Hi all, I have had another look at x2godesktopsharing and I would propose a change of group membership for users who are allowed to use x2godesktopsharing. Formerly, this was group ,,x2gousers''. I would like to propose a rename to ,,x2godesktopsharing''. A patch for this is attached below. A possible question is if we want to migrate users in group x2gousers to this group during package upgrade. Greets, Mike ------------------------- commit 4cf4a0b2dad35e92ddaac712c9d2b6f513cd4a46 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Aug 2 15:18:54 2011 +0200 System group for x2godesktopsharing change from x2gousers -> x2godesktopsharing. diff --git a/debian/changelog b/debian/changelog index b8c5bf1..7d7a7eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,8 @@ x2godesktopsharing (3.0.1.3-0~x2go1) UNRELEASED; urgency=low * Fix incomplete DENY statement in main.cpp. + * System group for x2godesktopsharing change from x2gousers -> + x2godesktopsharing. -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Mon, 13 Jun 2011 20:39:33 +0200 diff --git a/debian/x2godesktopsharing.postinst b/debian/x2godesktopsharing.postinst index 2f7b721..1d55fba 100755 --- a/debian/x2godesktopsharing.postinst +++ b/debian/x2godesktopsharing.postinst @@ -22,10 +22,10 @@ set -e case "$1" in configure) - X2GOGRP=`getent group | grep x2gousers` + X2GOGRP=`getent group | grep x2godesktopsharing` if [ "x$X2GOGRP"="x" ] then - addgroup --system x2gousers + addgroup --system x2godesktopsharing fi ;; diff --git a/sharetray.cpp b/sharetray.cpp index 7fe23f0..9f42997 100644 --- a/sharetray.cpp +++ b/sharetray.cpp @@ -215,7 +215,7 @@ void ShareTray::slotStartSharing() if ( serverSocket->listen ( socketFname ) ) { - chown ( socketFname.toAscii(),getuid(),getgrnam ( "x2gousers" )->gr_gid ); + chown ( socketFname.toAscii(),getuid(),getgrnam ( "x2godesktopsharing" )->gr_gid ); QFile::setPermissions ( socketFname, QFile::ReadOwner|QFile::WriteOwner|QFile::ReadGroup|QFile::WriteGroup ); connect ( serverSocket,SIGNAL ( newConnection() ), -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop? Cheers Morty On 2011-08-02 15:24, Mike Gabriel wrote:
Hi all,
I have had another look at x2godesktopsharing and I would propose a change of group membership for users who are allowed to use x2godesktopsharing. Formerly, this was group ,,x2gousers''. I would like to propose a rename to ,,x2godesktopsharing''.
A patch for this is attached below.
A possible question is if we want to migrate users in group x2gousers to this group during package upgrade.
Greets, Mike
commit 4cf4a0b2dad35e92ddaac712c9d2b6f513cd4a46 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Aug 2 15:18:54 2011 +0200
System group for x2godesktopsharing change from x2gousers ->x2godesktopsharing.
diff --git a/debian/changelog b/debian/changelog index b8c5bf1..7d7a7eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,8 @@ x2godesktopsharing (3.0.1.3-0~x2go1) UNRELEASED; urgency=low
- Fix incomplete DENY statement in main.cpp.
- System group for x2godesktopsharing change from x2gousers ->
- x2godesktopsharing.
-- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Mon, 13 Jun 2011 20:39:33 +0200
diff --git a/debian/x2godesktopsharing.postinst b/debian/x2godesktopsharing.postinst index 2f7b721..1d55fba 100755 --- a/debian/x2godesktopsharing.postinst +++ b/debian/x2godesktopsharing.postinst @@ -22,10 +22,10 @@ set -e
case "$1" in configure)
- X2GOGRP=`getent group | grep x2gousers`
- X2GOGRP=`getent group | grep x2godesktopsharing` if [ "x$X2GOGRP"="x" ] then
addgroup --system x2gousers
addgroup --system x2godesktopsharingdiff --git a/sharetray.cpp b/sharetray.cpp index 7fe23f0..9f42997 100644 --- a/sharetray.cpp +++ b/sharetray.cpp @@ -215,7 +215,7 @@ void ShareTray::slotStartSharing() if ( serverSocket->listen ( socketFname ) ) {
chown ( socketFname.toAscii(),getuid(),getgrnam ( "x2gousers"
chown ( socketFname.toAscii(),getuid(),getgrnam (QFile::ReadOwner|QFile::WriteOwner|QFile::ReadGroup|QFile::WriteGroup ); connect ( serverSocket,SIGNAL ( newConnection() ),
X2go-Dev mailing list X2go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
Hi Morty,
On Di 02 Aug 2011 15:28:57 CEST Moritz Struebe wrote:
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop?
the desktopsharing is a tricky feature anyway as it grants many ways
for a user who is allowed to share another's desktop to manipulate the
user profile.
My main reason for the name change is to still get rid of the original
x2gousers group per se. Now that the group has been removed from
x2goserver it seems confusing to me to reintroduce it with
x2godesktopsharing. I'd rather see a group name here that reflects the
use case (i.e. be allowed to share an X2go desktop).
Thanks, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On 2011-08-02 15:41, Mike Gabriel wrote:
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop?
the desktopsharing is a tricky feature anyway as it grants many ways for a user who is allowed to share another's desktop to manipulate the user profile.
None the less - the user must grant access before someone else can access his/her session - if I remember right. My main intention: Do we need this group at all - or does it bring more trouble then help. We must also check, whether this script introduces false security by checking something that can easily be circumvented. I have not looked into it, but I have the feeling that this might be the case.
Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
On Tue, Aug 02, 2011 at 15:41:55 (CEST), Mike Gabriel wrote:
Hi Morty,
On Di 02 Aug 2011 15:28:57 CEST Moritz Struebe wrote:
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop?
the desktopsharing is a tricky feature anyway as it grants many ways for a user who is allowed to share another's desktop to manipulate the user profile.
This sounds to me as desktop sharing was a somewhat insecure feature anyway. In this case, why do you rely on a system group instead of for instance maintaining a /etc/x2go/allowdesktopshareing.users file that contains all users that are allowed to use the feature?
-- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4
Hi,
On Di 02 Aug 2011 16:46:56 CEST Reinhard Tartler wrote:
On Tue, Aug 02, 2011 at 15:41:55 (CEST), Mike Gabriel wrote:
Hi Morty,
On Di 02 Aug 2011 15:28:57 CEST Moritz Struebe wrote:
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop?
the desktopsharing is a tricky feature anyway as it grants many ways for a user who is allowed to share another's desktop to manipulate the user profile.
This sounds to me as desktop sharing was a somewhat insecure feature anyway. In this case, why do you rely on a system group instead of for instance maintaining a /etc/x2go/allowdesktopshareing.users file that contains all users that are allowed to use the feature?
x2godesktopsharing falls into a daemon (in user space) and a client
(the systray)--I think it is this way around. And these two
communicate via a socket file. And the write access is granted by
group membership. No group membership, no desktop access.
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On Tue, 2011-08-02 at 16:59 +0200, Mike Gabriel wrote:
Hi,
On Di 02 Aug 2011 16:46:56 CEST Reinhard Tartler wrote:
On Tue, Aug 02, 2011 at 15:41:55 (CEST), Mike Gabriel wrote:
Hi Morty,
On Di 02 Aug 2011 15:28:57 CEST Moritz Struebe wrote:
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop?
the desktopsharing is a tricky feature anyway as it grants many ways for a user who is allowed to share another's desktop to manipulate the user profile.
This sounds to me as desktop sharing was a somewhat insecure feature anyway. In this case, why do you rely on a system group instead of for instance maintaining a /etc/x2go/allowdesktopshareing.users file that contains all users that are allowed to use the feature?
x2godesktopsharing falls into a daemon (in user space) and a client
(the systray)--I think it is this way around. And these two
communicate via a socket file. And the write access is granted by
group membership. No group membership, no desktop access.Greets, Mike <snip> I haven't thought it through thoroughly but I believe what you propose makes sense. Allowing it to be disabled allows one to shut down the social engineering vector. Yes, users need to grant access but they also do when they should not - John
On 2011-08-02 16:59, Mike Gabriel wrote:
x2godesktopsharing falls into a daemon (in user space) and a client (the systray)--I think it is this way around. And these two communicate via a socket file. And the write access is granted by group membership. No group membership, no desktop access.
...so why don't we reuse the technique used for the data sqlite database: Allow executing the appropriate scripts using the x2gouser-group. These scripts can check whether the user my access that file.
Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
Hi Morty,
On Di 02 Aug 2011 17:59:37 CEST Moritz Struebe wrote:
On 2011-08-02 16:59, Mike Gabriel wrote:
x2godesktopsharing falls into a daemon (in user space) and a client (the systray)--I think it is this way around. And these two communicate via a socket file. And the write access is granted by group membership. No group membership, no desktop access.
...so why don't we reuse the technique used for the data sqlite database: Allow executing the appropriate scripts using the x2gouser-group. These scripts can check whether the user my access that file.
Basically yes, do you have time for implementing this? It is not
trivial and x2godesktopsharing needs some bugs to be fixed anyway. So
my basic feeling is: let's postpone that after Baikal release and find
an intermediate solution that does not conflict with latest
x2goserver...
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On 2011-08-02 21:41, Mike Gabriel wrote:
..so why don't we reuse the technique used for the data sqlite database: Allow executing the appropriate scripts using the x2gouser-group. These scripts can check whether the user my access that file.
Basically yes, do you have time for implementing this? It is not trivial and x2godesktopsharing needs some bugs to be fixed anyway. So my basic feeling is: let's postpone that after Baikal release and find an intermediate solution that does not conflict with latest x2goserver...
As I'm not using desktop sharing I do not care too much (Improving pulse is a more important issue for me). So yes, I think adding the group x2godesktopsharing is ok, as long as it is pointed out, that there might be a security risk of someone in that group exploiting desktop sharing.....
Cheers Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
Hi Alex, Heinz,
On Mi 03 Aug 2011 09:27:20 CEST Moritz Struebe wrote:
On 2011-08-02 21:41, Mike Gabriel wrote:
..so why don't we reuse the technique used for the data sqlite database: Allow executing the appropriate scripts using the x2gouser-group. These scripts can check whether the user my access that file.
Basically yes, do you have time for implementing this? It is not trivial and x2godesktopsharing needs some bugs to be fixed anyway. So my basic feeling is: let's postpone that after Baikal release and find an intermediate solution that does not conflict with latest x2goserver...
As I'm not using desktop sharing I do not care too much (Improving pulse is a more important issue for me). So yes, I think adding the group x2godesktopsharing is ok, as long as it is pointed out, that there might be a security risk of someone in that group exploiting desktop sharing.....
Any opinion on this???
Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
-
John A. Sullivan III -
Mike Gabriel -
Moritz Struebe -
Reinhard Tartler