Dear maintainer,
on a system where x2goserver is installed I found the following entries in /etc/passwd:
x2gouser:x:123:137::/var/lib/x2go:/bin/false
x2goprint:x:130:139::/var/spool/x2goprint:/bin/sh
Is there any reason why x2goprint should be able to logon interactively? Couldn't the shell be set to /bin/false like for x2gouser?
Best regards
Heinrich Schuchardt
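
The check behind this report, as an added example that is not part of the original thread or of the X2Go packaging: a shell function that lists system accounts whose passwd shell field still permits an interactive session. The function name, the UID threshold of 1000 and the root and alice sample lines are assumptions; the two x2go entries are the ones quoted above.

```shell
#!/bin/sh
# Added example: report system accounts that keep an interactive login shell.
# Usage: audit_system_shells [passwd-file|-] [first-regular-uid]

audit_system_shells() {
    passwd_file="${1:-/etc/passwd}"
    uid_min="${2:-1000}"   # assumption: regular users start at UID 1000 (Debian default)
    awk -F: -v uid_min="$uid_min" '
        /^[ \t]*(#|$)/ { next }      # skip blank lines and comments
        NF != 7        { next }      # skip malformed entries
        {
            user = $1; uid = $3 + 0; shell = $7
            # root and regular users are out of scope for this check
            if (uid == 0 || uid >= uid_min) next
            # shells that refuse a session
            if (shell == "/bin/false" || shell == "/usr/bin/false" ||
                shell == "/usr/sbin/nologin" || shell == "/sbin/nologin") next
            # an empty shell field means the system default, /bin/sh
            if (shell == "") shell = "/bin/sh (empty field)"
            printf "%s uid=%d home=%s shell=%s\n", user, uid, $6, shell
        }
    ' "$passwd_file"
}

# Constructed sample input: the two entries from the report plus two
# made-up accounts (root, alice) that the check must ignore.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
x2gouser:x:123:137::/var/lib/x2go:/bin/false
x2goprint:x:130:139::/var/spool/x2goprint:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo on the sample; run audit_system_shells with no arguments to
# check the local /etc/passwd instead.
sample_passwd | audit_system_shells -
```
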
Hi Heinrich,
On Thu 08 Nov 2012 04:41:55 CET glpk xypron wrote:
Dear maintainer,
on a system where x2goserver is installed I found the following
entries in /etc/passwd:
x2gouser:x:123:137::/var/lib/x2go:/bin/false
x2goprint:x:130:139::/var/spool/x2goprint:/bin/sh
Is there any reason why x2goprint should be able to logon interactively? Couldn't the shell be set to /bin/false like for x2gouser?
please check the cups-x2go CUPS virtual printer: http://code.x2go.org/gitweb?p=cups-x2go.git;a=blob;f=cups-x2go
There we do a lot of sudo and ssh -lx2goprint and if you come up with
a patch for x2goprint that prevents us from using /bin/sh as shell, I
will be happy to work that into cups-x2go.
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On Thu 08 Nov 2012 09:27:09 CET Mike Gabriel wrote:
[...] a patch for x2goprint that prevents us from using /bin/sh as shell, [...]
Actually this has to be: ... a patch for cups-x2go that prevents ...
Mike
Hello Mike,
I just read http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-printing
Following the instructions means that anybody who hacks my cups server can login as sudoer to the x2goserver, because I leave the key on the doorstep (/root/.ssh/id_dsa-x2goprint).
Why doesn't the x2goserver p
My suggestion is: apt-get install x2goserver-printing should not create user x2goprint, because the user is not needed if the Cups and the X2GO server are the same.
Best regards
Heinrich Schuchardt
Hi Heinrich,
On Thu 08 Nov 2012 19:46:59 CET Xypron wrote:
Hello Mike,
I just read http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-printing
Following the instructions means that anybody who hacks my cups server can login as sudoer to the x2goserver, because I leave the key on the doorstep (/root/.ssh/id_dsa-x2goprint).
Why doesn't the x2goserver p
My suggestion is: apt-get install x2goserver-printing should not create user x2goprint, because the user is not needed if the Cups and the X2GO server are the same.
My suggestion would be splitting up the already tiny package
x2goserver-printing into two packages rather than one. The first
providing the x2goprint script, the second
(x2goserver-printing-multinode) creating the user.
I'd really appreciate it if you came up with a (git-based) patch.
Otherwise, the request will to get a high prio from my side.
If you cannot provide a patch, please drop a reminder into our
bugtracker. Thanks!
Mike
Hello Mike,
just to get things clear:
Your suggestion would include:
Remove this (and surrounding code) from debian/x2goserver-printing.postinst:
    adduser --system \
        --disabled-password --disabled-login \
        --shell /bin/sh --group --home /var/spool/x2goprint x2goprint
Remove the corresponding code from debian/x2goserver-printing.postrm
Create a new "empty" debian package "x2goserver-printremote" with postinst and postrm only, and run time dependency on package "x2goserver-printing".
Send patch to this list using "git send-email".
Did I get you right?
Best regards
Heinrich Schuchardt
-------- Original Message --------
Date: Thu, 08 Nov 2012 22:36:10 +0100
Subject: Re: [X2Go-User] User x2goprint - shell set to /bin/sh
Hi Heinrich,
My suggestion would be splitting up the already tiny package
x2goserver-printing into two packages rather than one. The first
providing the x2goprint script, the second
(x2goserver-printing-multinode) creating the user.
I'd really appreciate it if you came up with a (git-based) patch.
Otherwise, the request will to get a high prio from my side.
If you cannot provide a patch, please drop a reminder into our
bugtracker. Thanks!
Mike
On Thu, Nov 8, 2012 at 10:36 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi Heinrich,
On Thu 08 Nov 2012 19:46:59 CET Xypron wrote:
Hello Mike,
I just read http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-printing
Following the instructions means that anybody who hacks my cups server can login as sudoer to the x2goserver, because I leave the key on the doorstep (/root/.ssh/id_dsa-x2goprint).
Why doesn't the x2goserver p
My suggestion is: apt-get install x2goserver-printing should not create user x2goprint, because the user is not needed if the Cups and the X2GO server are the same.
My suggestion would be splitting up the already tiny package x2goserver-printing into two packages rather than one. The first providing the x2goprint script, the second (x2goserver-printing-multinode) creating the user.
Another option would be a debconf question, defaulting to single-node.
-- regards, Reinhard
Hi Heinrich,
----- Original message -----
On Thu, Nov 8, 2012 at 10:36 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi Heinrich,
On Thu 08 Nov 2012 19:46:59 CET Xypron wrote:
Hello Mike,
I just read http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-printing
Following the instructions means that anybody who hacks my cups server can login as sudoer to the x2goserver, because I leave the key on the doorstep (/root/.ssh/id_dsa-x2goprint).
Why doesn't the x2goserver p
My suggestion is: apt-get install x2goserver-printing should not create user x2goprint, because the user is not needed if the Cups and the X2GO server are the same.
My suggestion would be splitting up the already tiny package x2goserver-printing into two packages rather than one. The first providing the x2goprint script, the second (x2goserver-printing-multinode) creating the user.
Another option would be a debconf question, defaulting to single-node.
Reinhard, thanks for throwing that into the ring. I actually prefer that approach.
I also think that we should keep this debconf template silent, so it only gets called with the dpkg-reconfigure command and a higher prio than the default.
Greets, Mike
On Fri, Nov 9, 2012 at 9:01 AM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi Heinrich,
----- Original message -----
On Thu, Nov 8, 2012 at 10:36 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi Heinrich,
On Thu 08 Nov 2012 19:46:59 CET Xypron wrote:
Hello Mike,
I just read http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-printing
Following the instructions means that anybody who hacks my cups server can login as sudoer to the x2goserver, because I leave the key on the doorstep (/root/.ssh/id_dsa-x2goprint).
Why doesn't the x2goserver p
My suggestion is: apt-get install x2goserver-printing should not create user x2goprint, because the user is not needed if the Cups and the X2GO server are the same.
My suggestion would be splitting up the already tiny package x2goserver-printing into two packages rather than one. The first providing the x2goprint script, the second (x2goserver-printing-multinode) creating the user.
Another option would be a debconf question, defaulting to single-node.
Reinhard, thanks for throwing that into the ring. I actually prefer that approach.
I also think that we should keep this debconf template silent, so it only gets called with the dpkg-reconfigure command and a higher prio than the default.
That's what happens if you make the question priority: low.
-- regards, Reinhard