[X2Go-Dev] Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Stefan Baur
X2Go-ML-1 at baur-itcs.de
Sun May 3 22:41:31 CEST 2020
On 22.04.20 at 18:20, Vladislav Kurz wrote:
[skipping the rbash part because I haven't really used that ever]
> I also found a nice feature "published applications"
> https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
> It would be nice, if the x2go server had a config option, allowing users to run
> only the "published applications", or use some other list of allowed commands.
That is impossible.
X2Go follows the Unix principle: Do *one* thing, and do it right.
The one place where you define which users are allowed to run
applications is the file system and its executable permissions.
Anything X2Go would try to place on top of that would be bound to fail, as
it can easily be bypassed by a user running X2Go with a custom
configuration, or SSHing into the machine with ssh -X, thus bypassing
X2Go entirely.
A bit more than 5 years ago, in
<https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=666>
I wrote:
SECURITY NOTICE
Users are advised to not misinterpret X2GoServer's Published
Application Mode as a security feature. Even when using Published
Application Mode, it is still possible for users to locally configure
an X2GoClient with any setting they want, and use that to connect. So
if you're trying to keep users from running a certain application on
the host, using Published Application Mode to "lock" the configuration
is the *wrong* way. The users will still be able to run that
application by creating their own, local configuration file and using
that. To keep users from running an application on the server, you
have to use *filesystem permissions*. In the simplest case, this
means setting chmod 750 or 550 on the particular application on the
host, and making sure the users in question are not the owner and also
not a member of the group specified for the application.
This still stands. It seems, however, like that notice only got
appended to the X2GoBroker man page, but nowhere to X2GoServer's
documentation.
-Stefan
--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
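
The filesystem-permission check that the security notice describes (chmod 750 or 550, with the user neither the owner nor a member of the group), as an added example that is not part of the original e-mail or of the X2Go project. The function names are hypothetical, `stat -c` assumes GNU coreutils, and ACLs, root, and parent-directory permissions are not considered.

```shell
#!/bin/sh
# Added example, not X2Go code. Function names are hypothetical.
# Ignores ACLs, root, and permissions on parent directories.

# class_can_exec MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Unix picks exactly one permission class: owner if the UID matches, else
# group if any of the user's GIDs matches, else other. Returns 0 if that
# class has the execute bit set.
class_can_exec() {
    mode=$1 fuid=$2 fgid=$3 uuid=$4 ugids=$5
    perms=$(( 0$mode & 0777 ))          # octal mode, setuid/setgid/sticky dropped
    if [ "$uuid" -eq "$fuid" ]; then
        bit=$(( perms & 0100 ))         # owner class
    else
        bit=$(( perms & 0001 ))         # other class, unless a group matches
        for g in $ugids; do
            if [ "$g" -eq "$fgid" ]; then
                bit=$(( perms & 0010 )) # group class
                break
            fi
        done
    fi
    [ "$bit" -ne 0 ]
}

# audit_user_exec USER FILE
# Looks up the real values (assumes GNU coreutils stat) and reports.
# Returns 0 if USER can execute FILE, 1 if not, 2 on lookup failure.
audit_user_exec() {
    user=$1 file=$2
    meta=$(stat -c '%a %u %g' "$file") || return 2
    uid=$(id -u "$user") || return 2
    gids=$(id -G "$user") || return 2
    set -- $meta
    if class_can_exec "$1" "$2" "$3" "$uid" "$gids"; then
        echo "ALLOWED: $user can execute $file (mode $1)"
    else
        echo "DENIED: $user cannot execute $file (mode $1)"
        return 1
    fi
}

# Usage: sh audit.sh USER /path/to/application
if [ $# -eq 2 ]; then
    audit_user_exec "$1" "$2"
fi
```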