Am 04.05.20 um 16:36 schrieb Ulrich Sibiller:
Well, there a things a user requires for the app to run but must now get into his hands. Think about a special plugin that does some calculation. Or think about a license file that he requires for his application to start. Believe me, license-wise you'll find the oddest conditions where chmod'ing them away is not an option (we had one license software that requires the user to have WRITE access to the license file...).
That's third-party stupidity. Here, however, the issue is with their very own "product" design.
[...]
Well, depending on the app this might be possible - or not.
- the application cannot start other apps like an xterm or a shell on user request
And that is particularly hard, as experience shows. Even a "file chooser" dialog from a standard GUI toolkit that you use for selecting a data file will usually offer you a right-click option with "execute".
Well, I have not seen "execute" yet, but I have seen "open in file manager" and the like. This could be covered with SELinux.
Messy, messy, messy.
Navigate to the xterm binary (path traversal via ../../../ and the like is another problem to keep in mind, even if you're able to hide critical directories from view) and there's your shell. One such item that you forget about, and boom - you've been exploited.
Like in every other situation you are not safe if there are bugs in the software. So this is - with the exception of the x2go code itself
- negligible here.
Not so fast. This is code that is usually not part of the application itself, but part of a framework like Qt. You're importing their bugs.
[...]
Yes, that risk is always there. Putting your data at a network attached machines brings them to risk. You as the user decide if you are ready to take the risk or not.
The situation here is a bit different: The *user* totally doesn't mind if the intellectual property is available like that. The owner, however, does ...
Then all we'd need was
- a restricted ssh-key that only allows for the commands that are required for the x2go session handling
Which doesn't work out of the box. You can specify exactly one command. To be able to use more than one, you need a wrapper script on the host that is set as forced command, which then parses $SSH_ORIGINAL_COMMAND. These scripts are notoriously bad to maintain, error-prone, and while they work with scripted commands (e.g. running an automated rsync job with varying target directories), they suck hard for interactive use.
Well, there's no interactive use here, it is just the session setup. I have written such scripts. It is doable.
Then there's an update to the X2Go package that introduces a subtle change, and boom, your script fails. Users start to complain and you are in a hurry to find out what the cause is. Chances are that in your panic, you don't think of the wrapper as the probable culprit.
It's a royal pain in the ass. I've been there. Which is why my statement stands:
To me, it sounds like a horrible kludge that is bound to collapse rather sooner than later, and it would only offer a false sense of security.
Well, as long as you know what your application can do and what not it should be handable.
And here's the next catch: They intend to use Libreoffice as their single published application. Which allows the user to write their own macros in Libreoffice Basic. Which allows them to read binary files and do things with them. Like convert them to a bunch of QR codes and display them. So to do the things that need to be done, they (the owners) are depending on an executable which the user can do so much more with than they want it to do. And there's no way to limit that, other than to refrain from using Libreoffice as a front-end.
-Stefan
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243