Hello list,
I've made some small changes in cups-x2go to make it work with the actual version of x2goserver. The changes are already in GIT.
@Mike: the preinst script of the obsolete package "x2goprint" modified the sudoers file to allow user x2goprint to execute the program "/usr/bin/x2goprint". This script also added a user x2goprint to the system:
#useradd -s /bin/bash -d /var/spool/x2goprint/ -r x2goprint
#mkdir /var/spool/x2goprint/
#chown x2goprint /var/spool/x2goprint/
#chmod 700 /var/spool/x2goprint/
Now the user has to do this job himself. The creation process of x2goprint is not documented in our wiki. This process should be well documented or done by some configuration script.
Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
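The four manual steps listed in the message above, written as an idempotent script with a verification check that runs without privileges. This is an added example, not part of the original post or of the X2Go packages; the function names and the `--setup` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: not from the thread or from the X2Go packages.
# setup_spool repeats the four manual steps idempotently (needs root);
# verify_spool checks the result and needs no privileges.
# Function names and the --setup argument are illustrative assumptions.

SPOOL_USER="x2goprint"
SPOOL_DIR="/var/spool/x2goprint"

# verify_spool DIR USER
# USER is a login name or a numeric UID. Returns 0 only if DIR is a real
# directory (not a symlink), owned by USER, with mode exactly 700.
verify_spool() {
    dir=$1
    user=$2
    case $user in
        ''|*[!0-9]*) want_uid=$(id -u "$user" 2>/dev/null) || {
                      echo "FAIL: no such user: $user" >&2; return 1; } ;;
        *)           want_uid=$user ;;
    esac
    if [ -L "$dir" ]; then echo "FAIL: $dir is a symlink" >&2; return 1; fi
    if [ ! -d "$dir" ]; then echo "FAIL: $dir is not a directory" >&2; return 1; fi
    have_uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$have_uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $have_uid, expected $want_uid" >&2; return 1
    fi
    if [ "$mode" != "700" ]; then
        echo "FAIL: $dir has mode $mode, expected 700" >&2; return 1
    fi
    return 0
}

# setup_spool: create the system user only if it is missing, then
# (re)apply ownership and mode so a second run changes nothing.
setup_spool() {
    if ! getent passwd "$SPOOL_USER" >/dev/null; then
        useradd -s /bin/bash -d "$SPOOL_DIR" -r "$SPOOL_USER" || return 1
    fi
    mkdir -p "$SPOOL_DIR" || return 1
    chown "$SPOOL_USER" "$SPOOL_DIR" || return 1
    chmod 700 "$SPOOL_DIR" || return 1
    verify_spool "$SPOOL_DIR" "$SPOOL_USER"
}

if [ "${1:-}" = "--setup" ]; then
    setup_spool
fi
```
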
Hi Alex,
On Thu 25 Aug 2011 14:23:54 CEST Oleksandr Shneyder wrote:
Hello list,
I've made some small changes in cups-x2go to make it work with the actual version of x2goserver. The changes are already in GIT.
Thanks for doing this!!! I'll take a look, build intermediate packages
and put the below issues on my todo.
Now the user has to do this job himself. The creation process of x2goprint is not documented in our wiki. This process should be well documented or done by some configuration script.
I am basically always for auto configuration by script (TODO -> Mike),
but we should not again manipulate the sudoers file. People do not
like that...
Shall we think about a setgit solution as well?
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On 25.08.2011 14:48, Mike Gabriel wrote:
Hi Alex,
On Thu 25 Aug 2011 14:23:54 CEST Oleksandr Shneyder wrote:
Hello list,
I've made some small changes in cups-x2go to make it work with the actual version of x2goserver. The changes are already in GIT.
Thanks for doing this!!! I'll take a look, build intermediate packages and put the below issues on my todo.
Now the user has to do this job himself. The creation process of x2goprint is not documented in our wiki. This process should be well documented or done by some configuration script.
I am basically always for auto configuration by script (TODO -> Mike), but we should not again manipulate the sudoers file. People do not like that...
Shall we think about a setgit solution as well?
Greets, Mike
Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
Hi Alex,
On Thu 25 Aug 2011 14:57:27 CEST Oleksandr Shneyder wrote:
Shall we think about a setgit solution as well?
do you mean "setuid"?
No, setgid (sorry for the typo). We have changed x2goserver in a way
that it now uses a setgid flag as opposed to a setuid flag.
Refer to this: http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=96655427f63bf17c...
And later commits as well as to this x2go-dev discussion: http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=gmane++x2goserver+package+with+setuidwrapper
Greets, Mike
On 25.08.2011 15:07, Mike Gabriel wrote:
Hi Alex,
On Thu 25 Aug 2011 14:57:27 CEST Oleksandr Shneyder wrote:
Shall we think about a setgit solution as well?
do you mean "setuid"?
No, setgid (sorry for the typo). We have changed x2goserver in a way that it now uses a setgid flag as opposed to a setuid flag.
Refer to this: http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=96655427f63bf17c...
And later commits as well as to this x2go-dev discussion: http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=gmane++x2goserver+package+with+setuidwrapper
Greets, Mike
X2go-Dev mailing list X2go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
x2goprint should be able to execute "su $user" to put a job file in spool directory.
-- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
Hi Alex,
On Thu 25 Aug 2011 15:40:02 CEST Oleksandr Shneyder wrote:
x2goprint should be able to execute "su $user" to put a job file in spool directory.
That should be simple. But I won't have time to work on that before
next week... If someone else (Morty?) wants to start on that before,
feel free to do so.
Greets, Mike
On 25.08.2011 15:58, Mike Gabriel wrote:
That should be simple. But I won't have time to work on that before next week... If someone else (Morty?) wants to start on that before, feel free to do so.
Hi, I'm on holiday in Deutsch-Süd-West-Afrika. I won't be able to do anything before mid to end of September (conference). But I outlined two different solutions in the wiki (as x2goprint IMO still is a security issue it is on the security assessment page). I personally prefer the one where every user starts his own cups server, as this is the most secure solution. I already did some proof of concept experiments and I see no problems here (at least in my scenarios printing using linux sockets worked like a charm).
Cheers Morty
On Sat, 2011-09-03 at 09:04 +0100, Moritz Strübe wrote:
On 25.08.2011 15:58, Mike Gabriel wrote:
That should be simple. But I won't have time to work on that before next week... If someone else (Morty?) wants to start on that before, feel free to do so.
Hi, I'm on holiday in Deutsch-Süd-West-Afrika. I won't be able to do anything before mid to end of September (conference). But I outlined two different solutions in the wiki (as x2goprint IMO still is a security issue it is on the security assessment page). I personally prefer the one where every user starts his own cups server, as this is the most secure solution. I already did some proof of concept experiments and I see no problems here (at least in my scenarios printing using linux sockets worked like a charm).
<snip>
I am also very concerned about the security implications of x2goprint. However, I would prefer a solution which can use a single, central CUPS server if possible. For example, in our model we are preparing for many hundreds of vserver based users on a single host and several of those hosts. That would ultimately be hundreds to tens of thousands of CUPS processes running which would not have to be if they could be fed by a single CUPS server. That's why we originally hacked the x2goprint solution to support multiple x2goservers.
I do not know whether it is possible to resolve the security issues in such a way that preserves the ability of a single CUPS server.
Thanks - John
On 2011-09-03 10:49, John A. Sullivan III wrote:
That would ultimately be hundreds to tens of thousands of CUPS processes running which would not have to be if they could be fed by a single CUPS server. That's why we originally hacked the x2goprint solution to support multiple x2goservers.
2.2MB in Memory on our system (/proc/<PID>/status - see "man proc"). IMO there are far better ways of saving RAM - e.g. using a different window manager may save a multitude of this.
Cheers
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
On Wed, 2011-09-14 at 10:39 +0200, Moritz Struebe wrote:
On 2011-09-03 10:49, John A. Sullivan III wrote:
That would ultimately be hundreds to tens of thousands of CUPS processes running which would not have to be if they could be fed by a single CUPS server. That's why we originally hacked the x2goprint solution to support multiple x2goservers.
2.2MB in Memory on our system (/proc/<PID>/status - see "man proc"). IMO there are far better ways of saving RAM - e.g. using a different window manager may save a multitude of this.
<snip> But it's not just about RAM. There is CPU consumption. There is another unneeded service running which creates a possible security exposure. It means hundreds of systems to upgrade and manage instead of one. One is almost always easier, safer, and less expensive to manage than hundreds - at least in my management experience - John
Hi all,
On Sat 03 Sep 2011 10:04:10 CEST Moritz Strübe wrote:
On 25.08.2011 15:58, Mike Gabriel wrote:
That should be simple. But I won't have time to work on that before next week... If someone else (Morty?) wants to start on that before, feel free to do so.
Hi, I'm on holiday in Deutsch-Süd-West-Afrika. I won't be able to do
anything before mid to end of September (conference). But I outlined
two different solutions in the wiki (as x2goprint IMO still is a
security issue it is on the security assessment page). I
personally prefer the one where every user starts his own cups
server, as this is the most secure solution. I already did some
proof of concept experiments and I see no problems here (at least in
my scenarios printing using linux sockets worked like a charm).
I finally managed to fix cups-x2go and x2goprint and also get rid of
sudo if CUPS server equals the X2go Server.
Please see my latest commits in cups-x2go.git and x2goserver.git.
I have also added a stanza to the Security Assessment page in the wiki: http://wiki.x2go.org/security
Also added to cups-x2go and x2goprint: syslogging!!! I will work on
more syslogging in other X2go components later.
Greets, Mike