On Mon, Jul 18, 2011 at 15:04:59 (CEST), Mike Gabriel wrote:
Then we should also make sure, no one can su to the x2gouser, shouldn't we? Or at least make sure that x2gouser cannot change permissions on that file? How that?
Something like this should do it:
-r-sr-sr-x 1 x2gouser x2gousers 5388 2011-07-18 00:12 /usr/bin/x2gosqlitewrapper* -rwxr-xr-x 1 root root 10094 2011-07-18 00:02 /usr/lib/x2go/x2gosqlitewrapper.pl*
btw, this commit seems very wrong to me: http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=82c6545adef362a9...
The real uid must never be the same as the effective user id. How else is the script supposed to find out what what user called the script? The point of the script is to ensure that each user can only add and remove entries for their *own* sessions, and cannot muck around with sessions from other users, doesn't it?
Your patch removed a very important saftey sanity check. If you removed it because it failed for you, then you now have allowed every user to delete any session, even from other users. Or even worse.
-- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4