X2Go Bug report logs -
#287
Linux Mint desktops configured too insecurely for multi-user mode
Reported by: David Fuhrmann <fuhrmann_mail@web.de>
Date: Wed, 7 Aug 2013 05:48:02 UTC
Severity: critical
Tags: confirmed, moreinfo, wontfix
Found in version 4.0.1.6
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 05:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 05:48:02 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):
Package: x2goserver
Version: 4.0.1.6
Severity: critical
Hi,
I just noticed that x2goserver allows to connect to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged in local users, or NX sessions which were not terminated correctly. This is especially worse in the latter case, as the screen is not locked here, normally.
This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.
Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 09:47:24 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 09:47:24 GMT) (full text, mbox, link).
Message #10 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
control: tag -1 moreinfo
control: tag -1 not-a-bug
control: tag -1 wontfix
On Mi 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:
> I just noticed that x2goserver allows to connect to ALL running X
> sessions on the target machine, using "connect to local desktop".
> These might be logged in local users, or NX sessions which were not
> terminated correctly. This is especially worse in the latter case,
> as the screen is not locked here, normally.
>
> This is a HUGE security leak, as now all users are able to access
> data of the other users, and hinder them from working by
> manipulating current sessions.
>
> Normal remote desktop software should BLOCK such access by default,
> and only allow it when the user explicitly requested it or
> configured it so.
I just tested this to be really sure that this is a not-a-bug report...
What you describe only works for the same login!!!! So if my user
(sunweaver) logs in locally to an X-Session and ,,sunweaver'' then
connects via X2Go to connect to a local X session then I can access my
__own__ local X sessions.
However, I cannot access other users' sessions unless they grant
access via the X2Go Desktop Sharing utility.
Please re-test and re-confirm or post a message that states that the
mistake was on your part.
Thanks+Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) moreinfo.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 287-submit@bugs.x2go.org
.
(Wed, 07 Aug 2013 09:47:24 GMT) (full text, mbox, link).
Added tag(s) not-a-bug.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 287-submit@bugs.x2go.org
.
(Wed, 07 Aug 2013 09:47:24 GMT) (full text, mbox, link).
Added tag(s) wontfix.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 287-submit@bugs.x2go.org
.
(Wed, 07 Aug 2013 09:47:24 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 12:03:01 GMT) (full text, mbox, link).
Acknowledgement sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 12:03:01 GMT) (full text, mbox, link).
Message #21 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
thanks
... for the answer. We just retested it today in our environment, and the
issue is still as described. Especially we did:
1) user_A starts a xfce x2go session on hostA, without starting
x2godesktopsharing.
2) user_B logs in at hostA, using "connect to local desktop. It sees a X
session under its own user name, and a port. user_B can click on "full
access" and gets access to the session.
Second test:
- user_A starts x2godesktopsharing, but leave the default setting (do not
allow access, with cross).
- user_B sees same behaviour as described above
Third test:
- user_A starts x2godesktopsharing, but and enables access (green icon in
menu bar)
- user_B now sees two sessions in the session list: one with his own user
name, one with user_As user name. Both have the same port. If user_B
selects the one which has user_A as its name, he can only connect to view,
and eventually, this connection gets refused. (In the mean time, user_A
sees a question dialog asking user_B for access in the session.)
But still, user_B sees a session with his own name, and can connect to it
and gets full access to the xfce session started by user_A.
So in summary: The x2godesktopsharing has no effect at all when it should
block all accesses, and only works partly when it should allow individual
access.
In our environment, every machine has the same logins provided by an LDAP
server. I will retest at home to see how it behaves with normal local users.
With best regards,
David
2013/8/7 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
> control: tag -1 moreinfo
> control: tag -1 not-a-bug
> control: tag -1 wontfix
>
> On Mi 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:
>
> I just noticed that x2goserver allows to connect to ALL running X
>> sessions on the target machine, using "connect to local desktop". These
>> might be logged in local users, or NX sessions which were not terminated
>> correctly. This is especially worse in the latter case, as the screen is
>> not locked here, normally.
>>
>> This is a HUGE security leak, as now all users are able to access data of
>> the other users, and hinder them from working by manipulating current
>> sessions.
>>
>> Normal remote desktop software should BLOCK such access by default, and
>> only allow it when the user explicitly requested it or configured it so.
>>
>
> I just tested this to be really sure that this is a not-a-bug report...
>
> What you describe only works for the same login!!!! So if my user
> (sunweaver) logs in locally to an X-Session and ,,sunweaver'' then connects
> via X2Go to connect to a local X session then I can access my __own__ local
> X sessions.
