Hi, Morning,
I am testing PyHoca. One of the problems a came around is, that the client checks whether I am in the x2go group - which I'm not. I also noticed that some other security-checks are done in the client. I believe this is dangerous, because administrators might think that these are real security checks, while they can easily be circumvented. I believe these check must be done server-side. That way they can also easily be adjusted by administrators.
Besides that, one of our admins did quite a few security patches to avoid x2gowrapper having to run as root. At the moment this only works for Postgres. None the less I must say that I'm not happy running x2gowrapper, which is easy to exploit using SQL-Injections, as root. It should at least do a "sudo -u x2go" or similar. This user only needs access to the database. That way worst case the db is corrupted and not the whole system.
Cheers Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty