[X2Go-Dev] Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Vladislav Kurz
vladislav.kurz at webstep.net
Mon May 4 10:12:14 CEST 2020
On Sunday, 3 May 2020 22:41:31 CEST, Stefan Baur wrote:
> On 22.04.20 at 18:20, Vladislav Kurz wrote:
>
> [skipping the rbash part because I haven't really used that ever]
>
> > I also found a nice feature "published applications"
> > https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
> > It would be nice, if the x2go server had a config option, allowing users
> > to run only the "published applications", or use some other list of
> > allowed commands.
> That is impossible.
>
> X2Go follows the Unix principle: Do *one* thing, and do it right.
>
> The one place where you define which users are allowed to run
> applications is the file system and its executable permissions.
Hello,
that's what I tried - limit execution by permissions, or using rbash - in
short it is a bash that allows you to run only executables in your $PATH.
But I failed. x2go itself requires executable permissions on a lot of stuff to
set up the session. Is there any authoritative source on what executables are
required for x2go to work?
What we need is to block users from copying files from the x2go server. So we
have to deny /bin/cat or /bin/dd to be invoked via ssh. But x2go will not
connect without /bin/cat being executable.
> Anything X2Go would try to place on top of that would be bound to fail, as
> it can easily be bypassed by a user running X2Go with a custom
> configuration, or SSHing into the machine with ssh -X, thus bypassing
> X2Go entirely.
Would it be possible to make some sort of wrapper that could be set as a user's
shell that will allow only establishing an x2go session? Something like setting
x2goruncommand as the user's shell? Something like scponly. Then one could focus
on blocking only x-applications like xterm, etc.
Best Regards
Vladislav Kurz
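
Added example, not part of the original message and not X2Go code: one way the allowlist check of such a wrapper shell could look, given that sshd invokes the user's login shell as `<shell> -c "<command>"`. The allowlist entries and their paths are assumptions (only x2goruncommand is named in the thread) and would have to be replaced with what the X2Go client is observed to send.

```python
#!/usr/bin/env python3
"""Sketch of a wrapper login shell: vet the command sshd passes via -c."""
import os
import shlex
import sys

# Assumption: placeholder allowlist. Only x2goruncommand appears in the thread;
# the other names and all paths are assumed and must be verified on the server.
ALLOWED = {
    "/usr/bin/x2goruncommand",
    "/usr/bin/x2gostartagent",
    "/usr/bin/x2golistsessions",
}
SEARCH_DIRS = ("/usr/bin",)
# Conservative choice: reject anything a shell could use to chain, redirect or
# expand, in case an allowed program hands its arguments to a shell later.
FORBIDDEN = set(";&|<>`$(){}\n\\*?~!")


def vet(command):
    """Return argv with an absolute program path if permitted, else None."""
    if not command or any(ch in FORBIDDEN for ch in command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv:
        return None
    prog = argv[0]
    candidates = [prog] if "/" in prog else [f"{d}/{prog}" for d in SEARCH_DIRS]
    for path in candidates:
        if path in ALLOWED:  # exact match only, so "../" tricks never match
            return [path] + argv[1:]
    return None


def main(args):
    # Interactive logins (no "-c <command>") are refused.
    if len(args) != 3 or args[1] != "-c":
        return 1
    argv = vet(args[2])
    if argv is None:
        return 1
    os.execv(argv[0], argv)  # direct exec, the command is never re-parsed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only vets what sshd hands to the login shell; whatever the allowed programs start afterwards, including X applications inside the session, is outside its reach.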