>
> However, I cannot access other users' sessions unless they grant access
> via the X2Go Desktop Sharing utility.
>
> Please re-test and re-confirm or post a message that states that the
> mistake was on your part.
>
> Thanks+Greets,
> Mike
>
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
>
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel@das-netzwerkteam.**de<mike.gabriel@das-netzwerkteam.de>,
> http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.**de/freebusy/m.gabriel%40das-**
> netzwerkteam.de.xfb<https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb>
>
[Message part 2 (text/html, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 14:18:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 14:18:01 GMT) (full text, mbox, link).
Message #26 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
control: tag -1 - wontfix
control: tag -1 - not-a-bug
Hi David,
On Mi 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
> thanks
>
> ... for the answer. We just retested it today in our environment, and the
> issue is still as described. Especially we did:
>
> 1) user_A starts a xfce x2go session on hostA, without starting
> x2godesktopsharing.
> 2) user_B logs in at hostA, using "connect to local desktop. It sees a X
> session under its own user name, and a port. user_B can click on "full
> access" and gets access to the session.
>
> Second test:
> - user_A starts x2godesktopsharing, but leave the default setting (do not
> allow access, with cross).
> - user_B sees same behaviour as described above
>
> Third test:
> - user_A starts x2godesktopsharing, but and enables access (green icon in
> menu bar)
> - user_B now sees two sessions in the session list: one with his own user
> name, one with user_As user name. Both have the same port. If user_B
> selects the one which has user_A as its name, he can only connect to view,
> and eventually, this connection gets refused. (In the mean time, user_A
> sees a question dialog asking user_B for access in the session.)
> But still, user_B sees a session with his own name, and can connect to it
> and gets full access to the xfce session started by user_A.
>
> So in summary: The x2godesktopsharing has no effect at all when it should
> block all accesses, and only works partly when it should allow individual
> access.
>
> In our environment, every machine has the same logins provided by an LDAP
> server. I will retest at home to see how it behaves with normal local users.
Ok, thanks for re-testing. I undo the taggings earlier made on this
issue. This is indeed a big issue that needs immediate fixing!!!
Next question: what distro are you on. I tested on Debian and it
worked flawlessly. Do you have any chance to test on Debian or Ubuntu
(if you are on some RPM based distro)?
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Removed tag(s) wontfix.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 287-submit@bugs.x2go.org
.
(Wed, 07 Aug 2013 14:18:01 GMT) (full text, mbox, link).
Removed tag(s) not-a-bug.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 287-submit@bugs.x2go.org
.
(Wed, 07 Aug 2013 14:18:01 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 16:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 16:03:02 GMT) (full text, mbox, link).
Message #35 received at 287@bugs.x2go.org (full text, mbox, reply):
Hi,
We are using a debian-based linux mint, and installed the server from the debian 7 repository IIRC.
I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.
Best,
David
Am 07.08.2013 um 16:02 schrieb Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
> control: tag -1 - wontfix
> control: tag -1 - not-a-bug
>
> Hi David,
>
> On Mi 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
>
>> thanks
>>
>> ... for the answer. We just retested it today in our environment, and the
>> issue is still as described. Especially we did:
>>
>> 1) user_A starts a xfce x2go session on hostA, without starting
>> x2godesktopsharing.
>> 2) user_B logs in at hostA, using "connect to local desktop. It sees a X
>> session under its own user name, and a port. user_B can click on "full
>> access" and gets access to the session.
>>
>> Second test:
>> - user_A starts x2godesktopsharing, but leave the default setting (do not
>> allow access, with cross).
>> - user_B sees same behaviour as described above
>>
>> Third test:
>> - user_A starts x2godesktopsharing, but and enables access (green icon in
>> menu bar)
>> - user_B now sees two sessions in the session list: one with his own user
>> name, one with user_As user name. Both have the same port. If user_B
>> selects the one which has user_A as its name, he can only connect to view,
>> and eventually, this connection gets refused. (In the mean time, user_A
>> sees a question dialog asking user_B for access in the session.)
>> But still, user_B sees a session with his own name, and can connect to it
>> and gets full access to the xfce session started by user_A.
>>
>> So in summary: The x2godesktopsharing has no effect at all when it should
>> block all accesses, and only works partly when it should allow individual
>> access.
>>
>> In our environment, every machine has the same logins provided by an LDAP
>> server. I will retest at home to see how it behaves with normal local users.
>
> Ok, thanks for re-testing. I undo the taggings earlier made on this issue. This is indeed a big issue that needs immediate fixing!!!
