X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #30 received at 287@bugs.x2go.org:

Message-ID: <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de>
Date: Wed, 07 Aug 2013 16:02:58 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: David Fuhrmann <fuhrmann_mail@web.de>
Cc: 287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X
 server sessions by default
References: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de>
 <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de>
 <CANN0FUgL27BfEyQ_=4nLiY56rHjo5fGsf1OyDK47vLb2Gdi+jg@mail.gmail.com>
In-Reply-To:  <CANN0FUgL27BfEyQ_=4nLiY56rHjo5fGsf1OyDK47vLb2Gdi+jg@mail.gmail.com>
control: tag -1 - wontfix
control: tag -1 - not-a-bug

Hi David,

On Mi 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:

> thanks
>
> ... for the answer. We just retested it today in our environment, and the
> issue is still as described. Especially we did:
>
> 1) user_A starts an xfce x2go session on hostA, without starting
> x2godesktopsharing.
> 2) user_B logs in at hostA, using "connect to local desktop". It sees an X
> session under its own user name, and a port. user_B can click on "full
> access" and gets access to the session.
>
> Second test:
> - user_A starts x2godesktopsharing, but leave the default setting (do not
> allow access, with cross).
> - user_B sees same behaviour as described above
>
> Third test:
> - user_A starts x2godesktopsharing and enables access (green icon in
> menu bar)
> - user_B now sees two sessions in the session list: one with his own user
> name, one with user_A's user name. Both have the same port. If user_B
> selects the one which has user_A as its name, he can only connect to view,
> and eventually, this connection gets refused. (In the meantime, user_A
> sees a question dialog asking user_B for access in the session.)
> But still, user_B sees a session with his own name, and can connect to it
> and gets full access to the xfce session started by user_A.
>
> So in summary: The x2godesktopsharing has no effect at all when it should
> block all accesses, and only works partly when it should allow individual
> access.
>
> In our environment, every machine has the same logins provided by an LDAP
> server. I will retest at home to see how it behaves with normal local users.

Ok, thanks for re-testing. I undo the tags made earlier on this
issue. This is indeed a big issue that needs immediate fixing!!!

Next question: what distro are you on? I tested on Debian and it
worked flawlessly. Do you have any chance to test on Debian or Ubuntu
(if you are on some RPM based distro)?

Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
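Editor's added example, not X2Go project code and not from either participant: on a multi-user host, the first thing to check for the behaviour David describes (user_B attaching with full access to the X session user_A started, regardless of what x2godesktopsharing allows) is whether the X server itself admits other local users. The script below classifies the text that `xhost` prints for a display. It assumes that X server access control is the relevant mechanism, which this message does not confirm, and the sample outputs in it are constructed, not captured on the reporter's hosts.

```shell
#!/bin/sh
# Added example (not X2Go code). Classify the access-control state of an X
# display from the text `xhost` prints, so the admin of a multi-user host can
# see whether another local user could attach to a running session.
# Assumption (not confirmed by the bug report): the X server's own access
# list is what would let user_B reach user_A's display.
#
# Usage on a live host, inside the session owner's X environment:
#   xhost_audit "$(xhost)" "$USER"
# Arguments: $1 = xhost output, $2 = user name of the display owner.
# Prints one of:
#   open                 access control disabled, any client reaching the socket connects
#   local-open           bare "LOCAL:" entry, every local user may connect
#   shared-with: <users> SI:localuser entries for users other than the owner
#   restricted           only authorized clients (cookie holders / owner's own entry)
#   unknown              first line not recognised
xhost_audit() {
    out=$1
    owner=$2
    case $out in
        *"access control disabled"*) echo open; return 0 ;;
        *"access control enabled"*) ;;
        *) echo unknown; return 1 ;;
    esac
    # `xhost +local:` leaves a bare "LOCAL:" line, opening the display to all local users.
    if printf '%s\n' "$out" | grep -q -x 'LOCAL:'; then
        echo local-open
        return 0
    fi
    # Per-user grants look like "SI:localuser:<name>"; the owner's own entry is expected.
    others=$(printf '%s\n' "$out" \
        | sed -n 's/^SI:localuser:\(.*\)$/\1/p' \
        | grep -v -x "$owner" \
        | tr '\n' ' ' || true)
    others=${others% }
    if [ -n "$others" ]; then
        echo "shared-with: $others"
        return 0
    fi
    echo restricted
}

# Constructed samples of xhost output (not captured from the reporter's hosts).
SAMPLE_DISABLED='access control disabled, clients can connect from any host'
SAMPLE_LOCAL='access control enabled, only authorized clients can connect
LOCAL:'
SAMPLE_SHARED='access control enabled, only authorized clients can connect
SI:localuser:user_A
SI:localuser:user_B'
SAMPLE_OWNER_ONLY='access control enabled, only authorized clients can connect
SI:localuser:user_A'

# Walk the samples as if user_A owned the display.
for s in "$SAMPLE_DISABLED" "$SAMPLE_LOCAL" "$SAMPLE_SHARED" "$SAMPLE_OWNER_ONLY"; do
    xhost_audit "$s" user_A
done
```

A result of open or local-open means any local login can connect to that display no matter what x2godesktopsharing is set to; `xhost -` re-enables access control on the display and `xhost -local:` drops the LOCAL: grant. A result of restricted only says the xhost list is clean; the per-user cookie in ~/.Xauthority and the permissions on the /tmp/.X11-unix socket still need a separate look.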



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:05:54 2024; Machine Name: ymir.das-netzwerkteam.de
