Hi devs,
I would like to apply the below patch to x2goserver/master... if I do
not hear a veto within the next two days, I will push the patch to
code.x2go.org...
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=16cdb70f5bbd1298...
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
I think these are actually two patches. One "moving from sudo to suid" and the second "Make printing more robust using NFS".
Cheers Morty
On 2011-04-12 18:02, Mike Gabriel wrote:
> Hi devs,
> I would like to apply the below patch to x2goserver/master... if I do not hear a veto within the next two days, I will push the patch to code.x2go.org...
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=16cdb70f5bbd1298...
> Greets, Mike
X2go-dev mailing list X2go-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
Hi Morty,
On Mi 13 Apr 2011 13:28:20 CEST Moritz Struebe wrote:
> I think these are actually two patches. One "moving from sudo to suid" and the second "Make printing more robust using NFS".
> Cheers Morty
Actually, yes! Two patches.
Whereas the "moving from sudo to suid" phrase is only partially
correct. x2goprint itself is called via sudo (from within cups-x2go).
However, the database handling within x2goprint is using Perl's suid.
Best, Mike
Hi,
so we basically want to add cups-x2go to the server, too. I just checked cups-x2go and I didn't find any obvious security issues, but there is plenty of code that gives me a bad feeling. I also don't really see why x2goprint needs to be root.
Cheers Morty
On 2011-04-13 14:18, Mike Gabriel wrote:
> x2goprint itself is called via sudo (from within cups-x2go).
Hi Morty,
I divert the cups-x2go part into a separate thread...
On Mi 13 Apr 2011 16:46:00 CEST Moritz Struebe wrote:
> Hi,
> so we basically want to add cups-x2go to the server, too.
Yes, we want to do that. I already have a Git project locally here.
Shall I push it to code.x2go.org or do you want to?
> I just checked cups-x2go and I didn't find any obvious security issues, but there is plenty of code that gives me a bad feeling.
Could you be more precise on that?
Greets, Mike
Hi Morty,
On Mi 13 Apr 2011 16:46:00 CEST Moritz Struebe wrote:
> I also don't really see why x2goprint needs to be root.
The cups-x2go/x2goprint principle is as follows:
o cups-x2go can run on x2goserver or on another print server
o cups creates a PDF (as root)
o cups-x2go scp-copies the file to x2goprint@x2goserver which might be local
o cups-x2go calls x2goprint on x2goserver
o x2goprint (as user x2goprint) will pick up the print job
o ... move it to /tmp/...
o chown to the x2go session user
o ... and move the print job to the x2goclient (sshfs)
=> the chown part needs root privs...
Maybe we should really start thinking about a non-sudo way of getting
the print job from the cups server to the x2goserver to the client...
Greets, Mike
On 2011-04-13 17:43, Mike Gabriel wrote:
> Hi Morty,
> On Mi 13 Apr 2011 16:46:00 CEST Moritz Struebe wrote:
> > I also don't really see why x2goprint needs to be root.
> The cups-x2go/x2goprint principle is as follows:
> o cups-x2go can run on x2goserver or on another print server
> o cups creates a PDF (as root)
> o cups-x2go scp-copies the file to x2goprint@x2goserver which might be local
> o cups-x2go calls x2goprint on x2goserver
> o x2goprint (as user x2goprint) will pick up the print job
> o ... move it to /tmp/...
> o chown to the x2go session user
> o ... and move the print job to the x2goclient (sshfs)
> => the chown part needs root privs...
> Maybe we should really start thinking about a non-sudo way of getting the print job from the cups server to the x2goserver to the client...
I put some basic research into this, and what I found out by now is:
I don't think we can get around the ugly thing of the cups-server connecting back to the x2go-server, but I do think we can get around sudo using the sbit/suidperl once again. If we have a script in the user home that is executed as the user, we can use that to pipe the pdf to the appropriate folder. This file can be created by the client or one of the server-scripts and can even be deleted if the client does not support printing. This way there is no need to become root and the worst thing that can happen is, that the quota of the home is exceeded. No root, though.
Any thoughts?
Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
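A sketch of the per-user receiver script proposed in the message above, as an added example that is not part of the original thread or of x2goserver. The function name `receive_print_job`, the spool directory argument, the size cap and the `%PDF-` check are assumptions made for illustration; how the script comes to run as the session user is left out.

```shell
#!/bin/sh
# Added illustration, not x2goserver code. It runs as the session user, so the
# spooled file is already owned by that user and no chown/root step is needed.
# Hypothetical names: receive_print_job, the spool directory, MAX_BYTES.

MAX_BYTES=${MAX_BYTES:-52428800}   # assumed 50 MiB cap to bound quota usage

# receive_print_job SPOOL_DIR JOB_NAME   (the PDF is read from stdin)
receive_print_job() {
    spool=$1
    job=$2

    # The job name becomes a file name: allow a conservative character set
    # only, which rules out "/" and leading dots (no path traversal).
    case $job in
        ''|.*|*[!A-Za-z0-9._-]*) echo "bad job name" >&2; return 2 ;;
    esac

    (
        umask 077                      # spool dir and files private to the user
        mkdir -p "$spool" || exit 3
        tmp=$(mktemp "$spool/.incoming.XXXXXX") || exit 3
        trap 'rm -f "$tmp"' EXIT       # never leave a partial job behind

        # Read at most MAX_BYTES+1 bytes so an oversized job is detected
        # without filling the home quota.
        head -c "$((${MAX_BYTES} + 1))" > "$tmp" || exit 3
        size=$(( $(wc -c < "$tmp") ))
        [ "$size" -le "$MAX_BYTES" ] || { echo "job too large" >&2; exit 4; }

        # Accept only data that starts with the PDF magic bytes.
        [ "$(head -c 5 "$tmp")" = "%PDF-" ] || { echo "not a PDF" >&2; exit 5; }

        # A rename inside one directory is atomic: a reader never sees a
        # partially written job.
        mv "$tmp" "$spool/$job.pdf" || exit 3
    )
}
```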
Hi Morty,
On Mo 18 Apr 2011 09:13:47 CEST Moritz Struebe wrote:
> On 2011-04-13 17:43, Mike Gabriel wrote:
> I don't think we can get around the ugly thing of the cups-server connecting back to the x2go-server, but I do think we can get around sudo using the sbit/suidperl once again. If we have a script in the user home that is executed as the user, we can use that to pipe the pdf to the appropriate folder. This file can be created by the client or one of the server-scripts and can even be deleted if the client does not support printing. This way there is no need to become root and the worst thing that can happen is, that the quota of the home is exceeded. No root, though.
> Any thoughts?
Thanks for taking the time.
I would be glad if all of your proposed changes would be implemented in
the server code, so that this change of concept stays invisible to the
client...
Greets, Mike
On Tue, 2011-04-12 at 18:02 +0200, Mike Gabriel wrote:
> Hi devs,
> I would like to apply the below patch to x2goserver/master... if I do
> not hear a veto within the next two days, I will push the patch to
> code.x2go.org...
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=16cdb70f5bbd1298...
> <snip>
While we are making significant changes to x2goprint, would you consider including the patches we submitted a year or so ago so that one CUPS server can support more than one x2goserver? Perhaps it does that already now.
Thanks - John
Hi John,
On Mi 13 Apr 2011 19:22:58 CEST "John A. Sullivan III" wrote:
> On Tue, 2011-04-12 at 18:02 +0200, Mike Gabriel wrote:
> > Hi devs,
> > I would like to apply the below patch to x2goserver/master... if I do not hear a veto within the next two days, I will push the patch to code.x2go.org...
> > http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=16cdb70f5bbd1298...
> <snip>
> While we are making significant changes to x2goprint, would you consider including the patches we submitted a year or so ago so that one CUPS server can support more than one x2goserver? Perhaps it does that already now.
> Thanks - John
Thanks for reminding me. I will take a look...
Mike
Hi,
On Di 12 Apr 2011 18:02:55 CEST Mike Gabriel wrote:
> Hi devs,
> I would like to apply the below patch to x2goserver/master... if I
> do not hear a veto within the next two days, I will push the patch
> to code.x2go.org...
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=16cdb70f5bbd1298...
I have just pushed the patch to the master branch.
Greets, Mike