[X2Go-Commits] [x2gobroker] 01/01: Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666).

git-admin at x2go.org git-admin at x2go.org
Mon Mar 30 16:57:59 CEST 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch master
in repository x2gobroker.

commit 6652693c1fe47dbc53f84db84fab34f70485951a
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Mon Mar 30 16:57:56 2015 +0200

    Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666).
---
 debian/changelog      |    2 ++
 man/man1/x2gobroker.1 |   17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 8ac74a1..a0640e5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -283,6 +283,8 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low
     - man pages: Update date.
     - If non-load-balanced session profiles reference a non-reachable host,
       hand-back the system's hostname to X2Go Client / Python X2Go.
+    - Add security notice / disclaimer to x2gbroker.1 man page as suggested
+      by Stefan Baur. (Fixes: #666).
   * debian/control:
     + Provide separate bin:package for SSH brokerage: x2gobroker-ssh.
     + Replace LDAP support with session brokerage support in LONG_DESCRIPTION.
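Review bot: The new changelog entry names the man page as "x2gbroker.1", but the file changed in this commit is man/man1/x2gobroker.1. Correct the spelling to "x2gobroker.1" so that a search of the changelog for the man page name finds this entry. The same entry should also mention the FILES wording change that this commit makes to the man page.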
diff --git a/man/man1/x2gobroker.1 b/man/man1/x2gobroker.1
index cadb4e1..4f00a48 100644
--- a/man/man1/x2gobroker.1
+++ b/man/man1/x2gobroker.1
@@ -108,11 +108,26 @@ Directory where stdout/stderr will be redirected after having daemonized (defaul
 If started as root, drop privileges to uid X2GO_DAEMON_USER and gid X2GO_DAEMON_GROUP (as configured
 in \fI/etc/x2go/broker/defaults.conf\fR on systemd systems or \fI/etc/defaults/python-x2gobroker\fR
 on SystemV systems).
+.SH SECURITY NOTICE / DISCLAIMER
+Users are advised to not misinterpret X2Go Session Broker's capabilites as a
+security feature. Even when using X2Go Session Broker, it is still possible for
+users to locally configure an X2Go Client with any settings they want, and
+use that to connect. So if you're trying to keep users from running a
+certain application on the host, using X2Go Session Broker to "lock" the
+configuration is the *wrong* way. The users will still be able to run
+that application by creating their own, local configuration file and
+using that.
+.PP
+To keep users from running an application on the server, you have to use
+\fIfilesystem permissions\fR on the X2Go Server. In the simplest case,
+this means setting chmod 750 or 550 on the particular application on the
+host, and making sure the users in question are not the owner and also
+not a member of the group specified for the application.
 .SH "FILES"
 /etc/x2go/x2gobroker.conf, /etc/x2go/broker/* (configuration files)
 .PP
 /etc/default/python-x2gobroker, /etc/default/x2gobroker-daemon (environment for X2Go Session
-Broker when run as a standalone daemon)
+Broker when run as a standalone daemon via SystemV or upstart)
 .PP
 /var/log/x2gobroker/* (log files of X2Go Session Broker)
 .SH "SEE ALSO"
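Review bot: The last -/+ pair in the FILES section (adding "via SystemV or upstart") is unrelated to the security notice and is not covered by the commit message or the changelog entry. Either move it to its own commit or mention it in the changelog. In the added section itself, "capabilites" should be "capabilities", and "*wrong*" will render as literal asterisks in a man page, so use \fBwrong\fR to match the \fI...\fR markup used elsewhere in the file. The new heading `.SH SECURITY NOTICE / DISCLAIMER` is unquoted while the neighbouring `.SH "FILES"` and `.SH "SEE ALSO"` are quoted; quote it for consistency. The chmod 750 or 550 advice would be easier to apply with a short explanation that these modes remove all access for "other", which is why the users in question must be neither the owner nor a member of the file's group.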

--
Alioth's /srv/git/code.x2go.org/x2gobroker.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git

