On 11-01-20 14:48, Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de> wrote:
On 11-01-20 11:06, Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> wrote:
Am 20.01.2011 10:24, schrieb Moritz Struebe:
Hi, Morning,
Besides that, one of our admins did quite a few security patches to avoid x2gowrapper having to run as root. At the moment this only works for Postgres. None the less I must say that I'm not happy running x2gowrapper, which is easy to exploit using SQL-Injections, as root. It should at least do a "sudo -u x2go" or similar. This user only needs access to the database. That way worst case the db is corrupted and not the whole system. You are quite right about pgwrapper. Changing "sudo" to "sudo -u x2go" is on top of our todo list and will be made in the next version of x2goserver. But I don't think, that it is so easy to use x2gowrapper to do something bad with a system. Sure, if you can show me a working exploit, I will put all other things I have to do on ice and concentrate on this problem. In all cases I'll change behavior of x2goserver very soon. Also, in /usr/bin/x2golistsessions line 31, the perl system() function is used together with sudo in an insecure way. I'm currently not totally sure, how this can be used to execute arbitrary commands as root but it surely looks very suspicious.
Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable to get root in 2 ways:
Ciao,
Alexander Wuerstlein.