>
> Next question: what distro are you on. I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM based distro)?
>
> Greets,
> Mike
>
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
>
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 18:18:02 GMT) (full text, mbox, link).
Acknowledgement sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 18:18:02 GMT) (full text, mbox, link).
Message #40 received at 287@bugs.x2go.org (full text, mbox, reply):
Hi,
To rule out some specific configuration issue in our current system, I installed a fresh linux mint inside a virtual machine and was able to confirm the issues.
You should be able to reproduce it easily by doing the same. Choose Linux Mint debian edition, 64 Bit, Mate package and install x2goserver following your instructions for debian 7.
With best regards,
David
Am 07.08.2013 um 17:56 schrieb David Fuhrmann <fuhrmann_mail@web.de>:
> Hi,
>
> We are using a debian-based linux mint, and installed the server from the debian 7 repository IIRC.
>
> I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.
>
> Best,
> David
>
> Am 07.08.2013 um 16:02 schrieb Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
>
>> control: tag -1 - wontfix
>> control: tag -1 - not-a-bug
>>
>> Hi David,
>>
>> On Mi 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
>>
>>> thanks
>>>
>>> ... for the answer. We just retested it today in our environment, and the
>>> issue is still as described. Especially we did:
>>>
>>> 1) user_A starts a xfce x2go session on hostA, without starting
>>> x2godesktopsharing.
>>> 2) user_B logs in at hostA, using "connect to local desktop. It sees a X
>>> session under its own user name, and a port. user_B can click on "full
>>> access" and gets access to the session.
>>>
>>> Second test:
>>> - user_A starts x2godesktopsharing, but leave the default setting (do not
>>> allow access, with cross).
>>> - user_B sees same behaviour as described above
>>>
>>> Third test:
>>> - user_A starts x2godesktopsharing, but and enables access (green icon in
>>> menu bar)
>>> - user_B now sees two sessions in the session list: one with his own user
>>> name, one with user_As user name. Both have the same port. If user_B
>>> selects the one which has user_A as its name, he can only connect to view,
>>> and eventually, this connection gets refused. (In the mean time, user_A
>>> sees a question dialog asking user_B for access in the session.)
>>> But still, user_B sees a session with his own name, and can connect to it
>>> and gets full access to the xfce session started by user_A.
>>>
>>> So in summary: The x2godesktopsharing has no effect at all when it should
>>> block all accesses, and only works partly when it should allow individual
>>> access.
>>>
>>> In our environment, every machine has the same logins provided by an LDAP
>>> server. I will retest at home to see how it behaves with normal local users.
>>
>> Ok, thanks for re-testing. I undo the taggings earlier made on this issue. This is indeed a big issue that needs immediate fixing!!!
>>
>> Next question: what distro are you on. I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM based distro)?
>>
>> Greets,
>> Mike
>>
>>
>> --
>>
>> DAS-NETZWERKTEAM
>> mike gabriel, herweg 7, 24357 fleckeby
>> fon: +49 (1520) 1976 148
>>
>> GnuPG Key ID 0x25771B31
>> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>>
>> freeBusy:
>> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
>
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 19:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 19:33:02 GMT) (full text, mbox, link).
Message #45 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi David,
On Mi 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote:
> To rule out some specific configuration issue in our current system,
> I installed a fresh linux mint inside a virtual machine and was able
> to confirm the issues.
>
> You should be able to reproduce it easily by doing the same. Choose
> Linux Mint debian edition, 64 Bit, Mate package and install
> x2goserver following your instructions for debian 7.
What is the primary GID of users on Linux Mint. Do they follow the pattern
foo:foo
bar:bar
sunweaver:sunweaver
or is there a group that all users get crushed in with there primary
GIDs, like
foo:users
bar:users
sunweaver:users
???
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Wed, 07 Aug 2013 20:03:01 GMT) (full text, mbox, link).
Acknowledgement sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 07 Aug 2013 20:03:01 GMT) (full text, mbox, link).
Message #50 received at 287@bugs.x2go.org (full text, mbox, reply):
Am 07.08.2013 um 21:22 schrieb Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
> Hi David,
>
> On Mi 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote:
>
>> To rule out some specific configuration issue in our current system, I installed a fresh linux mint inside a virtual machine and was able to confirm the issues.
>>
>> You should be able to reproduce it easily by doing the same. Choose Linux Mint debian edition, 64 Bit, Mate package and install x2goserver following your instructions for debian 7.
