[X2go-dev] x2go security Issues
Moritz Struebe
Moritz.Struebe at informatik.uni-erlangen.de
Thu Jan 20 10:24:12 CET 2011
Hi,
Morning,
I am testing PyHoca. One of the problems I came across is that the
client checks whether I am in the x2go group - which I'm not. I also
noticed that some other security checks are done in the client. I
believe this is dangerous, because administrators might think that these
are real security checks, while they can easily be circumvented. I
believe these checks must be done server-side. That way they can also
easily be adjusted by administrators.
Besides that, one of our admins did quite a few security patches to
avoid x2gowrapper having to run as root. At the moment this only works
for Postgres. Nonetheless, I must say that I'm not happy running
x2gowrapper, which is easy to exploit using SQL injections, as root. It
should at least do a "sudo -u x2go" or similar. This user only needs
access to the database. That way, in the worst case, the DB is corrupted and not
the whole system.
Cheers
Morty
--
Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter)
Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen
Tel : +49 9131 85-25419
Fax : +49 9131 85-28732
eMail : struebe at informatik.uni-erlangen.de
WWW : http://www4.informatik.uni-erlangen.de/~morty
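The two points raised above (a membership check that belongs on the server, and a DB helper that splices untrusted input into SQL) illustrated as an added example; this is not x2go's or PyHoca's code, the group name "x2go", the session table layout and the fake group/passwd tables are all constructed for the demo.

```python
import grp
import pwd
import sqlite3
from types import SimpleNamespace

# Assumed group name: the post only says "the x2go group".
X2GO_GROUP = "x2go"

def user_in_group(username, group=X2GO_GROUP,
                  getgrnam=grp.getgrnam, getpwnam=pwd.getpwnam):
    """Server-side check against the host's group database; nothing the
    client sends is trusted, and an unknown user or group yields False."""
    try:
        g = getgrnam(group)
        p = getpwnam(username)
    except KeyError:
        return False
    return username in g.gr_mem or p.pw_gid == g.gr_gid

def list_sessions_unsafe(conn, username):
    # Vulnerable pattern: the username is spliced into the SQL text.
    query = "SELECT session_id FROM sessions WHERE uname = '%s'" % username
    return [row[0] for row in conn.execute(query)]

def list_sessions_safe(conn, username):
    # Hardened pattern: placeholder binding; the value cannot alter the query.
    query = "SELECT session_id FROM sessions WHERE uname = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def demo_db():
    # Constructed in-memory stand-in for a session table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT, uname TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("sess-alice-1", "alice"), ("sess-bob-1", "bob")])
    return conn

def injection_demo(payload="' OR '1'='1"):
    """Returns (unsafe_rows, safe_rows) for one textbook payload."""
    conn = demo_db()
    return list_sessions_unsafe(conn, payload), list_sessions_safe(conn, payload)

def membership_demo():
    """Constructed group/passwd tables standing in for grp/pwd on a test host."""
    groups = {X2GO_GROUP: SimpleNamespace(gr_gid=1001, gr_mem=["alice"])}
    users = {"alice": SimpleNamespace(pw_gid=100), "bob": SimpleNamespace(pw_gid=100),
             "carol": SimpleNamespace(pw_gid=1001)}
    lookup = lambda table: (lambda name: table[name])  # KeyError like grp/pwd
    return {u: user_in_group(u, getgrnam=lookup(groups), getpwnam=lookup(users))
            for u in ("alice", "bob", "carol", "mallory")}
```

Running the wrapper as an unprivileged account that owns only the session database, as the post suggests, limits what the unsafe path can damage; the parameterized form removes the injection itself.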