[X2go-Dev] x2goserver package with setuidwrapper
Reinhard Tartler
siretart at tauware.de
Mon Jul 18 17:40:02 CEST 2011
On Mon, Jul 18, 2011 at 15:04:59 (CEST), Mike Gabriel wrote:
> Then we should also make sure, no one can su to the x2gouser, shouldn't
> we? Or at least make sure that x2gouser cannot change permissions on
> that file? How that?
Something like this should do it:
-r-sr-sr-x 1 x2gouser x2gousers 5388 2011-07-18 00:12 /usr/bin/x2gosqlitewrapper*
-rwxr-xr-x 1 root root 10094 2011-07-18 00:02 /usr/lib/x2go/x2gosqlitewrapper.pl*
btw, this commit seems very wrong to me:
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=82c6545adef362a9d759b5ddf41473af052156c7
The real uid must never be the same as the effective user id. How else is
the script supposed to find out what what user called the script? The
point of the script is to ensure that each user can only add and remove
entries for their *own* sessions, and cannot muck around with sessions
from other users, doesn't it?
Your patch removed a very important saftey sanity check. If you removed
it because it failed for you, then you now have allowed every user to
delete any session, even from other users. Or even worse.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
More information about the x2go-dev
mailing list