Package: x2goserver
Version: 4.1.0.3-0~1708~ubuntu16.04.1
Severity: wishlist

Hello all,

we are using x2go to run a single application on a remote server, and we want to lock down all other access as much as possible. Essentially, we'd like to ensure that even if the user connects via SSH, he can start only one (or a limited set) of applications.

I found this guide https://wiki.x2go.org/doku.php/wiki:security:rbash but it seems to be somewhat outdated. I followed the instructions, created the wrapper command, set up the symlinks, and configured ssh, but then I get this error:

    Connection failed.
    rbash: bash: command not found

Apparently the x2go client is trying to execute "bash /usr/bin/x2goruncommand" instead of just "x2goruncommand". If I add bash to the path with allowed commands, it starts working. But that makes the whole use of rbash pointless. It also allows me to run anything via x2go anyway: as x2goruncommand is a bash script, it escapes the restrictions of rbash.

Is it possible to update that wiki page with the current requirements, i.e. which commands are necessary in $PATH for the restricted shell? I found that at least nxagent should be there too. And is it possible to modify the login sequence so that bash is not needed in $PATH? BTW, is that defined on the server or the client? Where exactly?

I also found a nice feature, "published applications": https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
It would be nice if the x2go server had a config option allowing users to run only the "published applications", or to use some other list of allowed commands.

So far my attempts at limiting access to other applications were not very successful. There's a lot of stuff needed internally by x2go, so I cannot just remove the execute bit from many commands in (/usr)/bin/.

Thanks for any advice or hotfix.

Best Regards
Vladislav Kurz
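
The report describes two ways the rbash restriction is lost: bash itself ending up among the allowed commands, and an allowed command (x2goruncommand) being a bash script. The following is an added example, not part of the original message or of X2Go, that audits an allowed-commands directory for both cases. The function names, the sample layout and the `#!/bin/bash` line of the stand-in script are assumptions.

```shell
#!/bin/sh
# Added example: audit the directory of commands exposed to an rbash user.
# SHELL = entry resolves to a shell; SCRIPT = entry's "#!" line starts a shell.
is_shell_name() {
    case $1 in
        sh|bash|dash|zsh|ksh|mksh|csh|tcsh|fish) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the program named on a script's "#!" line ("env X" yields X;
# env options such as -S are not parsed).
shebang_interpreter() {
    head -n 1 "$1" | sed 's/^#![[:space:]]*//' | {
        read -r _prog _arg _rest || :
        case ${_prog##*/} in
            env) printf '%s\n' "$_arg" ;;
            *)   printf '%s\n' "$_prog" ;;
        esac
    }
}

audit_rbash_dir() {
    for _entry in "$1"/*; do
        [ -e "$_entry" ] || continue                  # skip dangling symlinks
        _target=$(readlink -f -- "$_entry") || continue
        if is_shell_name "${_target##*/}"; then
            printf 'SHELL %s -> %s\n' "${_entry##*/}" "$_target"
            continue
        fi
        [ -f "$_target" ] || continue
        head -n 1 "$_target" | LC_ALL=C grep -q '^#!' || continue
        _interp=$(shebang_interpreter "$_target")
        if is_shell_name "${_interp##*/}"; then
            printf 'SCRIPT %s runs under %s\n' "${_entry##*/}" "$_interp"
        fi
    done
}

# Constructed sample layout (stand-in files, not real x2go binaries).
make_sample() {
    _root=$(mktemp -d) || return 1
    mkdir "$_root/real" "$_root/allowed"
    : > "$_root/real/bash"                                  # stand-in shell
    printf '\177ELF' > "$_root/real/nxagent"                # stand-in binary
    printf '#!/bin/bash\n' > "$_root/real/x2goruncommand"   # assumed shebang
    for _n in bash nxagent x2goruncommand; do ln -s "$_root/real/$_n" "$_root/allowed/$_n"; done
    printf '%s\n' "$_root/allowed"
}
```

Calling `audit_rbash_dir "$(make_sample)"` reports the bash symlink and the x2goruncommand script and stays silent about the nxagent stand-in.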