control: tag -1 moreinfo
control: tag -1 not-a-bug
control: tag -1 wontfix

On Wed 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:

> I just noticed that x2goserver allows connecting to ALL running X
> sessions on the target machine, using "connect to local desktop".  
> These might be logged in local users, or NX sessions which were not  
> terminated correctly. This is especially bad in the latter case,
> as the screen is not locked here, normally.
>
> This is a HUGE security leak, as now all users are able to access  
> data of the other users, and hinder them from working by  
> manipulating current sessions.
>
> Normal remote desktop software should BLOCK such access by default,  
> and only allow it when the user explicitly requested it or  
> configured it so.

I just tested this to be really sure that this is a not-a-bug report...

What you describe only works for the same login!!!! So if my user  
(sunweaver) logs in locally to an X-Session and "sunweaver" then
connects via X2Go to connect to a local X session then I can access my  
__own__ local X sessions.

However, I cannot access other users' sessions unless they grant  
access via the X2Go Desktop Sharing utility.

Please re-test and re-confirm or post a message that states that the  
mistake was on your part.

Thanks+Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb