[X2Go-Dev] Bug#835: x2gobroker-ssh: cannot execute x2gobroker-agent if agent-query-mode is set to LOCAL

[Mike Gabriel]

Package: x2gobroker-ssh
Severity: important
Version: 0.0.3.0-preview



Reason:

/usr/bin/x2gobroker-ssh is installed with these permissions:







  real uid: <uidNumber-of-the-user>
  real gid: <gidNumber-if-the-user>
  effective uid: x2gobroker
  effective gid: <gidNumber-if-the-user>





-rwsr-x--- 1 root x2gobroker 6168 Apr  2 06:39 /usr/lib/x2go/x2gobroker-agent



Solution:
---------

(root@medoc) {~} # cat /etc/sudoers.d/x2gobroker-ssh

%x2gobroker-users       ALL=(:x2gobroker) /usr/lib/x2go/x2gobroker-agent



A patch is in prep and should be committed soon.

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

x2gobroker-ssh cannot execute x2gobroker-agent if agent-query-mode is set to LOCAL. -r-sr-x--- 1 x2gobroker <x2gobroker-users> 6168 Apr 1 06:24 /usr/bin/x2gobroker-ssh That means: only users that are members of the POSIX group <x2gobroker-users> (in Debian/Ubuntu, this is configurable via DebConf) can launch a fully featured X2Go Session Broker instance via SSH brokerage. A user that is member of group <x2gobroker-users> launches x2gobroker-ssh and the process permissions are these: So, the setuid flag on /usr/bin/x2gobroker-ssh changes the effective user ID, but not the effective group ID. If agent-query-mode is set to LOCAL, x2gobroker-ssh directly calls /usr/lib/x2go/x2gobroker-agent (via subprocess.Popen) and fails, because of insufficient priveleges: Only users that are members of POSIX group "x2gobroker" can launch the x2gobroker-agent script (and gain root priveleges). In a sane environment, no user is member of this group (except the user "x2gobroker"). # Allow members of group x2gobroker-users to execute any /usr/lib/x2go/x2gobroker-agent If the user launching x2gobroker-ssh is member of the group <x2gobroker-users>, then the LOCAL query to the x2gobroker-agent is run via sudo. If the evoking user is not a member of the <x2gobroker-users> group, then no sudo gets used (e.g. for executing the x2gobroker-agent via agent-query-mode SSH or via agent-query-mode through the http broker implementation.

pgpCicovBNrmM.pgp
Description: Digitale PGP-Signatur

_______________________________________________
x2go-dev mailing list
x2go-dev@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-dev