From unknown Sat May 16 23:32:05 2026
MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#287 closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 (Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server
 sessions by default)
Message-ID: <handler.287.c.13767649844857.notifdone@bugs.x2go.org>
References: <20130817204255.119582nheui8tcfj@mail.das-netzwerkteam.de>
X-X2go-PR-Keywords: confirmed moreinfo wontfix
X-X2go-PR-Message: they-closed 287
X-X2go-PR-Package: x2goserver
X-X2go-PR-Source: x2goserver
Date: Sat, 17 Aug 2013 18:48:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1376765282-5884-0"

This is a multi-part message in MIME format...

------------=_1376765282-5884-0
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

This is an automatic notification regarding your Bug report
which was filed against the x2goserver package:

#287: x2goserver allows to connect to ALL X server sessions by default

It has been closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel <mike.gabriel@das-netzwerkteam.de> by
replying to this email.


-- 
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems

------------=_1376765282-5884-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at control) by bugs.x2go.org; 17 Aug 2013 18:43:04 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED
	autolearn=unavailable version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir (Postfix) with ESMTPS id EB7475DA6C;
	Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id A13FC9CF;
	Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 94F383BB75;
	Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id hnPrIRDN108S; Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 742803BBB0;
	Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 5582A3BB75;
	Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
Received: by grimnir.das-netzwerkteam.de (Postfix, from userid 33)
	id 0C59C3BBB0; Sat, 17 Aug 2013 20:42:55 +0200 (CEST)
Received: from 83-68-217-98.cable.dc13.debconf.org
 (83-68-217-98.cable.dc13.debconf.org [83.68.217.98]) by
 mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sat, 17 Aug 2013
 20:42:55 +0200
Message-ID: <20130817204255.119582nheui8tcfj@mail.das-netzwerkteam.de>
X-Priority: 3 (Normal)
Date: Sat, 17 Aug 2013 20:42:55 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 287@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X
 server sessions by default
References: <loom.20130816T163241-4@post.gmane.org>
 <520F983C.6040904@stefanbaur.de>
In-Reply-To: <520F983C.6040904@stefanbaur.de>
MIME-Version: 1.0
Content-Type: multipart/signed;
 boundary="=_7jk3unb0c2lq";
 protocol="application/pgp-signature";
 micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.4)

This message is in MIME format and has been PGP signed.

--=_7jk3unb0c2lq
Content-Type: text/plain;
 charset=UTF-8;
 DelSp="Yes";
 format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks

Hi all,

On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:

> Actually, this is not an x2go issue, this is a linux mint issue: by
> default, there is a "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost -", then you should see the normal behavior again:
> userB will get a "no desktop found" message if he tries to connect to the x2go
> host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true

We (David and I) just figured out the same... (what a race  
condition...). Thanks! What a security leakage if people start using  
Linux Mint in multi-user operation mode (like with X2Go or locally or  
with LTSP).

With xhost + for every user you can launch applications on other  
people's desktops and also read out their clipboards' contents.

/me rarely has to puke at other people's work, but this time... Well, yes.

> note to x2go packages maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?

No! We won't work around such grave issues in distributions or in  
other packages. This needs to be immediately fixed in Linux Mint  
upstream.

> Or maybe a warning should be issued if "xhost" is set to + when a user
> connects?

Nope! In default setups no other distro invokes xhost + on session  
startup. This is just insane!!! So we ignore this issue in X2Go  
upstream completely.

Stay away from Linux Mint with X2Go (or actually at all) till this has  
been fixed in Mint.

light+love,
Mike

PS: quote me freely if needed...


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

--=_7jk3unb0c2lq
Content-Type: application/pgp-signature
Content-Description: Digitale PGP-Unterschrift
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----

--=_7jk3unb0c2lq--

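The check an admin of a multi-user X2Go or LTSP host would want after reading the thread above, as an added example that is not part of the bug thread and not X2Go's or Linux Mint's code: a POSIX shell script that tells from `xhost` output whether the display's access control is off, finds autostart entries that run `xhost +`, and disables such an entry for one user by placing a same-named copy with `Hidden=true` in that user's autostart directory (the XDG autostart override mechanism, which, unlike deleting the system file, survives an update of the package that owns it). The function names, the sample `xhost` output and the sample `.desktop` files are constructed for the example; the Mint entry is the one quoted in Stefan Baur's message.

```shell
#!/bin/sh
# Added example, not X2Go or Linux Mint code.  Audits a host for the
# "xhost +" problem from this bug and disables the autostart entry per user
# through the XDG autostart override: a file with the same name in the
# user's autostart dir that says Hidden=true replaces the system entry, so
# it is not undone by an update of the package owning the system file.
# Function names and all sample data below are constructed for the example.

# Does this `xhost` output say access control is off?  If so any local user
# (and, if the server listens on TCP, any host) can attach to the display.
xhost_access_control_disabled() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Print the .desktop files in DIR whose Exec line runs `xhost +` and that
# are not already disabled with Hidden=true.
find_xhost_plus_autostart() {
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        if grep -Eq '^Exec=.*xhost[[:space:]]+\+' "$f" \
           && ! grep -q '^Hidden=true' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Disable system entry SRC for one user: copy it under the same name into
# USER_DIR (e.g. ~/.config/autostart) with Hidden=true.  Prints the new path.
override_autostart_entry() {
    src=$1; user_dir=$2
    mkdir -p "$user_dir"
    dst="$user_dir/$(basename "$src")"
    grep -v '^Hidden=' "$src" > "$dst" || :
    printf 'Hidden=true\n' >> "$dst"
    printf '%s\n' "$dst"
}

# Constructed sample tree: the Mint entry as quoted in the bug plus a
# harmless entry, written into DIR so the script runs offline.
write_sample_autostart() {
    mkdir -p "$1"
    cat > "$1/mint-xhost-plus.desktop" <<'EOF'
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
EOF
    cat > "$1/harmless.desktop" <<'EOF'
[Desktop Entry]
Name=Harmless
Exec=true
Type=Application
EOF
}

# Constructed stand-ins for `xhost` output in the two states.
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Demo: audit the sample tree, then override what it finds.
demo() {
    tmp=$(mktemp -d)
    write_sample_autostart "$tmp/etc/xdg/autostart"
    if xhost_access_control_disabled "$XHOST_OPEN"; then
        echo "display: access control DISABLED; run 'xhost -' in the session"
    fi
    find_xhost_plus_autostart "$tmp/etc/xdg/autostart" |
    while IFS= read -r f; do
        echo "offending autostart entry: $f"
        echo "overridden by: $(override_autostart_entry "$f" "$tmp/home/.config/autostart")"
    done
    rm -rf "$tmp"
}
demo
```

On a real host, feed the script the output of `xhost` from inside each session and point it at `/etc/xdg/autostart` and the users' `~/.config/autostart`; in sessions that are already running, `xhost -` re-enables access control immediately. As Stefan Baur's quoted note reports, once access control is back on, X2Go's "connect to local desktop" stops finding other users' displays, because it is the X server's own authorization, not X2Go, that decides who may attach.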

------------=_1376765282-5884-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by bugs.x2go.org; 7 Aug 2013 05:36:22 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,T_DKIM_INVALID
	autolearn=ham version=3.3.2
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
	by ymir (Postfix) with ESMTPS id 0F6AD5DB1E
	for <submit@bugs.x2go.org>; Wed,  7 Aug 2013 07:36:22 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so189693eek.13
        for <submit@bugs.x2go.org>; Tue, 06 Aug 2013 22:36:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=sender:from:content-type:content-transfer-encoding:subject
         :message-id:date:to:mime-version;
        bh=zeUpRT6yKgCiFt/96I8NkQjenVsIN/iTXhafYo3Gh8Q=;
        b=bwlgaL681CYaCondUtqS3sGJlqA/TUu/1DlP9NCpaMRUrQU7uvQj5FexgkjPGjkgDE
         syXhi9870xzqLN/k7M2qdThcnttoY8WnAObgD1caRH6u7IRrjeL9OrtMfVBE0AvoJ69E
         EnQVHqDUUuCEUE6w0eKHqDa6HTcufqkdhVisKz35sllgfsQEtL0EIwxtTWIiBFQHYzpM
         g+8Lcm+Jo0aBxN4vJ7JzcN7dVh7ie6VeaL9HW2DHxpMH2MZ/edb5MRLW9vQ7M2fK66Qn
         Ul8lY+fa68/LDkq3dQhsa54SerJ3qHCQ4QsRVTJ80ejJYgsVf/hQrmLxj6iPXyCME624
         adRQ==
X-Received: by 10.14.218.5 with SMTP id j5mr1284725eep.134.1375853781759;
        Tue, 06 Aug 2013 22:36:21 -0700 (PDT)
Received: from [192.168.0.20] (erft-4d07d423.pool.mediaWays.net. [77.7.212.35])
        by mx.google.com with ESMTPSA id t6sm6656149eel.12.2013.08.06.22.36.20
        for <submit@bugs.x2go.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 06 Aug 2013 22:36:20 -0700 (PDT)
Sender: David Fuhrmann <david.fuhrmann@gmail.com>
From: David Fuhrmann <fuhrmann_mail@web.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: x2goserver allows to connect to ALL X server sessions by default
Message-Id: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de>
Date: Wed, 7 Aug 2013 07:36:18 +0200
To: submit@bugs.x2go.org
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows connecting to ALL running X
sessions on the target machine, using "connect to local desktop". These
might be logged-in local users, or NX sessions which were not terminated
correctly. This is especially bad in the latter case, as the screen is
normally not locked there.

This is a HUGE security leak, as now all users are able to access data
of the other users, and hinder them from working by manipulating current
sessions.

Normal remote desktop software should BLOCK such access by default, and
only allow it when the user has explicitly requested or configured it.

------------=_1376765282-5884-0--
