On Sunday, 3 May 2020 22:41:31 CEST, Stefan Baur wrote:
On 22.04.20 at 18:20, Vladislav Kurz wrote:
[skipping the rbash part because I haven't really used that ever]
I also found a nice feature "published applications" https://wiki.x2go.org/doku.php/wiki:advanced:published-applications It would be nice, if the x2go server had a config option, allowing users to run only the "published applications", or use some other list of allowed commands.

That is impossible.
X2Go follows the Unix principle: Do *one* thing, and do it right.
The one place where you define which users are allowed to run applications is the file system and its executable permissions.
Hello,
that's what I tried - limit execution by permissions, or using rbash - in short it is a bash that allows you to run only executables in your $PATH. But I failed. x2go itself requires executable permissions on a lot of stuff to set up the session. Is there any authoritative source on what executables are required for x2go to work?
What we need is to block users from copying files from the x2go server. So we have to deny /bin/cat or /bin/dd to be invoked via ssh. But x2go will not connect without /bin/cat being executable.
Anything X2Go would try to place on top of that would be bound to fail, as it can easily be bypassed by a user running X2Go with a custom configuration, or SSHing into the machine with ssh -X, thus bypassing X2Go entirely.
Would it be possible to make some sort of wrapper that could be set as the user's shell that will allow only establishing an x2go session? Something like setting x2goruncommand as the user's shell? Something like scponly. Then one could focus on blocking only x-applications like xterm, etc.
Best Regards
Vladislav Kurz
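The allowlist check at the core of an scponly-style wrapper, as asked about in the message above, written as an added example that is not code from the thread or from the X2Go project. The command names in `X2GO_ALLOWED` are an assumption, not an authoritative list of what an X2Go session needs, and the sample command lines are constructed.

```shell
#!/bin/sh
# Decision logic for a restricted login shell or sshd forced command.
# sshd runs a login shell as "<shell> -c '<command>'"; with a forced command
# the client's request is in SSH_ORIGINAL_COMMAND. Either string would be
# passed to x2go_cmd_allowed before anything is executed.

# ASSUMPTION: illustrative allowlist only. The thread does not establish
# which executables an X2Go session really requires.
X2GO_ALLOWED="x2gostartagent x2goresume-session x2gosuspend-session \
x2goterminate-session x2golistsessions x2goruncommand"

# Returns 0 if the requested command line may run, 1 otherwise.
x2go_cmd_allowed() {
    cmd=$1
    # Deny empty requests and any character outside a conservative set.
    # This rejects ; | & $ ` ( ) < > quotes and newlines, so a permitted
    # program name cannot be used to chain a second command.
    case $cmd in
        ''|*[!A-Za-z0-9\ ._:=,@/+-]*) return 1 ;;
    esac
    prog=${cmd%% *}            # first word of the request
    # Deny explicit paths: a user-writable directory could hold a file
    # that merely carries an allowed name.
    case $prog in
        */*) return 1 ;;
    esac
    for ok in $X2GO_ALLOWED; do
        [ "$prog" = "$ok" ] && return 0
    done
    return 1
}

# Constructed sample requests, printed with the verdict for each.
for sample in \
    'x2golistsessions' \
    'x2goruncommand arg1 arg2' \
    'cat /srv/project/report.odt' \
    'x2golistsessions; dd if=/srv/project/report.odt' \
    '/tmp/x2golistsessions'
do
    if x2go_cmd_allowed "$sample"; then verdict=ALLOW; else verdict=DENY; fi
    printf '%-5s %s\n' "$verdict" "$sample"
done
```

A check like this only governs what is started over ssh; it does not restrict what an allowed program does once it is running.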