From: David Fuhrmann
To: submit@bugs.x2go.org
Date: Wed, 7 Aug 2013 07:36:18 +0200
Subject: Bug#287: x2goserver allows to connect to ALL X server sessions by default

Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.

This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.

Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.
From: Mike Gabriel
To: David Fuhrmann, 287@bugs.x2go.org
Date: Wed, 07 Aug 2013 11:43:38 +0200
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default

control: tag -1 moreinfo
control: tag -1 not-a-bug
control: tag -1 wontfix

On Wed 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:

> I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.
>
> This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.
>
> Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.

I just tested this to be really sure that this is a not-a-bug report...

What you describe only works for the same login!!!! So if my user (sunweaver) logs in locally to an X session and "sunweaver" then connects via X2Go to a local X session, then I can access my __own__ local X sessions.

However, I cannot access other users' sessions unless they grant access via the X2Go Desktop Sharing utility.

Please re-test and re-confirm, or post a message that states that the mistake was on your part.

Thanks+Greets,
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb


From: David Fuhrmann
To: Mike Gabriel
Cc: 287@bugs.x2go.org
Date: Wed, 7 Aug 2013 13:54:14 +0200
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default

thanks

... for the answer. We just retested it today in our environment, and the issue is still as described. Specifically, we did:

1) user_A starts an xfce x2go session on hostA, without starting x2godesktopsharing.
2) user_B logs in at hostA, using "connect to local desktop". It sees an X session under its own user name, and a port. user_B can click on "full access" and gets access to the session.

Second test:
- user_A starts x2godesktopsharing, but leaves the default setting (do not allow access, with cross).
- user_B sees the same behaviour as described above.

Third test:
- user_A starts x2godesktopsharing and enables access (green icon in menu bar).
- user_B now sees two sessions in the session list: one with his own user name, one with user_A's user name. Both have the same port. If user_B selects the one which has user_A as its name, he can only connect to view, and eventually this connection gets refused. (In the meantime, user_A sees a question dialog asking whether user_B may access the session.)
  But still, user_B sees a session with his own name, and can connect to it and gets full access to the xfce session started by user_A.

So in summary: x2godesktopsharing has no effect at all when it should block all accesses, and only works partly when it should allow individual access.

In our environment, every machine has the same logins provided by an LDAP server. I will retest at home to see how it behaves with normal local users.

With best regards,
David

2013/8/7 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

> control: tag -1 moreinfo
> control: tag -1 not-a-bug
> control: tag -1 wontfix
>
> On Wed 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:
>
>> I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.
>>
>> This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.
>>
>> Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.
>
> I just tested this to be really sure that this is a not-a-bug report...
>
> What you describe only works for the same login!!!! So if my user (sunweaver) logs in locally to an X session and "sunweaver" then connects via X2Go to a local X session, then I can access my __own__ local X sessions.
>
> However, I cannot access other users' sessions unless they grant access via the X2Go Desktop Sharing utility.
>
> Please re-test and re-confirm, or post a message that states that the mistake was on your part.
>
> Thanks+Greets,
> Mike
From: Mike Gabriel
To: David Fuhrmann
Cc: 287@bugs.x2go.org
Date: Wed, 07 Aug 2013 16:02:58 +0200
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default

control: tag -1 - wontfix
control: tag -1 - not-a-bug

Hi David,

On Wed 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:

> thanks
>
> ... for the answer. We just retested it today in our environment, and the issue is still as described. Specifically, we did:
>
> 1) user_A starts an xfce x2go session on hostA, without starting x2godesktopsharing.
> 2) user_B logs in at hostA, using "connect to local desktop". It sees an X session under its own user name, and a port. user_B can click on "full access" and gets access to the session.
>
> Second test:
> - user_A starts x2godesktopsharing, but leaves the default setting (do not allow access, with cross).
> - user_B sees the same behaviour as described above.
>
> Third test:
> - user_A starts x2godesktopsharing and enables access (green icon in menu bar).
> - user_B now sees two sessions in the session list: one with his own user name, one with user_A's user name. Both have the same port. If user_B selects the one which has user_A as its name, he can only connect to view, and eventually this connection gets refused. (In the meantime, user_A sees a question dialog asking whether user_B may access the session.)
>   But still, user_B sees a session with his own name, and can connect to it and gets full access to the xfce session started by user_A.
>
> So in summary: x2godesktopsharing has no effect at all when it should block all accesses, and only works partly when it should allow individual access.
>
> In our environment, every machine has the same logins provided by an LDAP server. I will retest at home to see how it behaves with normal local users.

Ok, thanks for re-testing. I undo the taggings made earlier on this issue. This is indeed a big issue that needs immediate fixing!!!

