This shows you the differences between two versions of the page.
wiki:security:rbash [2014/10/31 22:11] woglinde [Bring the path back to some scripts] |
wiki:security:rbash [2014/11/03 13:07] (current) woglinde [rbash as default shell (optional)] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | The way x2go works, allows every user to get a ssh access to the x2go server. | + | The way x2go works, allows every user to get ssh access to the x2go server. |
This can be a big problem when, you can not use the broker, to prevent certain actions on | This can be a big problem when, you can not use the broker, to prevent certain actions on | ||
- | the server. The users can browse the x2go-server and have the access to nearly all directiores. | + | the x2go-server. |
+ | |||
+ | The users can browse the x2go-server and have the access to nearly all directiores. | ||
There are serval options to prevent the user doing it. One would be the use of selinux, but it is hard to understand | There are serval options to prevent the user doing it. One would be the use of selinux, but it is hard to understand | ||
and hard to setup correctly. Another option is the use of rbash, but with the current state of x2go-server there | and hard to setup correctly. Another option is the use of rbash, but with the current state of x2go-server there | ||
are serval steps so setup it up working correctly. | are serval steps so setup it up working correctly. | ||
+ | |||
+ | This guide is focused on a single application approach, no audio, remote/ | ||
====== rbash short feature overview ====== | ====== rbash short feature overview ====== | ||
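Review bot: the new scope sentence at the end of this hunk ("This guide is focused on a single application approach, no audio, remote/") should be paired with a statement of what the restriction is meant to stop, because the surrounding text only says "prevent the user doing it". Suggest naming the goal already given two lines earlier (users browsing the x2go-server and reaching nearly all directories) so readers can judge whether rbash meets it for their setup. The reworded lines also carry over "directiores", "serval" and the stray commas in "when, you can not use the broker, to prevent"; worth fixing while this paragraph is being touched.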
Line 15: | Line 19: | ||
* no redirections via > and >> are allowed | * no redirections via > and >> are allowed | ||
* no calls of binaries via complete path | * no calls of binaries via complete path | ||
- | * no changes | + | * no changes |
But be aware, if rbash detects that a executebale is a shell-script it will be run with full bash. | But be aware, if rbash detects that a executebale is a shell-script it will be run with full bash. | ||
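Review bot: the caveat directly below the edited bullet ("if rbash detects that a executebale is a shell-script it will be run with full bash") deserves more weight than a trailing sentence, since it means the restrictions in this list do not apply inside any script the user is allowed to start. Suggest making it its own highlighted paragraph that tells the reader to keep only reviewed scripts reachable from the restricted user's PATH, and correcting "a executebale" to "an executable".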
Line 91: | Line 95: | ||
</ | </ | ||
- | ====== Fix session clean up ====== | + | ===== Security concerns |
+ | There could be still problems to brake out of rbash, no one yet made a security audit of the linked x2go scripts, if they allow the execution of a real shell | ||
+ | via options. |
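Review bot: the new heading opens with five "=" where the heading it replaces, "====== Fix session clean up ======", uses six, so in DokuWiki it renders one level lower than the other sections touched in this diff; use six unless the nesting is intended, and check that the session clean-up section was moved rather than lost. In the added text, "brake out" should be "break out", and since it says no one has audited the linked x2go scripts for options that start a real shell, it would help to list those scripts here so a reader knows what to review before relying on rbash.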