[X2go-dev] X2go is insecure

Moritz Struebe Moritz.Struebe at informatik.uni-erlangen.de
Tue Mar 29 17:09:39 CEST 2011


Hi,

I disagree with almost everything you wrote, but I think it boils down
to the following:

On 2011-03-29 15:35, Dick Kniep wrote:
> The $SSH_ORIGINAL_COMMAND contains the original command that the
> client wants to execute on the server. This command is checked against
> the allowed commands for the user within the wrapper.

Why must there be an extra wrapper to disallow commands, when Linux
provides enough tools to do so at system level? Why prohibit those
commands in the first place? What you are suggesting only makes sense
when you want to limit parameters passed to a command.
BTW: No one needs x2go to run "rm -rf /"! You can just do ssh <server>
rm - Why bother using x2go?

Cheers
Morty


-- 
Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter)
Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen

Tel   : +49 9131 85-25419
Fax   : +49 9131 85-28732
eMail : struebe at informatik.uni-erlangen.de
WWW   : http://www4.informatik.uni-erlangen.de/~morty
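
The wrapper described in the quoted paragraph, with the parameter limiting mentioned in the reply, as an added example that is not part of the original thread and is not X2Go project code. The allowlist contents, the wrapper path and the `--enforce` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not X2Go code): allowlist wrapper for an sshd forced command.
# Install via the authorized_keys option  command="/path/to/wrapper --enforce"
# (path and the --enforce argument are hypothetical). sshd then runs this script
# and passes the client's requested command line in $SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below plain ASCII

# Assumed allowlist, for illustration: bare command names only.
ALLOWED_COMMANDS="x2golistsessions x2gostartagent"

# is_allowed "<command line>": return 0 if the request may run, 1 otherwise.
is_allowed() {
    set -f          # no glob expansion while splitting
    set -- $1       # split the request into words (function-local "$@")
    set +f
    [ "$#" -gt 0 ] || return 1      # no command = interactive shell: deny
    name=$1
    # Limit every word, parameters included, to a conservative character set,
    # so no shell metacharacter, glob or path separator gets through.
    for word in "$@"; do
        case $word in
            *[!A-Za-z0-9_.:=,-]*) return 1 ;;
        esac
    done
    for ok in $ALLOWED_COMMANDS; do
        if [ "$name" = "$ok" ]; then return 0; fi
    done
    return 1
}

if [ "${1:-}" = "--enforce" ]; then
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND   # word-split only; never eval or sh -c
    fi
    echo "command not permitted" >&2
    exit 1
fi

# Without --enforce: print the decision for constructed sample requests.
for sample in "x2golistsessions" "x2golistsessions; rm -rf /" "rm -rf /" ""; do
    if is_allowed "$sample"; then echo "allow: [$sample]"; else echo "deny:  [$sample]"; fi
done
```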


