On 22.04.20 at 18:20, Vladislav Kurz wrote:
[skipping the rbash part because I haven't really used that ever]
> I also found a nice feature "published applications" <https://wiki.x2go.org/doku.php/wiki:advanced:published-applications>. It would be nice if the x2go server had a config option allowing users to run only the "published applications", or use some other list of allowed commands.
That is impossible.
X2Go follows the Unix principle: Do *one* thing, and do it right.
The one place where you define which users are allowed to run applications is the file system and its executable permissions.
Anything X2Go would try to place on top of that would be bound to fail, as it can easily be bypassed by a user running X2Go with a custom configuration, or SSHing into the machine with ssh -X, thus bypassing X2Go entirely.
A bit more than 5 years ago, in
<https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=666>
I wrote:
SECURITY NOTICE
Users are advised to not misinterpret X2GoServer's Published Application Mode as a security feature. Even when using Published Application Mode, it is still possible for users to locally configure an X2GoClient with any setting they want, and use that to connect. So if you're trying to keep users from running a certain application on the host, using Published Application Mode to "lock" the configuration is the *wrong* way. The users will still be able to run that application by creating their own, local configuration file and using that. To keep users from running an application on the server, you have to use *filesystem permissions*. In the simplest case, this means setting chmod 750 or 550 on the particular application on the host, and making sure the users in question are not the owner and also not a member of the group specified for the application.
This still stands. It seems, however, like that notice only got appended to the X2GoBroker man page, but nowhere to X2GoServer's documentation.
-Stefan
-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register Court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
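The filesystem-permission rule from the security notice above can be checked mechanically. The following is an added example, not part of the original mail or of X2Go: the function names `may_exec` and `audit_exec`, the users and the uid/gid values are hypothetical, `stat -c` assumes GNU coreutils, and only classic mode bits are evaluated (no ACLs, capabilities or `noexec` mounts).

```shell
#!/bin/sh
# Classic Unix mode-bit check: exactly one class applies to a user.
# Owner is tested first, then group, then other; a denied earlier class
# is NOT rescued by a later one (mode 705 denies group members).

# may_exec MODE FILE_UID FILE_GID USER_UID "USER_GIDS" -> 0 if exec allowed
may_exec() {
    m=$(( 0$1 )); fu=$2; fg=$3; uu=$4; ug=$5   # MODE is octal, e.g. 750
    if [ "$uu" -eq 0 ]; then
        # root skips the class check but still needs some x bit set
        [ $(( m & 0111 )) -ne 0 ]; return
    fi
    if [ "$uu" -eq "$fu" ]; then
        [ $(( m & 0100 )) -ne 0 ]; return      # owner class
    fi
    for g in $ug; do
        if [ "$g" -eq "$fg" ]; then
            [ $(( m & 0010 )) -ne 0 ]; return  # group class
        fi
    done
    [ $(( m & 0001 )) -ne 0 ]                  # other class
}

# audit_exec USER PATH: same check against a real file and account.
audit_exec() {
    # word splitting of stat's output into mode, uid, gid is intentional
    may_exec $(stat -c '%a %u %g' "$2") "$(id -u "$1")" "$(id -G "$1")"
}

# Constructed sample: an application owned by root:appusers (uid 0, gid 50).
# alice is in no relevant group; bob is a member of gid 50.
for perm in 755 750 550; do
    for entry in "alice 1001 1001" "bob 1002 1002 50"; do
        set -- $entry; name=$1; uid=$2; shift 2
        if may_exec "$perm" 0 50 "$uid" "$*"; then r=allowed; else r=denied; fi
        echo "mode $perm: $name $r"
    done
done
```

On a real host, `audit_exec someuser /path/to/application` performs the same check with the values reported by `stat` and `id`.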