[X2go-dev] concept for X2go session lock-down to kiosk-mode (was Re: X2go is insecure)
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Mar 30 11:43:59 CEST 2011
On Wed, 2011-03-30 at 10:58 +0200, Erik Auerswald wrote:
> Hi,
>
> On Tue, Mar 29, 2011 at 06:31:07PM +0200, Mike Gabriel wrote:
> > On Tue 29 Mar 2011 16:55:50 CEST Alexander Wuerstlein wrote:
> >> On 11-03-29 15:36, Dick Kniep <dick.kniep at lindix.nl> wrote:
> >
> >> An authorized user running commands over ssh is not a security problem
> >> at all. It works as intended. ssh provides shells.
> >
> > As Reinhard has mentioned in another post: Dick's setup requires a
> > complete lock-down-kiosk-mode-kind-of-thing. He wants a user to be able
> > to run a small set of commands only (i.e. the rootless applications he
> > wants to provide to his customers). From his perspective AFAIK a user
> > logged in via SSH is a security issue. May it be so.
> >
> >>> The $SSH_ORIGINAL_COMMAND contains the original command that the
> >>> client wants to execute on the server. This command is checked against
> >>> the allowed commands for the user within the wrapper.
> >>
> >> From the invocation I infer that the intended language for the
> >> wrapper is shell script. This is extremely dangerous if intended as a
> >> security measure like you claim. Also please note that it is very hard
> >> to write such wrappers in a secure way, such that stuff like e.g.
> >> 'allowed_command foo bar ; evil_command' is not possible.
> >
> > This is a very worthy remark!!! I also think that it needs quite an
> > effort to script such a wrapper (and have it accepted in X2go
> > upstream!!!)
>
> An example for rsync via SSH can be found at:
> http://troy.jdmz.net/rsync/index.html
>
> The validate-rsync script there can be used as a starting point.
>
> Regards,
> Erik

I admit I have not thought this issue through thoroughly, as I'm under a
brutal deadline right now, but I would think the problem is that one can
use X2Go for application publishing and not just complete desktops. Do
we know in advance every possible application one might want to publish
via X2Go? If we did (and I can't imagine we would), would we want to
identify those via X2Go or some other mechanism built more for the task?
My guess is, since we are an application publishing application, we
should leave restriction of applications to the sysadmin using the tools
already at their disposal. Again, that is only a half-baked thought, but
I think it has some merit - John
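
The wrapper idea discussed in the quoted messages, as an added example that is not part of the original thread or of X2go's code: a POSIX sh forced-command wrapper that only compares `$SSH_ORIGINAL_COMMAND` against exact strings and runs a fixed argv, shown beside a naive prefix check that accepts the `; evil_command` case. The wrapper path and the two published applications are assumptions.

```shell
#!/bin/sh
# Constructed example. Installed as a forced command in authorized_keys, e.g.
#   command="/usr/local/bin/kiosk-wrapper" <key type> <public key> <comment>
# The wrapper path and the two published applications are assumptions.

# Naive check, shown only for contrast: a prefix match accepts
# "/usr/bin/xterm ; evil_command", and a wrapper that then passed the string
# to eval or "sh -c" would run both commands.
naive_is_allowed() {
    case $1 in
        /usr/bin/xterm*) return 0 ;;
        *) return 1 ;;
    esac
}

# Strict check: the client string is compared against quoted (literal)
# patterns and never expanded or executed. On an exact match the function
# swaps in a fixed argv; with "exec" as $2 it runs that argv without a shell.
dispatch() {
    mode=${2:-check}
    case $1 in
        '/usr/bin/xterm')
            set -- /usr/bin/xterm ;;
        '/usr/bin/libreoffice --writer')
            set -- /usr/bin/libreoffice --writer ;;
        *)
            return 1 ;;
    esac
    if [ "$mode" = exec ]; then
        exec "$@"
    fi
    return 0
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asks for a command. When it
# is unset (interactive login) the wrapper simply ends, so no shell is given.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND" exec
    # Only reached when nothing matched; log without echoing client input.
    logger -t kiosk-wrapper "denied command for ${USER:-unknown}"
    exit 1
fi
```

Because matching is exact, every permitted argument combination needs its own entry in the `case` list.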