X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 05:48:02 GMT)

Acknowledgement sent to David Fuhrmann <fuhrmann_mail@web.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 05:48:02 GMT)

Message #5 received at submit@bugs.x2go.org:

From: David Fuhrmann <fuhrmann_mail@web.de>
To: submit@bugs.x2go.org
Subject: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 07:36:18 +0200
Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.

This is a HUGE security leak, as now all users are able to access other users' data and hinder them from working by manipulating current sessions.

Normal remote desktop software should BLOCK such access by default, and only allow it when the user has explicitly requested or configured it.


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 09:47:24 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 09:47:24 GMT)

Message #10 received at 287@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: David Fuhrmann <fuhrmann_mail@web.de>, 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 07 Aug 2013 11:43:38 +0200
control: tag -1 moreinfo
control: tag -1 not-a-bug
control: tag -1 wontfix

On Wed 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:

> I just noticed that x2goserver allows to connect to ALL running X  
> sessions on the target machine, using "connect to local desktop".  
> These might be logged in local users, or NX sessions which were not  
> terminated correctly. This is especially worse in the latter case,  
> as the screen is not locked here, normally.
>
> This is a HUGE security leak, as now all users are able to access  
> data of the other users, and hinder them from working by  
> manipulating current sessions.
>
> Normal remote desktop software should BLOCK such access by default,  
> and only allow it when the user explicitly requested it or  
> configured it so.

I just tested this to be really sure that this is a not-a-bug report...

What you describe only works for the same login!!!! So if my user  
(sunweaver) logs in locally to an X session and "sunweaver" then  
connects via X2Go to a local X session, then I can access my  
__own__ local X sessions.

However, I cannot access other users' sessions unless they grant  
access via the X2Go Desktop Sharing utility.

Please re-test and re-confirm, or post a message that states that the  
mistake was on your part.

Thanks+Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Added tag(s) moreinfo. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 287-submit@bugs.x2go.org. (Wed, 07 Aug 2013 09:47:24 GMT)

Added tag(s) not-a-bug. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 287-submit@bugs.x2go.org. (Wed, 07 Aug 2013 09:47:24 GMT)

Added tag(s) wontfix. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 287-submit@bugs.x2go.org. (Wed, 07 Aug 2013 09:47:24 GMT)

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 12:03:01 GMT)

Acknowledgement sent to David Fuhrmann <fuhrmann_mail@web.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 12:03:01 GMT)

Message #21 received at 287@bugs.x2go.org:

From: David Fuhrmann <fuhrmann_mail@web.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 13:54:14 +0200
thanks

... for the answer. We just retested it today in our environment, and the
issue is still as described. Specifically, we did:

1) user_A starts an xfce x2go session on hostA, without starting
x2godesktopsharing.
2) user_B logs in at hostA, using "connect to local desktop". It sees an X
session under its own user name, and a port. user_B can click on "full
access" and gets access to the session.

Second test:
- user_A starts x2godesktopsharing, but leaves the default setting (do not
allow access, with cross).
- user_B sees the same behaviour as described above.

Third test:
- user_A starts x2godesktopsharing and enables access (green icon in
menu bar).
- user_B now sees two sessions in the session list: one with his own user
name, one with user_A's user name. Both have the same port. If user_B
selects the one which has user_A as its name, he can only connect to view,
and eventually this connection gets refused. (In the meantime, user_A
sees a question dialog asking about user_B's access to the session.)
But still, user_B sees a session with his own name, and can connect to it
and gets full access to the xfce session started by user_A.

So in summary: x2godesktopsharing has no effect at all when it should
block all accesses, and only works partly when it should allow individual
access.

In our environment, every machine has the same logins provided by an LDAP
server. I will retest at home to see how it behaves with normal local users.

With best regards,
David




2013/8/7 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

> control: tag -1 moreinfo
> control: tag -1 not-a-bug
> control: tag -1 wontfix
>
> On Wed 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:
>
>> I just noticed that x2goserver allows to connect to ALL running X
>> sessions on the target machine, using "connect to local desktop". These
>> might be logged in local users, or NX sessions which were not terminated
>> correctly. This is especially worse in the latter case, as the screen is
>> not locked here, normally.
>>
>> This is a HUGE security leak, as now all users are able to access data of
>> the other users, and hinder them from working by manipulating current
>> sessions.
>>
>> Normal remote desktop software should BLOCK such access by default, and
>> only allow it when the user explicitly requested it or configured it so.
>>
>
> I just tested this to be really sure that this is a not-a-bug report...
>
> What you describe only works for the same login!!!! So if my user
> (sunweaver) logs in locally to an X-Session and ,,sunweaver'' then connects
> via X2Go to connect to a local X session then I can access my __own__ local
> X sessions.
>
> However, I cannot access other users' sessions unless they grant access
> via the X2Go Desktop Sharing utility.
>
> Please re-test and re-confirm or post a message that states that the
> mistake was on your part.
>
> Thanks+Greets,
> Mike
>
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
>
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
>

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 14:18:01 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 14:18:01 GMT)

Message #26 received at 287@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: David Fuhrmann <fuhrmann_mail@web.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 07 Aug 2013 16:02:58 +0200
control: tag -1 - wontfix
control: tag -1 - not-a-bug

Hi David,

On Wed 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:

> thanks
>
> ... for the answer. We just retested it today in our environment, and the
> issue is still as described. Especially we did:
>
> 1) user_A starts a xfce x2go session on hostA, without starting
> x2godesktopsharing.
> 2) user_B logs in at hostA, using "connect to local desktop. It sees a X
> session under its own user name, and a port. user_B can click on "full
> access" and gets access to the session.
>
> Second test:
> - user_A starts x2godesktopsharing, but leave the default setting (do not
> allow access, with cross).
> - user_B sees same behaviour as described above
>
> Third test:
> - user_A starts x2godesktopsharing, but and enables access (green icon in
> menu bar)
> - user_B now sees two sessions in the session list: one with his own user
> name, one with user_As user name. Both have the same port. If user_B
> selects the one which has user_A as its name, he can only connect to view,
> and eventually, this connection gets refused. (In the mean time, user_A
> sees a question dialog asking user_B for access in the session.)
> But still, user_B sees a session with his own name, and can connect to it
> and gets full access to the xfce session started by user_A.
>
> So in summary: The x2godesktopsharing has no effect at all when it should
> block all accesses, and only works partly when it should allow individual
> access.
>
> In our environment, every machine has the same logins provided by an LDAP
> server. I will retest at home to see how it behaves with normal local users.

Ok, thanks for re-testing. I am undoing the tags made earlier on this  
issue. This is indeed a big issue that needs immediate fixing!!!

Next question: what distro are you on? I tested on Debian and it  
worked flawlessly. Do you have any chance to test on Debian or Ubuntu  
(if you are on some RPM-based distro)?

Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Removed tag(s) wontfix. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 287-submit@bugs.x2go.org. (Wed, 07 Aug 2013 14:18:01 GMT)

Removed tag(s) not-a-bug. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 287-submit@bugs.x2go.org. (Wed, 07 Aug 2013 14:18:01 GMT)

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 16:03:02 GMT)

Acknowledgement sent to David Fuhrmann <fuhrmann_mail@web.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 16:03:02 GMT)

Message #35 received at 287@bugs.x2go.org:

From: David Fuhrmann <fuhrmann_mail@web.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 17:56:45 +0200
Hi,

We are using a Debian-based Linux Mint, and installed the server from the Debian 7 repository IIRC.

I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.

Best,
David

On 07.08.2013 at 16:02, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:

> control: tag -1 - wontfix
> control: tag -1 - not-a-bug
> 
> Hi David,
> 
> On Wed 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
> 
>> thanks
>> 
>> ... for the answer. We just retested it today in our environment, and the
>> issue is still as described. Especially we did:
>> 
>> 1) user_A starts a xfce x2go session on hostA, without starting
>> x2godesktopsharing.
>> 2) user_B logs in at hostA, using "connect to local desktop. It sees a X
>> session under its own user name, and a port. user_B can click on "full
>> access" and gets access to the session.
>> 
>> Second test:
>> - user_A starts x2godesktopsharing, but leave the default setting (do not
>> allow access, with cross).
>> - user_B sees same behaviour as described above
>> 
>> Third test:
>> - user_A starts x2godesktopsharing, but and enables access (green icon in
>> menu bar)
>> - user_B now sees two sessions in the session list: one with his own user
>> name, one with user_As user name. Both have the same port. If user_B
>> selects the one which has user_A as its name, he can only connect to view,
>> and eventually, this connection gets refused. (In the mean time, user_A
>> sees a question dialog asking user_B for access in the session.)
>> But still, user_B sees a session with his own name, and can connect to it
>> and gets full access to the xfce session started by user_A.
>> 
>> So in summary: The x2godesktopsharing has no effect at all when it should
>> block all accesses, and only works partly when it should allow individual
>> access.
>> 
>> In our environment, every machine has the same logins provided by an LDAP
>> server. I will retest at home to see how it behaves with normal local users.
> 
> Ok, thanks for re-testing. I undo the taggings earlier made on this issue. This is indeed a big issue that needs immediate fixing!!!
> 
> Next question: what distro are you on. I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM based distro)?
> 
> Greets,
> Mike
> 
> 
> -- 
> 
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
> 
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
> 
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 18:18:02 GMT)

Acknowledgement sent to David Fuhrmann <fuhrmann_mail@web.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 18:18:02 GMT)

Message #40 received at 287@bugs.x2go.org:

From: David Fuhrmann <fuhrmann_mail@web.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 20:10:44 +0200
Hi,

To rule out some specific configuration issue in our current system, I installed a fresh Linux Mint inside a virtual machine and was able to confirm the issues.

You should be able to reproduce it easily by doing the same. Choose Linux Mint Debian Edition, 64-bit, MATE package and install x2goserver following your instructions for Debian 7.

With best regards,
David


On 07.08.2013 at 17:56, David Fuhrmann <fuhrmann_mail@web.de> wrote:

> Hi,
> 
> We are using a debian-based linux mint, and installed the server from the debian 7 repository IIRC.
> 
> I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.
> 
> Best,
> David
> 
> On 07.08.2013 at 16:02, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> 
>> control: tag -1 - wontfix
>> control: tag -1 - not-a-bug
>> 
>> Hi David,
>> 
>> On Wed 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
>> 
>>> thanks
>>> 
>>> ... for the answer. We just retested it today in our environment, and the
>>> issue is still as described. Especially we did:
>>> 
>>> 1) user_A starts a xfce x2go session on hostA, without starting
>>> x2godesktopsharing.
>>> 2) user_B logs in at hostA, using "connect to local desktop. It sees a X
>>> session under its own user name, and a port. user_B can click on "full
>>> access" and gets access to the session.
>>> 
>>> Second test:
>>> - user_A starts x2godesktopsharing, but leave the default setting (do not
>>> allow access, with cross).
>>> - user_B sees same behaviour as described above
>>> 
>>> Third test:
>>> - user_A starts x2godesktopsharing, but and enables access (green icon in
>>> menu bar)
>>> - user_B now sees two sessions in the session list: one with his own user
>>> name, one with user_As user name. Both have the same port. If user_B
>>> selects the one which has user_A as its name, he can only connect to view,
>>> and eventually, this connection gets refused. (In the mean time, user_A
>>> sees a question dialog asking user_B for access in the session.)
>>> But still, user_B sees a session with his own name, and can connect to it
>>> and gets full access to the xfce session started by user_A.
>>> 
>>> So in summary: The x2godesktopsharing has no effect at all when it should
>>> block all accesses, and only works partly when it should allow individual
>>> access.
>>> 
>>> In our environment, every machine has the same logins provided by an LDAP
>>> server. I will retest at home to see how it behaves with normal local users.
>> 
>> Ok, thanks for re-testing. I undo the taggings earlier made on this issue. This is indeed a big issue that needs immediate fixing!!!
>> 
>> Next question: what distro are you on. I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM based distro)?
>> 
>> Greets,
>> Mike
>> 
>> 
>> -- 
>> 
>> DAS-NETZWERKTEAM
>> mike gabriel, herweg 7, 24357 fleckeby
>> fon: +49 (1520) 1976 148
>> 
>> GnuPG Key ID 0x25771B31
>> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>> 
>> freeBusy:
>> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
> 


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 19:33:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 19:33:02 GMT)

Message #45 received at 287@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: David Fuhrmann <fuhrmann_mail@web.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 07 Aug 2013 21:22:25 +0200
Hi David,

On Wed 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote:

> To rule out some specific configuration issue in our current system,  
> I installed a fresh linux mint inside a virtual machine and was able  
> to confirm the issues.
>
> You should be able to reproduce it easily by doing the same. Choose  
> Linux Mint debian edition, 64 Bit, Mate package and install  
> x2goserver following your instructions for debian 7.

What is the primary GID of users on Linux Mint? Do they follow the pattern

  foo:foo
  bar:bar
  sunweaver:sunweaver

or is there a group that all users get crushed into with their primary  
GIDs, like

  foo:users
  bar:users
  sunweaver:users

???

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Wed, 07 Aug 2013 20:03:01 GMT)

Acknowledgement sent to David Fuhrmann <fuhrmann_mail@web.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 07 Aug 2013 20:03:01 GMT)

Message #50 received at 287@bugs.x2go.org:

From: David Fuhrmann <fuhrmann_mail@web.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 21:56:19 +0200
On 07.08.2013 at 21:22, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:

> Hi David,
> 
> On Wed 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote:
> 
>> To rule out some specific configuration issue in our current system, I installed a fresh linux mint inside a virtual machine and was able to confirm the issues.
>> 
>> You should be able to reproduce it easily by doing the same. Choose Linux Mint debian edition, 64 Bit, Mate package and install x2goserver following your instructions for debian 7.
> 
> What is the primary GID of users on Linux Mint. Do they follow the pattern
> 
>  foo:foo
>  bar:bar
>  sunweaver:sunweaver
> 
> or is there a group that all users get crushed in with there primary GIDs, like
> 
>  foo:users
>  bar:users
>  sunweaver:users

In a fresh Linux Mint system, the first one. In our production environment, the latter one.

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 07:18:02 GMT)

Acknowledgement sent to David Fuhrmann <fuhrmann_mail@web.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 07:18:02 GMT)

Message #55 received at 287@bugs.x2go.org:

From: David Fuhrmann <fuhrmann_mail@web.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 09:03:21 +0200
Any news regarding this bug?

On 07.08.2013 at 21:56, David Fuhrmann <fuhrmann_mail@web.de> wrote:

> 
> On 07.08.2013 at 21:22, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> 
>> Hi David,
>> 
>> On Wed 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote:
>> 
>>> To rule out some specific configuration issue in our current system, I installed a fresh linux mint inside a virtual machine and was able to confirm the issues.
>>> 
>>> You should be able to reproduce it easily by doing the same. Choose Linux Mint debian edition, 64 Bit, Mate package and install x2goserver following your instructions for debian 7.
>> 
>> What is the primary GID of users on Linux Mint. Do they follow the pattern
>> 
>> foo:foo
>> bar:bar
>> sunweaver:sunweaver
>> 
>> or is there a group that all users get crushed in with there primary GIDs, like
>> 
>> foo:users
>> bar:users
>> sunweaver:users
> 
> In a fresh linux mint system, the first one. In our production environment, the latter one.


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 08:18:02 GMT)

Acknowledgement sent to "Fred Her." <x2go@edhil.net>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 08:18:02 GMT)

Message #60 received at 287@bugs.x2go.org:

From: "Fred Her." <x2go@edhil.net>
To: 287@bugs.x2go.org
Subject: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 10:10:56 +0200
Actually, this seems not to be an x2go issue but a Linux Mint issue: by
default, there is an "xhost +" command launched at session startup for all
users.

If you type "xhost -", then you should see the normal behavior again:
userB will get a "no desktop found" message if he tries to connect to the x2go
host.

So, the workaround is to remove the "xhost +" command in the Control Panel >
Startup Applications for each user,

or completely remove /etc/xdg/autostart/mint-xhost-plus.desktop
(but this could come back if the package ubuntu-system-adjustments is
updated)

or change this file to:

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
X-MATE-Autostart-enabled=false
Hidden=true

Note to the x2go package maintainers:
Maybe this should be an option to check/disable when the x2goserver package
is installed?

Or maybe a warning should be issued if "xhost" is set to + when a user
connects?

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 15:33:01 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 15:33:01 GMT)

Message #65 received at 287@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: David Fuhrmann <fuhrmann_mail@web.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 17:28:16 +0200
Hi David,

On Sat 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote:

> Any news regarding this bug?

I have set up a test VM for this issue today and I can absolutely  
confirm what you report.

I will investigate this further today/tomorrow, and I am quite sure  
I will be able to exploit this without X2Go as well.

My guess is a misconfiguration in Linux Mint around the local X server.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 15:48:01 GMT)

Acknowledgement sent to Stefan Baur <newsgroups.mail2@stefanbaur.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 15:48:01 GMT)

Message #70 received at 287@bugs.x2go.org:

From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
To: 287@bugs.x2go.org, x2go@edhil.net
Subject: Fwd: Re: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 17:34:53 +0200
Looks like this info wasn't sent to the bugtracker, forwarding manually.


-------- Original Message --------
Subject: 	Re: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect 
to ALL X server sessions by default
Date: 	Fri, 16 Aug 2013 13:41:34 +0000 (UTC)
From: 	Fred Her. <x2go@edhil.net>
Reply-To: 	x2go-dev@lists.berlios.de
To: 	x2go-dev@lists.berlios.de



David Fuhrmann <fuhrmann_mail <at> web.de> writes:

>
> Hi,
>
> To rule out some specific configuration issue in our current system, I
> installed a fresh linux mint inside a
> virtual machine and was able to confirm the issues.
>
> You should be able to reproduce it easily by doing the same. Choose Linux
> Mint debian edition, 64 Bit, Mate
> package and install x2goserver following your instructions for debian 7.

I performed the test on the same configuration, and can confirm this issue:

On a fresh Linux Mint install, Ubuntu edition, 64-bit, MATE package.

x2go packages installed:

ii  x2goserver                          4.0.1.6-0~712~raring1  amd64
ii  x2goserver-extensions               4.0.1.6-0~712~raring1  all
ii  x2goserver-xsession                 4.0.1.6-0~712~raring1  all

userA creates a session with a custom desktop (x-session-manager) and
connects. Then closes the session window (but does not disconnect).

UserB creates a session with "connect to Local Desktop" and logs in using his
own login and SSH password.

UserB can connect to UserA's desktop with full access.

As a workaround, is there any x2goserver.conf parameter that could be used
to disable the Local Desktop access?

_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev




Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 15:48:01 GMT)

Acknowledgement sent to Stefan Baur <newsgroups.mail2@stefanbaur.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 15:48:02 GMT)

Message #75 received at 287@bugs.x2go.org:

From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
To: 287@bugs.x2go.org, x2go@edhil.net
Subject: Fwd: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 17:35:24 +0200
Looks like this info wasn't forwarded to the bugtracker, forwarding manually.


-------- Original Message --------
Subject: 	[X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X 
server sessions by default
Date: 	Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
From: 	Fred Her. <x2go@edhil.net>
Reply-To: 	x2go-dev@lists.berlios.de
To: 	x2go-dev@lists.berlios.de



Actually, this is not an X2Go issue, this is a Linux Mint issue: by
default, there is an "xhost +" command launched at session startup for all
users.

If you type "xhost -", then you should see the normal behavior again:
userB will get a "no desktop found" message if he tries to connect to the X2Go
host.

So, the workaround is to remove the "xhost +" command in Control Panel >
Startup Applications for each user,

or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
(but this could come back if the package ubuntu-system-adjustments is
updated)

or change this file to:

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
Terminal=false
X-MATE-Autostart-enabled=false
Hidden=true

note to x2go package maintainers:
Maybe this should be an option to check/disable when the x2goserver package
is installed?

Or maybe a warning should be issued if "xhost" is set to + when a user
connects?





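The "xhost +" autostart entry described in the message above is what makes every user's X session reachable by every other local user. As an added example that is not part of X2Go, Linux Mint or the bug report, the POSIX shell script below does the defender-side checks that Fred's workaround implies: it parses the output of `xhost` to tell whether access control is currently disabled, scans an XDG autostart directory for active entries that run `xhost +` (treating `Hidden=true` and the `X-*-Autostart-enabled=false` key from the patched file above as "disabled"), and writes a per-user override in `$XDG_CONFIG_HOME/autostart` so the system-wide entry is shadowed without editing the package-owned file. The function names, the `demo`/`live` arguments and the sample .desktop files are this example's own; the file name `mint-xhost-plus.desktop` comes from the message above.

```shell
#!/bin/sh
# Added example (not X2Go or Linux Mint code): audit a session for the
# "xhost +" misconfiguration described in this bug and disable the
# autostart entry per user without editing the package-owned file.

# Return 0 if the given `xhost` output reports access control disabled.
# Without arguments xhost prints "access control disabled, clients can
# connect from any host" after "xhost +", and "access control enabled,
# only authorized clients can connect" in the normal state.
xhost_is_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Return 0 if a .desktop file is an active autostart entry running "xhost +".
# Entries carrying Hidden=true or X-<DE>-Autostart-enabled=false are not
# started by the session manager (the change suggested in the message above).
desktop_runs_xhost_plus() {
    f="$1"
    grep -Eq '^Exec=[[:space:]]*xhost[[:space:]]+[+]' "$f" || return 1
    grep -Eiq '^Hidden=true' "$f" && return 1
    grep -Eiq '^X-[A-Za-z]+-Autostart-enabled=false' "$f" && return 1
    return 0
}

# Print every active "xhost +" entry found in one autostart directory.
# Always returns 0 so callers running under "set -e" can capture the list.
find_xhost_plus_entries() {
    dir="$1"
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        desktop_runs_xhost_plus "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Shadow a system-wide entry for one user: per the XDG autostart spec, a
# same-named file in $XDG_CONFIG_HOME/autostart overrides the one in
# /etc/xdg/autostart, and Hidden=true tells the session manager to skip it.
write_user_override() {
    name="$1"
    confdir="$2"
    mkdir -p "$confdir/autostart"
    printf '[Desktop Entry]\nType=Application\nName=%s\nHidden=true\n' "$name" \
        > "$confdir/autostart/$name.desktop"
}

# Live audit of the current machine; the xhost check needs a DISPLAY.
audit_live() {
    if [ -n "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
        if xhost_is_open "$(xhost 2>/dev/null)"; then
            echo "WARNING: X access control is disabled on $DISPLAY"
        fi
    fi
    find_xhost_plus_entries /etc/xdg/autostart
    find_xhost_plus_entries "${XDG_CONFIG_HOME:-$HOME/.config}/autostart"
}

# Offline demo on constructed files (no X server needed).
demo() {
    tmp=$(mktemp -d)
    # Constructed copy of the Mint entry quoted in the message above.
    printf '[Desktop Entry]\nName=Xhost +\nExec=xhost +\nType=Application\n' \
        > "$tmp/mint-xhost-plus.desktop"
    # Constructed benign entry and a constructed already-disabled one.
    printf '[Desktop Entry]\nName=Tracker\nExec=tracker-miner-fs\nType=Application\n' \
        > "$tmp/tracker.desktop"
    printf '[Desktop Entry]\nExec=xhost +\nType=Application\nHidden=true\n' \
        > "$tmp/disabled-xhost.desktop"
    echo "Active xhost + entries:"
    find_xhost_plus_entries "$tmp"
    write_user_override mint-xhost-plus "$tmp/userconf"
    echo "Override written:"
    cat "$tmp/userconf/autostart/mint-xhost-plus.desktop"
    rm -rf "$tmp"
}

case "${1:-demo}" in
    demo) demo ;;
    live) audit_live ;;
esac
```

Run the script with no argument to exercise the constructed sample, or with `live` to run the same checks against the real session and the system and user autostart directories. The override mechanism relies on the XDG autostart specification's precedence rule, so it survives a reinstall of the package that ships the system-wide entry, which is the drawback Fred notes for simply deleting the file.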
Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 16:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Baur <newsgroups.mail2@stefanbaur.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 16:03:02 GMT) Full text and rfc822 format available.

Message #80 received at 287@bugs.x2go.org (full text, mbox):

From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 287@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: David Fuhrmann <fuhrmann_mail@web.de>
Subject: Re: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 17:37:29 +0200
Please look at message

From: Fred Her.  <x2go@edhil.net>
Date: Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
Message-ID: <loom.20130816T163241-4@post.gmane.org>


which I just forwarded to the bugtracker (seems it went to the list, but 
not the bugtracker).

Looks like the root cause for the problem has been found and it is 
indeed a Linux Mint configuration stupidity.

-Stefan

On 17.08.2013 17:28, Mike Gabriel wrote:
> Hi David,
>
> On Sa 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote:
>
>> Any news regarding this bug?
>
> I have set up a test VM for this issue today and I can absolutely 
> confirm what you report.
>
> I will investigate on that further today/tomorrow, and I am quite sure 
> of being able to exploit this without X2Go as well.
>
> My guess is a mis-configuration in Linux Mint around the local X-Server.
>
> Mike


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#287; Package x2goserver. (Sat, 17 Aug 2013 18:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 17 Aug 2013 18:48:02 GMT) Full text and rfc822 format available.

Message #85 received at 287@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 287@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 20:42:55 +0200
title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks

Hi all,

On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:

> Actually, this is not an X2Go issue, this is a Linux Mint issue: by
> default, there is an "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost -", then you should see the normal behavior again:
> userB will get a "no desktop found" message if he tries to connect to the X2Go
> host.
>
> So, the workaround is to remove the "xhost +" command in Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true

We (David and I) just figured out the same... (what a race 
condition...). Thanks! What a security leakage if people start using 
Linux Mint in multi-user operation mode (like with X2Go or locally or 
with LTSP).

With xhost + for every user you can launch applications on other  
people's desktops and also read out their clipboards' contents.

/me rarely has to puke at other people's work, but this time... Well, yes.

> note to x2go package maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?

No! We won't work around such grave issues in distributions or in  
other packages. This needs to be immediately fixed in Linux Mint  
upstream.

> Or maybe a warning should be issued if "xhost" is set to + when a user
> connects?

Nope! In default setups no other distro evokes xhost + on session  
startup. This is just insane!!! So we ignore this issue in X2Go  
upstream completely.

Stay away from Linux Mint with X2Go (or actually at all) till this has  
been fixed in Mint.

light+love,
Mike

PS: quote me freely if needed...


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Added tag(s) confirmed. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sat, 17 Aug 2013 18:48:02 GMT) Full text and rfc822 format available.

Added tag(s) wontfix. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sat, 17 Aug 2013 18:48:02 GMT) Full text and rfc822 format available.

Marked Bug as done Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sat, 17 Aug 2013 18:48:02 GMT) Full text and rfc822 format available.

Notification sent to David Fuhrmann <fuhrmann_mail@web.de>:
Bug acknowledged by developer. (Sat, 17 Aug 2013 18:48:02 GMT) Full text and rfc822 format available.

Changed Bug title to 'Linux Mint desktops configured too insecurely for multi-user mode' from 'x2goserver allows to connect to ALL X server sessions by default' Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sat, 17 Aug 2013 19:33:01 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Sun, 15 Sep 2013 05:24:01 GMT) Full text and rfc822 format available.



X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Apr 23 10:03:42 2019; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.