profiles reference a non-reachable host, hand-back the system's hostname to X2Go Client / Python X2Go. + - Add security notice / disclaimer to x2gbroker.1 man page as suggested + by Stefan Baur. (Fixes: #666). * debian/control: + Provide separate bin:package for SSH brokerage: x2gobroker-ssh. + Replace LDAP support with session brokerage support in LONG_DESCRIPTION. diff --git a/man/man1/x2gobroker.1 b/man/man1/x2gobroker.1 index cadb4e1..4f00a48 100644 --- a/man/man1/x2gobroker.1 +++ b/man/man1/x2gobroker.1 
@@ -108,11 +108,26 @@ Directory where stdout/stderr will be redirected after having daemonized (defaul If started as root, drop privileges to uid X2GO_DAEMON_USER and gid X2GO_DAEMON_GROUP (as configured in \fI/etc/x2go/broker/defaults.conf\fR on systemd systems or \fI/etc/defaults/python-x2gobroker\fR on SystemV systems). +.SH SECURITY NOTICE / DISCLAIMER +Users are advised to not misinterpret X2Go Session Broker's capabilites as a +security feature. Even when using X2Go Session Broker, it is still possible for +users to locally configure an X2Go Client with any settings they want, and +use that to connect. So if you're trying to keep users from running a +certain application on the host, using X2Go Session Broker to "lock" the +configuration is the *wrong* way. The users will still be able to run +that application by creating their own, local configuration file and +using that. +.PP +To keep users from running an application on the server, you have to use +\fIfilesystem permissions\fR on the X2Go Server. In the simplest case, +this means setting chmod 750 or 550 on the particular application on the +host, and making sure the users in question are not the owner and also +not a member of the group specified for the application. .SH "FILES" /etc/x2go/x2gobroker.conf, /etc/x2go/broker/* (configuration files) .PP /etc/default/python-x2gobroker, /etc/default/x2gobroker-daemon (environment for X2Go Session -Broker when run as a standalone daemon) +Broker when run as a standalone daemon via SystemV or upstart) .PP /var/log/x2gobroker/* (log files of X2Go Session Broker) .SH "SEE ALSO" -- Alioth's /srv/git/code.x2go.org/x2gobroker.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
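Review bot: The new debian/changelog entry names the page as "x2gbroker.1", but the file this commit touches is man/man1/x2gobroker.1; fix the spelling so the entry matches the file name when someone searches the changelog. The entry also does not mention the second man page change in this commit, the "via SystemV or upstart" wording in the FILES section; either list it in the changelog or move it to its own commit, since it is unrelated to the security notice.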
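Review bot: In the added SECURITY NOTICE / DISCLAIMER section of man/man1/x2gobroker.1, "capabilites" is misspelled and *wrong* uses literal asterisks, which man prints verbatim; use "capabilities" and \fBwrong\fR, in line with the \fI...\fR markup already used for "filesystem permissions". The chmod 750 or 550 advice depends on the "other" permission bits being cleared, so it would help to say that explicitly next to the owner and group conditions. Separately, the unchanged context at the top of the hunk gives the SystemV path as /etc/defaults/python-x2gobroker while the FILES section lists /etc/default/python-x2gobroker; the two should agree.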