Next question: what distro are you on? I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM-based distro)?

Greets,
Mike
From: David Fuhrmann
To: Mike Gabriel
Cc: 287@bugs.x2go.org
Date: Wed, 7 Aug 2013 17:56:45 +0200
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default

Hi,

We are using a Debian-based Linux Mint, and installed the server from the Debian 7 repository IIRC.

I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.

Best,
David

On 07.08.2013 at 16:02, Mike Gabriel wrote:

> control: tag -1 - wontfix
> control: tag -1 - not-a-bug
>
> Hi David,
>
> On Wed 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
>
>> thanks
>>
>> ... for the answer. We just retested it today in our environment, and the issue is still as described. Specifically, we did:
>>
>> 1) user_A starts an xfce x2go session on hostA, without starting x2godesktopsharing.
>> 2) user_B logs in at hostA, using "connect to local desktop". It sees an X session under its own user name, and a port. user_B can click on "full access" and gets access to the session.
>>
>> Second test:
>> - user_A starts x2godesktopsharing, but leaves the default setting (do not allow access, with cross).
>> - user_B sees the same behaviour as described above.
>>
>> Third test:
>> - user_A starts x2godesktopsharing and enables access (green icon in menu bar).
>> - user_B now sees two sessions in the session list: one with his own user name, one with user_A's user name. Both have the same port. If user_B selects the one which has user_A as its name, he can only connect to view, and eventually this connection gets refused. (In the meantime, user_A sees a question dialog asking whether user_B may access the session.)
>>   But still, user_B sees a session with his own name, and can connect to it and gets full access to the xfce session started by user_A.
>>
>> So in summary: x2godesktopsharing has no effect at all when it should block all accesses, and only works partly when it should allow individual access.
>>
>> In our environment, every machine has the same logins provided by an LDAP server. I will retest at home to see how it behaves with normal local users.
>
> Ok, thanks for re-testing. I undo the taggings made earlier on this issue. This is indeed a big issue that needs immediate fixing!!!
>
> Next question: what distro are you on? I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM-based distro)?
>
> Greets,
> Mike
From: David Fuhrmann
To: Mike Gabriel
Cc: 287@bugs.x2go.org
Date: Wed, 7 Aug 2013 20:10:44 +0200
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default

Hi,

To rule out some specific configuration issue in our current system, I installed a fresh Linux Mint inside a virtual machine and was able to confirm the issues.

You should be able to reproduce it easily by doing the same. Choose Linux Mint Debian Edition, 64 bit, MATE package, and install x2goserver following your instructions for Debian 7.

With best regards,
David

On 07.08.2013 at 17:56, David Fuhrmann wrote:

