Hi all, May I suggest the following: First of all: This is only about the SQLite wrapper! Let's get rid of sudo and use suid instead. Add a commented line to the wrapper that checks whether the current user is in the appropriate group.
Rationale: x2goserver-one, which is responsible for the automatic use of the SQLite wrapper, had exactly this behaviour: It gives all users access to x2go (Worse: A while ago it gave all users root-access). Therefore for the naive user there is no change in behaviour: It gives them more efficient access then using X-forwarding. Administrators who administer a large user base, who should have got nervous with the root-sudo anyway, sould be able to uncomment that one line within the wrapper and change it to a group or groups of there favour. After all x2go is yet another application. There is no way that you may compromise the system because of this - except using resources, but there are better ways to do so. It you want, you can even adjust the client work around the wrapper-script and start the agent manually (No, I won't discuss how). Therefore there is no real additional security won by disallowing users to run the wrapper. Cheers Morty P.s.: IMO the final decision must be made by Alex and Heinz anyway. On 2011-02-18 22:24, John A. Sullivan III wrote: > I'm thinking we should err on the side of security and make it secure by > default with the option to loosen. That said, is there a way to achieve > all goals? We do need to stop the sudo log spam. We do need to prevent > misfired installations that required great expertise to sort out. What > if, instead of using sudo, we did lock down the x2go scripts by default > with restricted ownership as suggested to those who responded to this > thread concerned about security. That leaves us with maintaining local > groups but that is not the end of the world. It eliminates the sudo > problem and makes us secure by default rather than exception. -- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : [email protected] WWW : http://www4.informatik.uni-erlangen.de/~morty
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ X2go-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/x2go-dev
