[X2Go-Dev] Bug#1550: X2Go/Server/DB/SQLite3.pm: Reads shadow entry ($pass) but it is never used

Paul Menzel pmenzel at molgen.mpg.de
Wed Jun 2 13:38:12 CEST 2021 

Package: x2goserver
Version: 4.1.0.3


Dear X2Go folks,


We noticed, that every two seconds our “shadow server” (similar to NIS) 
gets a request for the shadow line of the x2go user [1].

Tracing this reveals:

      x2gocleansessio-3593    [112] .... 2334059.441996: sys_clone 
<-system_call_exception
                <...>-468193  [120] .... 2334059.538048: sys_clone 
<-system_call_exception
                <...>-468194  [128] .... 2334059.539367: sys_clone 
<-system_call_exception
      x2golistsession-468193  [120] .... 2334059.542178: sys_clone 
<-system_call_exception
      libx2go-server--468196  [136] .... 2334059.656827: tcp_connect 
<-tcp_v4_connect
      x2gocleansessio-3593    [112] .... 2334059.695737: sys_clone 
<-system_call_exception
                <...>-468197  [128] .... 2334059.793699: sys_clone 
<-system_call_exception
             x2gopath-468198  [137] .... 2334059.794604: sys_clone 
<-system_call_exception
        x2gogetstatus-468197  [128] .... 2334059.797066: sys_clone 
<-system_call_exception
                <...>-468200  [097] .... 2334059.912926: tcp_connect 
<-tcp_v4_connect

     /sys/kernel/debug/tracing# ps -fp 3593
     UID          PID    PPID  C STIME TTY          TIME CMD
     root        3593       1  0 May06 ?        00:36:27 /usr/bin/perl 
/usr/sbin/x2gocleansessions

and (for example the first `libx2go-server-db-sqlite3-wrapper`) → 
`/usr/share/perl5/X2Go/Server/DB/SQLite3.pm` contains:

         my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, 
$homedir, $shell, $expire) = getpwnam($x2gouser);
         my $dbfile="$homedir/x2go_sessions";

> The getpwnam() function returns a pointer to a structure containing the
> broken-out fields of the record in the password database (e.g., the lo‐
> cal password file /etc/passwd, NIS, and LDAP) that matches the username
> name.

Reading `/usr/share/perl5/X2Go/Server/DB/SQLite3.pm` [2] it looks like, 
the variable `$pass` is never used?

```
sub init_db
{
	# retrieve home dir of x2gouser
	my $x2gouser='x2gouser';
	my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, 
$shell, $expire) = getpwnam($x2gouser);
	my $dbfile="$homedir/x2go_sessions";
	my 
$dbh=DBI->connect("dbi:SQLite:dbname=$dbfile","","",{sqlite_use_immediate_transaction 
=> 1, AutoCommit => 1, }) or die $_;

	# on SLE 11.x the sqlite_busy_timeout function does not exist, trying 
to work around that...
	if ( $dbh->can('sqlite_busy_timeout') )
	{
		$dbh->sqlite_busy_timeout( 2000 );
	}
	return $dbh;
}
```


Kind regards,

Paul


[1]: 
https://salsa.debian.org/debian-remote-team/x2goserver/-/blob/master/x2goserver/sbin/x2gocleansessions#L166
[2]: 
https://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=X2Go/Server/DB/SQLite3.pm;h=e6fb22b884c869dc14c6471a99ba31a5d45a6c30;hb=HEAD#l64

More information about the x2go-dev mailing list