[X2Go-Dev] replacing su calls in X2Go Server scripts with sudo (or ???)
Moritz Struebe
Moritz.Struebe at informatik.uni-erlangen.de
Tue Jan 14 13:26:17 CET 2014
On 2014-01-08 14:11, Mike Gabriel wrote:
> Hi all,
>
> as those of you who have studied X2Go Server code probably have
> noticed, X2Go uses the su command quite intensively. The problem about
> su is that it invokes a subshell whenever it is called. Those subshells
> are quite difficult to handle without providing space for exploitation.
>
> As su is (in all cases) used to drop privileges from root to a normal
> user, my suggestion would be exchanging the su calls by sudo calls.
> (sudo -u <user> <command>). The advantage of sudo: it does not invoke a
> subshell.
>
> Feedback? Request for comments??? Any other approach thinkable???
>
IMO we should get rid of su altogether if possible. As far as I can see
the cleansession-stuff can run as a daemon for every user (simple
shell scripts that sleep in between checks and terminate if there is
no active session). Printing is another issue. But IMO even that can be
solved by polling rather than pushing the data.
Morty
--
Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter)
Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen
Tel : +49 9131 85-25419
Fax : +49 9131 85-28732
eMail : struebe at informatik.uni-erlangen.de
WWW : http://www4.informatik.uni-erlangen.de/~morty
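
Added example, not part of the original message and not X2Go code: it shows why a command string handed to a subshell (the `su -c` shape) is harder to handle safely than an argument vector (the `sudo -u <user> <command>` shape). As assumptions, `sh -c` stands in for the shell that su starts and `env` stands in for sudo's direct exec, so it runs without root; the function names and the sample value are constructed.

```shell
#!/bin/sh
# su-style shape:   su "$user" -c "some_command $value"
# The value is pasted into ONE string and parsed again by a shell.
# (sh -c is a stand-in for that shell; assumption, see lead-in.)
via_subshell() {
    sh -c "printf '[%s]\n' $1"
}

# sudo-style shape: sudo -u "$user" some_command "$value"
# The value stays one element of argv and is never parsed as shell code.
# (env is a stand-in for the direct exec; assumption, see lead-in.)
via_argv() {
    env printf '[%s]\n' "$1"
}

# Constructed sample value containing shell syntax and a harmless marker.
SAMPLE='s1; echo SECOND-COMMAND-RAN'

# Exit status 0 if the marker ran as its own command, i.e. the value
# was interpreted as code instead of being passed through as data.
marker_ran() {
    "$1" "$SAMPLE" | grep -qx 'SECOND-COMMAND-RAN'
}

# Number of arguments the target command actually received for a value.
arg_lines() {
    "$1" "$2" | wc -l | tr -d ' '
}

for style in via_subshell via_argv; do
    if marker_ran "$style"; then
        echo "$style: value was executed as shell code"
    else
        echo "$style: value was passed through as data"
    fi
    echo "$style: 'a b' arrived as $(arg_lines "$style" 'a b') argument(s)"
done
```

The same re-parsing happens if sudo is asked to start a shell itself (`sudo -s` or `sudo -i`), so the benefit depends on calling the command directly.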