Hello x2go devs,
I've noticed that although you seem to have solved the security flaws in the database access the preinst script in the repository for lenny [1] has not been updated since late 2009. It still contains the command to give all users sudo root permissions on the x2togowrapper.
I would appreciate knowing some kind of time frame for when you are planning to integrate the update into your repository, because we're planning to install x2go on around 50 hosts of a PC pool at the RWTH Aachen University. Since we do not want to go through the process of checking out new sources, building them and installing them now and then on every machine, we would like to use the deb-repository with apt-get and not some git based source repository.
Furthermore I've got a rather special question. On a current test-system we have replaced the x2gousers group by a custom group that each user who should be allowed to use x2go is already included in. We have decided to do so because we do not want to add additional groups. Since you are going to change this specific line in the sudoers file, I wonder if this is still possible. If you are just replacing the semantics of "everybody in x2gousers gets root for /usr/bin/x2gopgwrapper" by "everybody in x2gousers gets $someSpecialX2goUser for /usr/bin/x2gopgwrapper" (where $someSpecialX2goUser is a user that is just allowed to access the databases) this should be easily possible, shouldn't it?
And last but not least: You're doing a very good piece of work :)
Thanks in advance for your help.
With regards,
Kevin Möllering
[1] http://x2go.obviously-nice.de/deb/pool-lenny/x2goserver/
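The sudoers change Kevin asks about, written out as an added illustration (this is not the rule from the x2go preinst, which is not shown on this page; the rule form, the database account name x2godb and the group name poolusers are assumptions):

```sudoers
# Rule as described in the mail above (assumed form): every member of
# x2gousers may run the wrapper as root without a password.
%x2gousers ALL=(root) NOPASSWD: /usr/bin/x2gopgwrapper

# Replacement with the semantics Kevin describes: same command, same group,
# but the target user is a dedicated, unprivileged database account
# ("x2godb" is a placeholder name).
%x2gousers ALL=(x2godb) NOPASSWD: /usr/bin/x2gopgwrapper

# Site-local variant that reuses an existing group instead of x2gousers
# ("poolusers" is a placeholder).
%poolusers ALL=(x2godb) NOPASSWD: /usr/bin/x2gopgwrapper
```

Two things to check before rolling this out: validate the file with `visudo -c` and confirm the effective rule for a pool user with `sudo -l -U <user>`, and remember that a runas change must be matched on the calling side, i.e. the code that currently invokes the wrapper as root has to invoke it as the new user (`sudo -u x2godb /usr/bin/x2gopgwrapper ...`). Note also that running the wrapper as a database user lowers what an argument injection into the wrapper can reach (the database instead of /etc/shadow); it does not remove the injection itself, which still has to be fixed in the wrapper.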
Mike Gabriel wrote:
Hi Alex,
On Thu 20 Jan 2011 17:26:28 CET "John A. Sullivan III" wrote:
On 20.01.2011 15:39, Alexander Wuerstlein wrote:
Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable to get root in 2 ways:
- in the current git version, set 'startshadowagent' as the first parameter. Choose the 11th parameter in a way such that SHADOW_USER is set to 'root'. Set the second parameter ($CLIENT) to something like 'foo ; rm -fr /'. Profit.
- in the git as well as the stable version, when the database is sqlite: the x2gopgwrapper_sqlite runs as root meaning that any sql injection into sqlite would run as root. One possible injection would set the sqlite output file to /etc/shadow (via .output /etc/shadow) and overwrite it with a customized version including a new root password chosen by the attacker. Profit.
On Thu, 2011-01-20 at 16:17 +0100, Oleksandr Shneyder wrote:
I see, thank you Alexander. We'll fix it as quickly as possible. Regards,
<snip>
It has probably been roughly a year but I had posted some changes we made because we were very uncomfortable calling PostgreSQL as postgres. In fact, we combined it with our vserver work and eventually used user based schemas so we could use a single database for any number of X2Go Servers - John
John sent these patches (with docs!!!) to the list on 20100702. I had taken a look at them then and they looked quite promising. They are definitely worth looking at to address this issue.
Cheerio, Mike
X2go-dev mailing list X2go-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
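The two failure modes Alexander describes above (an unquoted caller-supplied value such as $CLIENT being re-parsed by a shell, and caller-supplied text reaching an sqlite3 prompt where a dot-command like .output can redirect output) come down to the same pattern: untrusted arguments pasted into a string that another interpreter re-parses. The following is an added example, not x2go's code, that reproduces the shell side of that pattern in harmless form next to the hardened form, and adds the two checks a hardened wrapper would make before acting as a privileged user. The function names, the allowed character set and the shadow-user rule are assumptions of this example, not x2go's.

```sh
#!/bin/sh
# Added example (not from the x2go project). Names are hypothetical.

# Vulnerable pattern: the caller's value is pasted into a command string
# and re-parsed by a shell, so "foo; echo INJECTED" runs a second command.
# (A value like "foo ; rm -fr /" would do the same with worse effect.)
vuln_run() {
    sh -c "printf '%s\n' $1"
}

# Hardened pattern: the value is passed as a positional parameter and is
# only ever expanded inside double quotes, so it cannot become a command.
safe_run() {
    sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Allow-list check for values that still have to be concatenated into a
# string some other tool re-parses (for example an SQL statement handed
# to sqlite3): only [A-Za-z0-9._-] is accepted, so ";", whitespace, quotes
# and a leading ".output ..." dot-command are rejected before they get there.
is_safe_token() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A session-shadowing target must pass the token check and must not be
# root, checked by name and, if the account exists locally, by uid 0.
is_allowed_shadow_user() {
    is_safe_token "$1" || return 1
    [ "$1" != root ] || return 1
    if uid=$(id -u "$1" 2>/dev/null); then
        [ "$uid" -ne 0 ] || return 1
    fi
    return 0
}

# Demonstration:
vuln_run 'foo; echo INJECTED'   # prints "foo" and then "INJECTED": a second command ran
safe_run 'foo; echo INJECTED'   # prints the literal string on one line
is_allowed_shadow_user root || echo 'shadow target root rejected'
```

Checks of this kind only reduce the blast radius of the wrapper's own parsing; they are not a substitute for the fix Oleksandr promises, and on their own they do nothing about the sqlite3 case unless every value that reaches the SQL string passes through the allow-list.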