>
> What is the primary GID of users on Linux Mint. Do they follow the pattern
>
> foo:foo
> bar:bar
> sunweaver:sunweaver
>
> or is there a group that all users get crushed in with there primary GIDs, like
>
> foo:users
> bar:users
> sunweaver:users
In a fresh linux mint system, the first one. In our production environment, the latter one.
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 07:18:02 GMT) (full text, mbox, link).
Acknowledgement sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 07:18:02 GMT) (full text, mbox, link).
Message #55 received at 287@bugs.x2go.org (full text, mbox, reply):
Any news regarding this bug?
Am 07.08.2013 um 21:56 schrieb David Fuhrmann <fuhrmann_mail@web.de>:
>
> Am 07.08.2013 um 21:22 schrieb Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
>
>> Hi David,
>>
>> On Mi 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote:
>>
>>> To rule out some specific configuration issue in our current system, I installed a fresh linux mint inside a virtual machine and was able to confirm the issues.
>>>
>>> You should be able to reproduce it easily by doing the same. Choose Linux Mint debian edition, 64 Bit, Mate package and install x2goserver following your instructions for debian 7.
>>
>> What is the primary GID of users on Linux Mint. Do they follow the pattern
>>
>> foo:foo
>> bar:bar
>> sunweaver:sunweaver
>>
>> or is there a group that all users get crushed in with there primary GIDs, like
>>
>> foo:users
>> bar:users
>> sunweaver:users
>
> In a fresh linux mint system, the first one. In our production environment, the latter one.
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 08:18:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Fred Her." <x2go@edhil.net>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 08:18:02 GMT) (full text, mbox, link).
Message #60 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Actually, this seems not an x2go issue, but a linux mint issue : by
default, there is a "xhost +" command launched at session startup for all
users.
If you type "xhost - ", then you should see the normal behavior again :
userB will get a "no desktop found" message if he try to connect to the x2go
host.
So, the workaround is to remove the "xhost +" command in the Control Panel >
Startup Applications for each user,
or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
(but this could come back if the package ubuntu-system-adjustments is
updated)
or change this file to:
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
Terminal=false
X-MATE-Autostart-enabled=false
Hidden=true
note to x2go packages maintainer:
Maybe this should be an option to check/disable when the x2goserver package
is installed?
Or maybe a warning should be issued if "xhost" is set to + when a user
connect?
[Message part 2 (text/html, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 15:33:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 15:33:01 GMT) (full text, mbox, link).
Message #65 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi David,
On Sa 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote:
> Any news regarding this bug?
I have set up a test VM for this issue today and I can absolute
confirm what you report.
I will investigate on that further today/tomorrow, and I am quite sure
of being able to exploit this without X2Go as well.
My guess is a mis-configuration in Linux mint around the local X-Server.
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 15:48:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Baur <newsgroups.mail2@stefanbaur.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 15:48:01 GMT) (full text, mbox, link).
Message #70 received at 287@bugs.x2go.org (full text, mbox, reply):
Looks like this info wasn't sent to the bugtracker, forwarding manually.
-------- Original-Nachricht --------
Betreff: Re: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect
to ALL X server sessions by default
Datum: Fri, 16 Aug 2013 13:41:34 +0000 (UTC)
Von: Fred Her. <x2go@edhil.net>
Antwort an: x2go-dev@lists.berlios.de
An: x2go-dev@lists.berlios.de
David Fuhrmann <fuhrmann_mail <at> web.de> writes:
>
> Hi,
>
> To rule out some specific configuration issue in our current system, I
installed a fresh linux mint inside a
> virtual machine and was able to confirm the issues.
>
> You should be able to reproduce it easily by doing the same. Choose Linux
Mint debian edition, 64 Bit, Mate
> package and install x2goserver following your instructions for debian 7.
I performed the test on the same configuration, and can confirm this issue:
On a fresh linux mint issue, Ubuntu edition, 64bits, MATE package.
x2go package installed :
ii x2goserver 4.0.1.6-0~712~raring1 amd64
ii x2goserver-extensions 4.0.1.6-0~712~raring1 all
ii x2goserver-xsession 4.0.1.6-0~712~raring1 all
userA creates a session with a custom desktop (x-session-manager) and
connect. Then close the session window (but do not disconnect)
UserB creates a session with "connect to Local Desktop" and log in using his
own login and ssh password
UserB can connect to UserA desktop with full access.
As a workaround, ss there any x2goserver.conf parameters that could be used
to disable the Local Desktop access?
_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 15:48:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Baur <newsgroups.mail2@stefanbaur.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 15:48:02 GMT) (full text, mbox, link).
