Hello Oleksandr,
Please understand that I am trying to offer constructive criticism. Any time I see something that runs as root, I try to figure out why, and if possible run it as a non-privileged user. From a sysadmin point of view, I would much prefer that a piece of software that I install create a new user on my system than allow any user to run a script as root.
I see what you mean with the shadow sessions. May I suggest a second wrapper script for cases like this?
User permissions and security are rarely simple, and safeguards can quickly overwhelm the original scope of the situation. Sometimes all we can do is minimize the risk/exposure, and that is all I am looking to do here.
Thank you for your hard work on x2go.
-rob
On Tue, Oct 5, 2010 at 12:37 AM, Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> wrote:
Hello Rob, list
In multi-user environment session informations of all users are stored in one data base table. If we granting access to this table for all users, each user will be able to view or change data of other users, that's unacceptable. Using sudo we can give access for user only to his own data. It's simplest way we have found to protect data of other users. In postgresql we could use views, but not all DBMS have such mechanisms. We cannot although create single table for every user, because all users should know which DISPLAYs/ports are currently in use by other users.
Rob you are right. The user which execute sql queries not necessarily should be root. As you can see, in x2gopgwrapper.local all queries are executed with user postgres. We could make same changes in x2gopgwrapper_local and x2gopgwrapper_net, but wee need to add a new user into a system (as user "x2go" in your example). Unfortunately since x2goserver version 3_0.1-9 (http://x2go.obviously-nice.de/deb/pool-heuler/x2goserver/) there is one more reason to run x2gopgwrapper as root. Running with argument "startshadowagent" x2gopgwrapper should start x2gostartagent as user which desktop will be displayed. I don't see the simple way to do this without root privileges.
Rob Lemley schrieb:
Hey John,
I double-triple checked again, and tried a session myself that mounted my desktop with my changes. No issues.
The only script that gets called with sudo is x2gopgwrapper. It's the only script that can get called as it's the only entry added to the sudoers file.
x2gopgwrapper calls one of x2pgwrapper_local, x2pgwrapper_sqlite, or x2pgwrapper_net. That's all it does. Those scripts are a giant case blocks that only runs sql queries against a database. In the case of sqlite you need to assume the id of the sqlite database file owner. (I thought about making the file group-writable, but chose not to go that direction. With the sudoers entry and the script there's some level of protection from average-joe user mangling the database.) As for postgres, it's the same idea. It can authenticate by userid with the right entry in pg_hba.conf (?? right filename??)
The mounting and unmounting seems to be done through fuse so the only privilege needed is to be a member of the fuse group. The x2gocleansessions process started by init will unmount a fuse mounted directory if it finds a stale session, but that is running as root so there's no issue there.
Enjoy the rest of your getaway!
-rob
<snip> On Sat, Oct 2, 2010 at 9:56 AM, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
<snip> Hi, Rob. I'm on a getaway with the family and "sneaking" this in so I may be remembering the details incorrectly :)
You may want to trace all the other scripts which are invoked as part of the process, especially x2gomount_sessions and x2goumount_sessions. These may need root access - I'm not sure - John
Hey John,
X2go-dev mailing list X2go-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
-- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
X2go-dev mailing list X2go-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev