On 2014-01-08 14:11, Mike Gabriel wrote:
> Hi all,
>
> as those of you who have studied X2Go Server code probably have noticed, X2Go uses the su command quite intensively. The problem about su is that it invokes a subshell whenever it is called. Those subshells are quite difficult to handle without providing space for exploitation.
>
> As su is (in all cases) used to drop privileges from root to a normal user, my suggestion would be exchanging the su calls by sudo calls. (sudo -u <user> <command>). The advantage of sudo: it does not invoke a subshell.
>
> Feedback? Request for comments??? Any other approach thinkable???
>

IMO we should get rid of su altogether if possible. As far as I can see, the cleansession stuff can run as a daemon for every user (simple shell scripts that sleep in between checks and terminate if there is no active session). Printing is another issue. But IMO even that can be solved by polling rather than pushing the data.

Moty

-- 
Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter)
Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen
Tel : +49 9131 85-25419
Fax : +49 9131 85-28732
eMail : stru...@informatik.uni-erlangen.de
WWW : http://www4.informatik.uni-erlangen.de/~morty
_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
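
The subshell difference discussed in the thread, as an added example that is not part of the original messages or of X2Go's code: `sh -c` stands in for the shell that `su -c` starts and `env` for a direct exec as `sudo -u <user> <command>` performs, so it runs without root. The function names and the sample argument are constructed for illustration.

```sh
#!/bin/sh
# Added example (constructed): one untrusted argument, three ways of handing
# it to a program. No root needed: `sh -c` models the shell that `su -c`
# starts, `env` models a direct exec with no shell in between.

# su style: the argument is pasted into a command string and re-parsed.
su_style() {
    sh -c "printf '[%s]' $1"
}

# sudo style: the argument stays a single argv element, nothing parses it.
direct_style() {
    env printf '[%s]' "$1"
}

# If a shell cannot be avoided: fixed command string, data passed as "$1".
positional_style() {
    sh -c 'printf "[%s]" "$1"' sh "$1"
}

untrusted='a; echo INJECTED'   # constructed sample input
for style in su_style direct_style positional_style; do
    printf '%-17s ' "$style"
    "$style" "$untrusted"
    printf '\n'
done
```

Only the first form lets the argument change which commands run; the other two deliver it to the program unchanged.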