[opensuse-edu] security issues regarding italc client startup
Hi,

I recently noticed that the italc client is being started as the user that logged in, and this allowed them to kill the italc client and escape my control. I traced the problem and found that you have switched to using /etc/sysconfig/ica instead of patching the /etc/X11/xdm/Xsetup script. I also noticed that it no longer runs at the logon screen. Both features (running at the logon screen, the users' inability to kill italc) are very important to me, especially the users' inability to kill the italc client. Is there any hope that this situation will change in the future, or are there workarounds to stop users from killing the italc client?

Ben

--
To unsubscribe, e-mail: opensuse-edu+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-edu+help@opensuse.org
Hi Ben

On Thu 17 Jul 2008 04:41:54 CEST Ben Cooksley <sourtooth@gmail.com> wrote:

> I recently noticed that the italc client is being started as the user that logged in, and this allowed them to kill the italc client and escape my control. I traced the problem and found that you have switched to using /etc/sysconfig/ica instead of patching the /etc/X11/xdm/Xsetup script. I also noticed that it no longer runs at the logon screen. Both features (running at the logon screen, the users' inability to kill italc) are very important to me, especially the users' inability to kill the italc client. Is there any hope that this situation will change in the future, or are there workarounds to stop users from killing the italc client?

Even with patching /etc/X11/xdm/Xsetup, users can kill the client - so the switch to a "non destructive" setup doesn't hurt in this case. So users are able to kill the client - but this is IMO something which can be handled "outside" the computer via face to face communication...

But: I think we can switch to using the xauth cookies and start the client as root - using the authority files for the user's desktop. The problem: that's something completely new for me and I have to invest some time to get this up and running even for multiple users on a terminal server. (Any help welcome ;-)

So the "security" problem is nothing new in the end - and a solution can be provided in the near future. Until then, a teacher already noticed that a user has killed the ica client - so think of it like an attempt to deceive...

With kind regards,
Lars
On Thu, Jul 17, 2008 at 1:41 PM, Lars Vogdt <lrupp@suse.de> wrote:
> hope that this situation will change in the future, or are there workarounds to stop users from killing the italc client?

There are patches in Ubuntu packages that hide the italc icon, but users would still be able to kill it if they know it is running. We can add it if desired.

> Even with patching /etc/X11/xdm/Xsetup, users can kill the client - so the switch to a "non destructive" setup doesn't hurt in this case. So users are able to kill the client - but this is IMO something which can be handled "outside" the computer via face to face communication...

> But: I think we can switch to using the xauth cookies and start the client as root - using the authority files for the user's desktop. The problem: that's something completely new for me and I have to invest some time to get this up and running even for multiple users on a terminal server. (Any help welcome ;-)

The clients are running on one machine with different ports per user; not sure how we can achieve running multiple clients as root without the italc client being installed in the LTSP client image chroot.

> So the "security" problem is nothing new in the end - and a solution can be provided in the near future. Until then, a teacher already noticed that a user has killed the ica client - so think of it like an attempt to deceive...

Is there anything like a "respawn" option that can be set in a shell script?

In other related news, we have updated italc in the edu repo with patches from stgraber which auto-detect/add all the clients in the network; do give it a try.

Ciao
-J
Hi Cyberorg

Thanks for the reminder! (Added as AI for the next meeting ;-)

On Fri 22 Aug 2008 13:35:14 CEST CyberOrg <cyberorg@opensuse.org> wrote:

> > hope that this situation will change in the future, or are there workarounds to stop users from killing the italc client?

> There are patches in Ubuntu packages that hide the italc icon, but users would still be able to kill it if they know it is running. We can add it if desired.

To summarize - we have two options for starting ICA:

1) Via "autostart" entry - running as normal user.
Pro:
- Everything in iTALC works as expected (even starting applications on the user's desktop).
Con:
- the students can kill the client if they want (not without notifying the teacher - but he has to investigate the problem in person)

2) Via entry in Xsetup - running as root
Pro:
- Users can't kill the client
Con:
- unable to launch apps on the students' desktop as root doesn't have the xauth cookie.
- running ica as root is a security risk (as always - that's why modern daemons drop root privileges as soon as possible)
- as Xsetup is not marked as %config it will be replaced with an unpatched version if the x11-xorg package is updated. As a result no client will start ica after a (security) update and the admin needs to patch each client again.

As you can see in the current package, I'm preferring the first option as this is the better option in my eyes. Trying to solve a personal problem (students killing the application) with technical solutions is something I like to avoid. Especially if this affects a "personal environment" like the students' desktop and opens possible security holes.

..and no: hiding the ica icon from the students' desktop is NO option for me. Might be the "problem" that I live in Germany, where personal rights are more important - but monitoring somebody who doesn't know or can easily forget that he's monitored assists in losing confidence.

But I'm fine with documenting the two possible solutions and letting the user decide which solution he wants to use in the end.

> > So the "security" problem is nothing new in the end - and a solution can be provided in the near future. Until then, a teacher already noticed that a user has killed the ica client - so think of it like an attempt to deceive...

> Is there anything like a "respawn" option that can be set in a shell script?

What about running a cron job that checks each display for a running ica client?

And repeating my request for help: we need someone who's smart with xauth cookie handling - this way we can avoid one of the problems with solution 2 (unable to start applications on the user's desktop).

> In other related news, we have updated italc in the edu repo with patches from stgraber which auto-detect/add all the clients in the network; do give it a try.

Thanks - will have a look at it.

With kind regards,
Lars
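A sketch of the two technical pieces the thread circles around: the periodic check Lars proposes (look at every X session and report the displays where no ica client is running), and the environment a root-owned launcher would have to set to reach a user's display through that user's xauth cookie (the "solution 2" problem). This is an added example, not code from the thread or from the iTALC/openSUSE packages. The session and process records are constructed sample data; the `~/.Xauthority` locations and the `/usr/bin/ica` path are assumptions, and nothing is launched.

```shell
#!/bin/sh
# Added example for the opensuse-edu italc thread (not the project's code).
# Reports X displays that have a logged-in session but no ica client, and
# shows the environment a root launcher would use to reach that display with
# the user's xauth cookie. Sample data below is constructed; the ~/.Xauthority
# paths and /usr/bin/ica are assumptions.

# One line per X session: "<display> <user> <xauthority file>". On a real
# terminal server this would be built from who(1) and the display manager's
# session records (constructed sample data).
SESSIONS='
:0 alice /home/alice/.Xauthority
:1 bob /home/bob/.Xauthority
:2 carol /home/carol/.Xauthority
'

# One line per ica process: "<pid> <display> <command>", the shape a
# `ps -eo pid,args` pass could be reduced to (constructed sample data).
RUNNING='
2311 :0 /usr/bin/ica
2412 :2 /usr/bin/ica
'

# has_client DISPLAY RUNNING: exit 0 when an ica process is bound to DISPLAY.
has_client() {
  printf '%s\n' "$2" | awk -v d="$1" '
    $2 == d && $3 ~ /ica$/ { found = 1 }
    END { exit !found }'
}

# displays_missing_client SESSIONS RUNNING: print each display that has a
# session but no ica client, one per line.
displays_missing_client() {
  printf '%s\n' "$1" | while read -r disp user authfile; do
    [ -n "$disp" ] || continue
    if ! has_client "$disp" "$2"; then
      printf '%s\n' "$disp"
    fi
  done
}

# client_env DISPLAY AUTHFILE: the two variables a root launcher would export
# so the X server accepts the connection with the user's cookie. The process
# would still run as root; the cookie grants X access, it does not change the
# uid (the trade-off Lars describes under option 2).
client_env() {
  printf 'DISPLAY=%s XAUTHORITY=%s\n' "$1" "$2"
}

# Stand-alone run: list displays that need a client and the environment that
# would be used for each. Nothing is started here.
main() {
  printf '%s\n' "$SESSIONS" | while read -r disp user authfile; do
    [ -n "$disp" ] || continue
    if ! has_client "$disp" "$RUNNING"; then
      echo "display $disp (user $user): no ica client running"
      echo "  would start with: $(client_env "$disp" "$authfile")"
    fi
  done
}

main
```

Run as a cron job, the script only answers the question "which displays are unattended right now"; whatever a site decides to exec on that result is kept out so the check stays read-only. Where the display manager stores cookies somewhere other than `~/.Xauthority`, the third column of the session list has to point at that file.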
participants (3)
- Ben Cooksley
- CyberOrg
- Lars Vogdt