This shows you the differences between two versions of the page.
wiki:security:rbash [2014/10/31 21:05] woglinde [secure ssh access] |
wiki:security:rbash [2014/11/01 09:24] woglinde [rbash short feature overview] |
Line 1: | Line 1: | ||
- | The way x2go works, allows every user to get a ssh access to the x2go server. | + | The way x2go works, allows every user to get ssh access to the x2go server. |
This can be a big problem when, you can not use the broker, to prevent certain actions on | This can be a big problem when, you can not use the broker, to prevent certain actions on | ||
- | the server. The users can browse the x2go-server and have the access to nearly all directiores. | + | the x2go-server. |
+ | |||
+ | The users can browse the x2go-server and have the access to nearly all directiores. | ||
There are serval options to prevent the user doing it. One would be the use of selinux, but it is hard to understand | There are serval options to prevent the user doing it. One would be the use of selinux, but it is hard to understand | ||
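Review bot: the typos carried over unchanged on both sides of this hunk could be fixed in the same edit, since the paragraph is being split anyway: "directiores" (directories) and "serval" (several), and the stray commas in "This can be a big problem when, you can not use the broker, to prevent certain actions on the x2go-server." read better as "This can be a big problem when you cannot use the broker to prevent certain actions on the x2go-server."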
Line 15: | Line 17: | ||
* no redirections via > and >> are allowed | * no redirections via > and >> are allowed | ||
* no calls of binaries via complete path | * no calls of binaries via complete path | ||
- | * no changes | + | * no changes |
But be aware, if rbash detects that a executebale is a shell-script it will be run with full bash. | But be aware, if rbash detects that a executebale is a shell-script it will be run with full bash. | ||
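Review bot: the bullet "* no changes" does not say what cannot be changed; given that the setup below relies on fixing PATH, it should spell out which setting is meant (presumably PATH, which rbash refuses to let the user reassign). The caveat line has the typo "a executebale" (an executable) and is the most important security statement in the section, so it deserves a sentence more: a shell script found on the restricted PATH runs under full bash, not rbash, which means every script linked into the restricted directory is effectively unrestricted and must be trusted as such.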
Line 50: | Line 52: | ||
</ | </ | ||
- | We set the **PATH** to a new directory, so the users can only access the commands | + | We set the **PATH** to a new directory, so the users can only access the commands |
+ | |||
+ | ====== Link the needed programs to setup a session ====== | ||
+ | The following programs are needed to link to the new created directory. | ||
+ | |||
+ | <code bash> | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | |||
+ | mkdir / | ||
+ | cd / | ||
+ | x2goruncommand, | ||
+ | </ | ||
+ | |||
+ | Because some programs are written in perl and need fragments from the x2go-lib dir and it is searched relative, the lib-directory needs to be linked too. | ||
+ | <code bash> | ||
+ | mkdir / | ||
+ | cd / | ||
+ | </ | ||
+ | |||
+ | ====== Bring the path back to some scripts ====== | ||
+ | Because we set the PATH to / | ||
+ | |||
+ | <code bash> | ||
+ | x2gopath | ||
+ | x2goruncommand | ||
+ | x2gostartagent | ||
+ | x2goterminate-session | ||
+ | </ | ||
+ | |||
+ | After the license header add the following to all files mentioned | ||
+ | <code bash> | ||
+ | export PATH=/ | ||
+ | </ | ||
+ | |||
+ | ====== rbash as default shell (optional)====== | ||
+ | |||
+ | If rbash is also set as the default shell via /etc/passwd or some other mechanism, the sessioncleanup skripts needs | ||
+ | to be fixed too. | ||
+ |
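Review bot: the code blocks in this hunk are cut off in the rendered diff ("mkdir /", "cd /", "export PATH=/" and the eight bare "/" lines show only the leading slash), and the program list ends with a dangling "x2goruncommand,", so the target directory, the lib-directory link and the exact PATH value are not recoverable from the page; they need to be shown in full for the procedure to be followable. Worth adding next to "We set the PATH to a new directory, so the users can only access the commands": that directory, and the linked lib directory, must be owned by root and not writable by the session users, otherwise the restriction is void. Two documentation points as well: the edits "after the license header" are made to x2go's own scripts and have to be redone whenever those scripts are updated, and the final section only says the "sessioncleanup skripts" (scripts) need to be fixed without saying what the fix is.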