[X2Go-Commits] [x2gobroker] 01/01: Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666).
git-admin at x2go.org
git-admin at x2go.org
Mon Mar 30 16:57:59 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository x2gobroker.
commit 6652693c1fe47dbc53f84db84fab34f70485951a
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Mon Mar 30 16:57:56 2015 +0200
Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666).
---
debian/changelog | 2 ++
man/man1/x2gobroker.1 | 17 ++++++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 8ac74a1..a0640e5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -283,6 +283,8 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low
- man pages: Update date.
- If non-load-balanced session profiles reference a non-reachable host,
hand-back the system's hostname to X2Go Client / Python X2Go.
+ - Add security notice / disclaimer to x2gbroker.1 man page as suggested
+ by Stefan Baur. (Fixes: #666).
* debian/control:
+ Provide separate bin:package for SSH brokerage: x2gobroker-ssh.
+ Replace LDAP support with session brokerage support in LONG_DESCRIPTION.
diff --git a/man/man1/x2gobroker.1 b/man/man1/x2gobroker.1
index cadb4e1..4f00a48 100644
--- a/man/man1/x2gobroker.1
+++ b/man/man1/x2gobroker.1
@@ -108,11 +108,26 @@ Directory where stdout/stderr will be redirected after having daemonized (defaul
If started as root, drop privileges to uid X2GO_DAEMON_USER and gid X2GO_DAEMON_GROUP (as configured
in \fI/etc/x2go/broker/defaults.conf\fR on systemd systems or \fI/etc/defaults/python-x2gobroker\fR
on SystemV systems).
+.SH SECURITY NOTICE / DISCLAIMER
+Users are advised to not misinterpret X2Go Session Broker's capabilites as a
+security feature. Even when using X2Go Session Broker, it is still possible for
+users to locally configure an X2Go Client with any settings they want, and
+use that to connect. So if you're trying to keep users from running a
+certain application on the host, using X2Go Session Broker to "lock" the
+configuration is the *wrong* way. The users will still be able to run
+that application by creating their own, local configuration file and
+using that.
+.PP
+To keep users from running an application on the server, you have to use
+\fIfilesystem permissions\fR on the X2Go Server. In the simplest case,
+this means setting chmod 750 or 550 on the particular application on the
+host, and making sure the users in question are not the owner and also
+not a member of the group specified for the application.
.SH "FILES"
/etc/x2go/x2gobroker.conf, /etc/x2go/broker/* (configuration files)
.PP
/etc/default/python-x2gobroker, /etc/default/x2gobroker-daemon (environment for X2Go Session
-Broker when run as a standalone daemon)
+Broker when run as a standalone daemon via SystemV or upstart)
.PP
/var/log/x2gobroker/* (log files of X2Go Session Broker)
.SH "SEE ALSO"
--
Alioth's /srv/git/code.x2go.org/x2gobroker.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
More information about the x2go-commits
mailing list