X2Go Bug report logs - #1295
x2goclient/broker mode : don't close on suspended session with --close-disconnect

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Walid MOGHRABI <w.moghrabi@servicemagic.eu>

Date: Wed, 9 May 2018 14:05:02 UTC

Severity: normal

Found in version 4.1.2.0-0~1750~ubuntu16.04.1



Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1295; Package x2goclient. (Wed, 09 May 2018 14:05:02 GMT)

Acknowledgement sent to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.

Your message specified a Severity: in the pseudo-header, but the severity value bug was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, important, normal, minor, wishlist.

(Wed, 09 May 2018 14:05:02 GMT)


Message #5 received at submit@bugs.x2go.org:

From: Walid MOGHRABI <w.moghrabi@servicemagic.eu>
To: submit@bugs.x2go.org
Subject: x2goclient/broker mode : don't close on suspended session with --close-disconnect
Date: Wed, 9 May 2018 16:00:43 +0200 (CEST)
package: x2goclient
version: 4.1.2.0-0~1750~ubuntu16.04.1
priority: bug

In broker/tce mode, when I connect a new session on TCE-CLIENT-1, if I live migrate the running session on TCE-CLIENT-2, the session is detached from client 1 to client 2 correctly (suspended on client 1 and correctly resumed on client 2) but x2goclient doesn't close itself on client 1 once the session is detached.
The client stays open on the session profiles list with the currently logged in user instead of closing itself and getting back to the broker login prompt.

This is a major security issue since anyone can then just click on a session profile to connect with the current user credentials. 

Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1295; Package x2goclient. (Tue, 15 May 2018 12:05:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 15 May 2018 12:05:02 GMT)

Message #10 received at 1295@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Walid MOGHRABI <w.moghrabi@servicemagic.eu>, 1295@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1295: x2goclient/broker mode : don't close on suspended session with --close-disconnect
Date: Tue, 15 May 2018 12:01:03 +0000
Hi Walid,

On Wed, 09 May 2018 16:00:43 CEST, Walid MOGHRABI wrote:

> package: x2goclient
> version: 4.1.2.0-0~1750~ubuntu16.04.1
> priority: bug
>
> In broker/tce mode, when I connect a new session on TCE-CLIENT-1, if
> I live migrate the running session on TCE-CLIENT-2, the session is
> detached from client 1 to client 2 correctly (suspended on client 1
> and correctly resumed on client 2) but x2goclient doesn't close
> itself on client 1 once the session is detached.

This per se is a bug, as --close-disconnect fails.

> The client stays open on the session profiles list with the
> currently logged in user instead of closing itself and getting back
> to the broker login prompt.

I think --close-disconnect is not what you want. You want --broker-autologoff.

> This is a major security issue since anyone can then just click on a  
> session profile to connect with the current user credentials.

Understood. However, please check if you can achieve the correct  
behaviour with --broker-autologoff. It saves you the X2Go Client  
restarts on session logout.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de



X2Go Developers <owner@bugs.x2go.org>. Last modified: Mon Dec 17 03:31:56 2018; Machine Name: ymir.das-netzwerkteam.de
