4

Currently I have multi-user Linux servers that developers access through remote desktop, using the session as their work environment.

But I'm a bit concerned about the increasing popularity of applications using a localhost port to communicate between parts (for example, a back-end in Python and a front-end opened in a browser, e.g. https://gdbgui.com/ ).

On a Unix multi-user desktop environment, localhost is accessible by any user.

And worse, even if that kind of application wanted to implement a secure connection between the web front-end and the back-end, there is no really perfect solution:

  • use HTTP over a Unix domain socket (AF_UNIX): not currently supported by popular web browsers
  • use a "user" private network interface "localuser": nonexistent, localhost is the only standard
  • use a token in the URL launched by the browser: http://localhost/?token=xyz : the token can leak to other users through the command-line argument if procfs is not mounted with the hidepid=1 option
  • have a password set during program installation, ask the user to enter the password and set a session cookie: not the most user-friendly for a desktop application...

So I can't even report bugs to the devs of these applications and hope for fixes!

My conclusion is that it seems that Unix multi-user desktop environments are nowadays considered harmful for this use case (and I'm pretty sure they are for other use cases where multi-user environments are considered harmful), and that I should consider switching to VDI (1 virtual machine per user) as soon as possible. But it would be a lot of work to migrate from a multi-user environment to 1 virtual machine desktop per user.

But I want to be sure before changing my infrastructure: am I right in my reasoning, or too alarmist?

N.B.: I know it is an unclear question; it is the result of a long search on securing localhost connections on my multi-user Unix environments without any successful solution, so I'm hoping for interesting opinions about this problem...

Gilles 'SO- stop being evil'
sligor
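The two conditions the question turns on, as an added audit sketch that is not part of the original post: whether procfs hides other users' command lines (the URL-token leak) and which loopback ports are listening under which UID. The sample inputs are constructed, and the parser assumes IPv4 and a little-endian host.

```python
# Added example: audit sketch for a shared Linux host (not from the original post).
# hidepid values under which /proc/<pid>/cmdline of other users is not readable.
HIDEPID_PROTECTS = {"1", "2", "4", "noaccess", "invisible", "ptraceable"}

# Constructed samples in the formats of /proc/mounts and /proc/net/tcp.
SAMPLE_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 34567
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   2: 0100007F:1388 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 34570
"""

def proc_hidepid(mounts_text):
    """Return the hidepid value of the /proc mount, '0' if the option is absent."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
            return opts.get("hidepid", "0")
    return None  # no procfs mount found

def cmdline_visible_to_others(mounts_text):
    """True when other users can read /proc/<pid>/cmdline (URL tokens included)."""
    value = proc_hidepid(mounts_text)
    return value is not None and value not in HIDEPID_PROTECTS

def loopback_listeners(tcp_text):
    """Return sorted (port, owner_uid) pairs for sockets listening on 127.0.0.0/8."""
    found = set()
    for line in tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != "0A":  # 0A = LISTEN state
            continue
        addr_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host, so the last hex byte is the first octet.
        if addr_hex[-2:] == "7F":
            found.add((int(port_hex, 16), int(f[7])))
    return sorted(found)

if __name__ == "__main__":
    with open("/proc/mounts") as m, open("/proc/net/tcp") as t:
        mounts, tcp = m.read(), t.read()
    print("cmdline readable by other users:", cmdline_visible_to_others(mounts))
    for port, uid in loopback_listeners(tcp):
        print(f"loopback port {port} is owned by uid {uid}")
```

Every port it lists accepts connections from any local account regardless of the owning UID, which is the exposure the question describes.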

1 Answer

1

I don't have a good answer, but I note that the question does not mention container technology as a potential isolation mechanism to explore.

I would encourage that exploration. The container ecosystem has enormous momentum, thousands of engineers across hundreds of companies, containerizing all the things. There is no reason in principle that it would not be a perfect solution for this problem.

A production-quality solution might not be available at the present moment, but I have already seen on several occasions the Kubernetes ecosystem deliver a solution from a standing start before an org that needed the solution was able to get out of a planning process to ramp up on its own.

Quick googling on this finds a POC:

https://www.researchgate.net/publication/314070005_GUIdock-VNC_Using_a_graphical_desktop_sharing_system_to_provide_a_browser-based_interface_for_containerized_software

I don't believe the k8s machinery at present supports VNC, but I remember seeing ports of the VNC protocol to WebSockets, which is directly servable from a k8s cluster.

Hopefully someone with direct knowledge of the state of play here will chime in.

Jonah Benton