Message #75 received at 287@bugs.x2go.org (full text, mbox, reply):
Looks like this info wasn't forwared to the bugtracker, forwarding manually.
-------- Original-Nachricht --------
Betreff: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X
server sessions by default
Datum: Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
Von: Fred Her. <x2go@edhil.net>
Antwort an: x2go-dev@lists.berlios.de
An: x2go-dev@lists.berlios.de
Actually, this is not an x2go issue, this is a linux mint issue : by
default, there is a "xhost +" command launched at session startup for all
users.
If you type "xhost - ", then you should see the normal behavior again :
userB will get a "no desktop found" message if he try to connect to the x2go
host.
So, the workaround is to remove the "xhost +" command in the Control Panel >
Startup Applications for each user,
or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
(but this could come back if the package ubuntu-system-adjustments is
updated)
or change this file to:
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
Terminal=false
X-MATE-Autostart-enabled=false
Hidden=true
note to x2go packages maintainers:
Maybe this should be an option to check/disable when the x2goserver package
is installed?
Or maybe a warning should be issued if "xhost" is set to + when a user
connect?
_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 16:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Baur <newsgroups.mail2@stefanbaur.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 16:03:02 GMT) (full text, mbox, link).
Message #80 received at 287@bugs.x2go.org (full text, mbox, reply):
Please look at message
From: Fred Her. <x2go@edhil.net>
Date: Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
Message-ID: <loom.20130816T163241-4@post.gmane.org>
which I just forwarded to the bugtracker (seems it went to the list, but
not the bugtracker).
Looks like the root cause for the problem has been found and it is
indeed a Linux Mint configuration stupidity.
-Stefan
Am 17.08.2013 17:28, schrieb Mike Gabriel:
> Hi David,
>
> On Sa 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote:
>
>> Any news regarding this bug?
>
> I have set up a test VM for this issue today and I can absolute
> confirm what you report.
>
> I will investigate on that further today/tomorrow, and I am quite sure
> of being able to exploit this without X2Go as well.
>
> My guess is a mis-configuration in Linux mint around the local X-Server.
>
> Mike
>
>
>
>
> _______________________________________________
> X2Go-Dev mailing list
> X2Go-Dev@lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-dev
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#287
; Package x2goserver
.
(Sat, 17 Aug 2013 18:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Sat, 17 Aug 2013 18:48:02 GMT) (full text, mbox, link).
Message #85 received at 287@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks
Hi all,
On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:
> Actually, this is not an x2go issue, this is a linux mint issue : by
> default, there is a "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost - ", then you should see the normal behavior again :
> userB will get a "no desktop found" message if he try to connect to the x2go
> host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true
We (David and I) just figured out the same... (what a race
condition...). Thanks! What a security leakage if people start using
Linux Mint in multi-user operation mode (like with X2Go or locally or
with LTSP).
With xhost + for every user you can launch applications on other
people's desktops and also read out their clipboards' contents.
/me rarely has to puke at other people's work, but this time... Well, yes.
> note to x2go packages maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?
No! We won't work around such grave issues in distributions or in
other packages. This needs to be immediately fixed in Linux Mint
upstream.
> Or maybe a warning should be issued if "xhost" is set to + when a user
> connect?
Nope! In default setups no other distro evokes xhost + on session
startup. This is just insane!!! So we ignore this issue in X2Go
upstream completely.
Stay away from Linux Mint with X2Go (or actually at all) till this has
been fixed in Mint.
light+love,
Mike
PS: quote me freely if needed...
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) confirmed.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to control@bugs.x2go.org
.
(Sat, 17 Aug 2013 18:48:02 GMT) (full text, mbox, link).
Added tag(s) wontfix.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to control@bugs.x2go.org
.
(Sat, 17 Aug 2013 18:48:02 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to control@bugs.x2go.org
.
(Sat, 17 Aug 2013 18:48:02 GMT) (full text, mbox, link).
Notification sent
to David Fuhrmann <fuhrmann_mail@web.de>
:
Bug acknowledged by developer.
(Sat, 17 Aug 2013 18:48:02 GMT) (full text, mbox, link).
Changed Bug title to 'Linux Mint desktops configured too insecurely for multi-user mode' from 'x2goserver allows to connect to ALL X server sessions by default'
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to control@bugs.x2go.org
.
(Sat, 17 Aug 2013 19:33:01 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.x2go.org>
to internal_control@bugs.x2go.org
.
(Sun, 15 Sep 2013 05:24:01 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Tue Nov 12 18:35:21 2024;
Machine Name:
ymir.das-netzwerkteam.de
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.