[X2Go-Dev] Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Vladislav Kurz
vladislav.kurz at webstep.net
Wed Apr 22 18:20:29 CEST 2020
Package: x2goserver
Version: 4.1.0.3-0~1708~ubuntu16.04.1
Severity: wishlist
Hello all,
we are using x2go to run a single application on a remote server, and we want to
lock all other access as much as possible. Essentially, we'd like to ensure
that even if the user connects via SSH, he could start only one (or limited
set) of applications.
I found this guide https://wiki.x2go.org/doku.php/wiki:security:rbash but it
seems to be somewhat outdated. I followed the instructions, created the
wrapper command, set up the symlinks, and configured ssh, but then I get this
error: Connection failed. rbash: bash: command not found
Apparently the x2go client is trying to execute "bash /usr/bin/x2goruncommand"
instead of just "x2goruncommand". If I add bash to the path with allowed
commands, it starts working. But it makes the whole use of rbash pointless.
Also it allows me to run anything via x2go anyway - as x2goruncommand is a
bash script, it escapes the restrictions of rbash.
Is it possible to update that wiki page with current requirements - what
commands are necessary in $PATH for restricted shell? I found that at least
nxagent should be there too. And to modify the login sequence so that bash is
not needed in $PATH? BTW is that defined on server or client? Where exactly?
I also found a nice feature "published applications"
https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
It would be nice, if the x2go server had a config option, allowing users to run
only the "published applications", or use some other list of allowed commands.
So far my attempts at limiting the access to other applications were not very
successful. There's a lot of stuff needed internally by x2go, so I cannot just
remove execute bit from many commands in (/usr)/bin/.
Thanks for any advice or hotfix.
Best Regards
Vladislav Kurz
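
An added check, not part of the original message or of X2Go: the report describes two ways a restricted setup leaks (bash itself placed in the allowed-commands directory, and an allowed command such as x2goruncommand being a bash script, which rbash runs in an unrestricted shell). The function below audits such a directory for both cases. The function name, the list of shell names and the output format are assumptions, and GNU `readlink -f` is assumed.

```sh
#!/bin/sh
# Added example: audit the directory that serves as the only $PATH entry
# of an rbash account. Prints one line per risky entry; returns 0 if clean.
# The list of shell names below is an assumption; extend it as needed.

audit_rbash_path() {
    dir=$1
    findings=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue            # empty dir or dangling link
        name=$(basename "$entry")
        target=$(readlink -f "$entry")         # follow the symlink chain

        # Case 1: the entry resolves to a full shell, so the restricted
        # user can simply start an unrestricted one.
        case $(basename "$target") in
            sh|bash|dash|zsh|ksh|mksh|csh|tcsh|fish)
                echo "SHELL $name -> $target"
                findings=$((findings + 1))
                continue ;;
        esac

        # Case 2: the entry is a shell script. rbash turns restrictions
        # off in the shell it spawns to execute a script.
        first=$(head -c 128 "$target" 2>/dev/null | head -n 1 | tr -d '\0')
        case $first in
            '#!'*sh|'#!'*sh\ *)
                echo "SCRIPT $name -> $target ($first)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_rbash_path "$1"
fi
```

A SCRIPT finding is not automatically a hole, but every such script has to be reviewed as if it ran with the user's full, unrestricted privileges.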