Hi Stefan, hi Alexander,

On Fri 06 Dec 2013 20:56:00 CET, Alexander Wuerstlein wrote:

> On 13-12-06 19:18, Stefan Baur wrote:
>> On 06.12.2013 18:44, Nick Ingegneri wrote:
>> >Once it became apparent in our testing that exporting displays didn't
>> >work as expected, the system administrator who installed it went through
>> >the configuration files and documentation looking for a solution. He
>> >couldn't find one, so he escalated it to me to look into. If we hadn't
>> >been able to find a fix it would have ruled out X2Go from further
>> >consideration, which would have been unfortunate as it is currently our
>> >leading choice for this particular need.
>>
>> [...]
>> Sorry, but I've seen way too many people go "chmod 777 -R /*" as
>> soon as something doesn't work as expected, and I'm fearing the same
>> for an easily reachable option to allow TCP connections - because
>> "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the
>> filesystem.
>>
>> Of course, everybody is free to shoot him-/herself in the foot,
>> that's why it's Linux - but merely leaving a "this is dangerous"
>> note next to the parameter is like sticking a tag "please don't use
>> this unless you know what you're doing" on a loaded 12-gauge in a
>> room full of toddlers.
>
> There is one more aspect to this: If there is such a configuration
> option, then sooner or later the likes of Linux Mint will enable it by
> default for all their users, leaving them wide open to the whole world,
> despite all the warnings. They did that with 'xhost +'[0].
>
> So I agree that even just having such an option hidden away somewhere
> would be very very bad. It needs to be hard and a lot of work to break
> security or somebody will do it by default and deploy it on a wide
> scale.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
>
> [0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520

From a security point of view: is there really a severe difference in having to edit x2gostartagent vs. x2goserver.conf as root to enable TCP listening for x2goagent? If people want to deploy X2Go and need TCP enabled they will do that anyway. You do not even have to rebuild some binary to make that happen, you just have to create a custom copy of x2gostartagent in /usr/local/bin.

@Nick: The above may very well be your workaround...

>> In my opinion, Mike is a bit too customer-friendly here by turning
>> your request into a wishlist item that lets every newbie shoot
>> him-/herself in the foot, security-wise, by toggling a setting in
>> the configuration.

My current focus is to spread X2Go, get more people interested in X2Go and get more people interested in developing / financing X2Go. If I hear of a use case that involves hundreds of users, then I am open to supporting that use case one way or another.

I don't think making TCP-listening configurable is a security problem. Once you enable that option, you should be aware of what you are doing. For sure.

The Linux Mint argument does not really count to me, either. As a package maintainer of a Linux distribution, I can do anything patchy to the upstream code I like. People with the Linux Mint attitude may very easily patch x2gostartagent and ship a TCP-listening X2Go Server by default in their package archive. Wouldn't it make more sense, then, to have that option configurable from the start and to provide the switch-off in an obvious place (i.e. a conffile)?

My point is: if you want to enable TCP listening of x2goagent, you have to switch one line in x2gostartagent. What I propose is a config parameter for x2goserver.conf that keeps people from nastily hacking x2gostartagent.

I know several intranet setups where display managers and X-servers run in TCP listen mode, and for the local network that is ok and wanted. Of course for X2Go this should not be the default (that's why we closed down TCP listening earlier when it was still enabled by accident).

And Nick, I also think that you should seriously consider looking at the security aspects of your current IT setup. It seems quite hackable and you should really be sure that all of your staff members are really good friends (which normally is not the case for everyone at $WORK).

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
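The thread's concern is that a TCP-listening X server combined with "xhost +" leaves a host open to any client on the network, whether that state was reached by editing x2gostartagent, by a config parameter, or by a distribution's default. The script below is an added audit example written for this page, not code from the X2Go project or from anyone in the thread: it flags an X server listening on a TCP display port (6000-6063) on a non-loopback address, and an xhost access-control state of "disabled". The `ss` and `xhost` output embedded here is constructed sample text; on a live host you would feed it the real output of `ss -ltn` and `xhost`.

```shell
#!/bin/sh
# Audit for X11 exposure over TCP. Added example for this thread, not X2Go code.

# Constructed sample in the layout of `ss -ltn` (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*'

# Constructed sample of what `xhost` prints after `xhost +` has been run.
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_CLOSED='access control enabled, only authorized clients can connect'

# x11_tcp_exposed SS_OUTPUT
# Returns 0 if any LISTEN socket sits on an X display port (6000-6063)
# bound to something other than the loopback address, 1 otherwise.
x11_tcp_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            # strip ":port" to get the bound address (works for IPv4 and [v6])
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 >= 6000 && port + 0 <= 6063 &&
                addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# xhost_open XHOST_OUTPUT
# Returns 0 if xhost reports that access control is disabled ("xhost +" state).
xhost_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# audit_x11 SS_OUTPUT XHOST_OUTPUT
# Prints findings and returns 1 if anything is exposed, 0 if clean.
audit_x11() {
    rc=0
    if x11_tcp_exposed "$1"; then
        echo "FINDING: X server listening on TCP on a non-loopback address"
        rc=1
    fi
    if xhost_open "$2"; then
        echo "FINDING: xhost access control disabled (the 'xhost +' state)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no X11 TCP exposure detected"
    return "$rc"
}

# Run against the constructed samples when executed directly.
audit_x11 "$SAMPLE_SS" "$SAMPLE_XHOST_OPEN"
```

On a real machine call it as `audit_x11 "$(ss -ltn)" "$(xhost 2>/dev/null)"` (xhost needs a DISPLAY to answer); a non-zero exit code is what you would wire into a cron job or a configuration-management check so that a distribution default or a hand-edited x2gostartagent gets noticed rather than silently shipped.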