> Hi,
>
> We are using a Debian-based Linux Mint, and installed the server from the Debian 7 repository IIRC.
>
> I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.
>
> Best,
> David
>
> On 07.08.2013 at 16:02, Mike Gabriel wrote:
>
>> control: tag -1 - wontfix
>> control: tag -1 - not-a-bug
>>
>> Hi David,
>>
>> On Wed 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
>>
>>> thanks
>>>
>>> ... for the answer. We just retested it today in our environment, and the issue is still as described. Specifically, we did:
>>>
>>> 1) user_A starts an xfce x2go session on hostA, without starting x2godesktopsharing.
>>> 2) user_B logs in at hostA, using "connect to local desktop". It sees an X session under its own user name, and a port. user_B can click on "full access" and gets access to the session.
>>>
>>> Second test:
>>> - user_A starts x2godesktopsharing, but leaves the default setting (do not allow access, with cross).
>>> - user_B sees the same behaviour as described above.
>>>
>>> Third test:
>>> - user_A starts x2godesktopsharing and enables access (green icon in menu bar).
>>> - user_B now sees two sessions in the session list: one with his own user name, one with user_A's user name. Both have the same port. If user_B selects the one which has user_A as its name, he can only connect to view, and eventually this connection gets refused. (In the meantime, user_A sees a question dialog asking whether user_B may access the session.)
>>>   But still, user_B sees a session with his own name, and can connect to it and gets full access to the xfce session started by user_A.
>>>
>>> So in summary: x2godesktopsharing has no effect at all when it should block all accesses, and only works partly when it should allow individual access.
>>>
>>> In our environment, every machine has the same logins provided by an LDAP server. I will retest at home to see how it behaves with normal local users.
>>
>> Ok, thanks for re-testing. I undo the taggings made earlier on this issue. This is indeed a big issue that needs immediate fixing!!!
>>=20 >> Next question: what distro are you on. I tested on Debian and it = worked flawlessly. Do you have any chance to test on Debian or Ubuntu = (if you are on some RPM based distro)? >>=20 >> Greets, >> Mike >>=20 >>=20 >> --=20 >>=20 >> DAS-NETZWERKTEAM >> mike gabriel, herweg 7, 24357 fleckeby >> fon: +49 (1520) 1976 148 >>=20 >> GnuPG Key ID 0x25771B31 >> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de >>=20 >> freeBusy: >> = https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.= xfb >=20 From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: Mike Gabriel , 287@bugs.x2go.org Resent-From: Mike Gabriel Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Wed, 07 Aug 2013 19:33:02 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.137590334726589 (code B ref 287); Wed, 07 Aug 2013 19:33:02 +0000 Received: (at 287) by bugs.x2go.org; 7 Aug 2013 19:22:27 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id C16BB5DB1E for <287@bugs.x2go.org>; Wed, 7 Aug 2013 21:22:26 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 890889FD for <287@bugs.x2go.org>; Wed, 7 Aug 2013 21:22:26 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 7D0533BF19 for <287@bugs.x2go.org>; Wed, 7 Aug 2013 
21:22:26 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hWUsRVR+-Ar for <287@bugs.x2go.org>; Wed, 7 Aug 2013 21:22:26 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 6056D3BF13 for <287@bugs.x2go.org>; Wed, 7 Aug 2013 21:22:26 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 3E7AB3BF1D for <287@bugs.x2go.org>; Wed, 7 Aug 2013 21:22:26 +0200 (CEST) Received: by grimnir.das-netzwerkteam.de (Postfix, from userid 33) id 1E13E3BF19; Wed, 7 Aug 2013 21:22:25 +0200 (CEST) Received: from p57B4C702.dip0.t-ipconnect.de (p57B4C702.dip0.t-ipconnect.de [87.180.199.2]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Wed, 07 Aug 2013 21:22:25 +0200 Message-ID: <20130807212225.14293ngtwzvr07sh@mail.das-netzwerkteam.de> X-Priority: 3 (Normal) Date: Wed, 07 Aug 2013 21:22:25 +0200 From: Mike Gabriel To: David Fuhrmann Cc: 287@bugs.x2go.org References: <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de> <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=_kuejmp9gv3l"; protocol="application/pgp-signature"; micalg="pgp-sha1" Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) H3 (4.3.4) This message is in MIME format and has been PGP signed. 
--=_kuejmp9gv3l Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: 7bit Hi David, On Mi 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote: > To rule out some specific configuration issue in our current system, > I installed a fresh linux mint inside a virtual machine and was able > to confirm the issues. > > You should be able to reproduce it easily by doing the same. Choose > Linux Mint debian edition, 64 Bit, Mate package and install > x2goserver following your instructions for debian 7. What is the primary GID of users on Linux Mint. Do they follow the pattern foo:foo bar:bar sunweaver:sunweaver or is there a group that all users get crushed in with there primary GIDs, like foo:users bar:users sunweaver:users ??? Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_kuejmp9gv3l Content-Type: application/pgp-signature Content-Description: Digitale PGP-Unterschrift Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAABAgAGBQJSAp5wAAoJEJr0azAldxsxXUQP/RIIgTHvxRu6AG5uMRrMLaDM jOPQdu+VTTIut0p6Ca0UMbpg7nWTKarXbEAPnV4Iru4If3I6mqEGqYnfupbIlZ5g lNaLYsAuaSxymJ2ifKGyMtWPQswCAmIZWMUbc2UfXD1u+vEKwDxyqyuJHCRQOntz ROqYc4r9aQbwvk6S3/N2cltlK7cS8CN/wCI2ahZowtR32fQmoBU4KG3VxVLl2X8r ga/FX0f1xLcE34gpuw/pTZNj++MGkvI7exML6SZvBbwjp9TZHT6fxOVN0NHhL/EK U90OEwEZQJxUt8jVLDAr4L8HLngSEhcfbPTtYhiWHqh3Fo9Hr359mtngBHZTD7dg M6Rby+9tceTFsyhGH73GSV9KKvrJg/iVrwm0ywsiq85/W+xTCg1kcW4FLLOlM9oC 5hpQcc8Wir7PmyTNXs7u1D6cZTF5YiEXq6vlmqFRYJ63/pBUboALwrAvXc173aZB KhY1Nnzlfjs3x9NIddCWgbNMGdVD/RASRiTRG6xzf/S2uAgrR27uclJpX0qNcZGz c089F49N0TP8p/7plR18CUQHuYTo9lai4IqvoCqdvbjiQ+IgDaD6XvnVpOHAKIIL 
squ/IuIlUkYm73l1nVSEHbzg1uPvcbQQtNGv7AzIgEmtgYKBqoQZbCRmiSKdBT+B bpsR+XoROldBLUJ52QE4 =ZP3y -----END PGP SIGNATURE----- --=_kuejmp9gv3l-- From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: David Fuhrmann , 287@bugs.x2go.org Resent-From: David Fuhrmann Original-Sender: David Fuhrmann Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Wed, 07 Aug 2013 20:03:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.13759053834763 (code B ref 287); Wed, 07 Aug 2013 20:03:01 +0000 Received: (at 287) by bugs.x2go.org; 7 Aug 2013 19:56:23 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=FREEMAIL_FROM, RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by ymir (Postfix) with ESMTPS id 018235DB1E for <287@bugs.x2go.org>; Wed, 7 Aug 2013 21:56:22 +0200 (CEST) Received: by mail-ee0-f54.google.com with SMTP id e53so1091017eek.27 for <287@bugs.x2go.org>; Wed, 07 Aug 2013 12:56:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6dEJS5avVsjcxYvyvoQNZ4fn2ehSrqxWU8rKnmQo170=; b=rGPQ+PowpszPt7BYq0FDpTYz/lKDQ7HW9QGwyI/fGaSEYTTGkNH0FbKnEArHKPQeuR JmviyKhr+Y5OmN2igGW67ukU6YRpOgmHmy1ke9mbxCf1+ky2zfOp2qp6Or70C2/Sw2xD np+KJDn3Y+VVJwE0b8WFlhFtFlfhk01XxWEhH0m735U6FY5tHLpkciwyFiEshi9EokTQ s+j/lSL4BA5TNETlOGrBiqh/9m4UkD3V7zQHBRT1G7ba2U6zjBWNMk3MQeK3lHUrpGc3 
7S45Go998PrQ+2jy0Ty+MMDZvlRNIOb9QT3KCPqhhJUUca9PWKXf4qRz67Yja/LWSX7a butQ== X-Received: by 10.15.41.77 with SMTP id r53mr4635619eev.64.1375905382711; Wed, 07 Aug 2013 12:56:22 -0700 (PDT) Received: from [192.168.0.20] (erft-4d07d423.pool.mediaWays.net. [77.7.212.35]) by mx.google.com with ESMTPSA id k3sm12450953een.16.2013.08.07.12.56.20 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 07 Aug 2013 12:56:21 -0700 (PDT) Sender: David Fuhrmann Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) Content-Type: text/plain; charset=us-ascii From: David Fuhrmann X-Priority: 3 (Normal) In-Reply-To: <20130807212225.14293ngtwzvr07sh@mail.das-netzwerkteam.de> Date: Wed, 7 Aug 2013 21:56:19 +0200 Cc: 287@bugs.x2go.org Content-Transfer-Encoding: quoted-printable Message-Id: <16BAD52E-0196-43DC-A0D5-57BB7B844530@web.de> References: <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de> <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de> <20130807212225.14293ngtwzvr07sh@mail.das-netzwerkteam.de> To: Mike Gabriel X-Mailer: Apple Mail (2.1508) Am 07.08.2013 um 21:22 schrieb Mike Gabriel = : > Hi David, >=20 > On Mi 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote: >=20 >> To rule out some specific configuration issue in our current system, = I installed a fresh linux mint inside a virtual machine and was able to = confirm the issues. >>=20 >> You should be able to reproduce it easily by doing the same. Choose = Linux Mint debian edition, 64 Bit, Mate package and install x2goserver = following your instructions for debian 7. >=20 > What is the primary GID of users on Linux Mint. Do they follow the = pattern >=20 > foo:foo > bar:bar > sunweaver:sunweaver >=20 > or is there a group that all users get crushed in with there primary = GIDs, like >=20 > foo:users > bar:users > sunweaver:users In a fresh linux mint system, the first one. 
In our production = environment, the latter one.= From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: David Fuhrmann , 287@bugs.x2go.org Resent-From: David Fuhrmann Original-Sender: David Fuhrmann Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Sat, 17 Aug 2013 07:18:02 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.137672300611932 (code B ref 287); Sat, 17 Aug 2013 07:18:02 +0000 Received: (at 287) by bugs.x2go.org; 17 Aug 2013 07:03:26 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,T_DKIM_INVALID, URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from mail-ea0-f174.google.com (mail-ea0-f174.google.com [209.85.215.174]) by ymir (Postfix) with ESMTPS id 231F05DA6C for <287@bugs.x2go.org>; Sat, 17 Aug 2013 09:03:26 +0200 (CEST) Received: by mail-ea0-f174.google.com with SMTP id z15so1360385ead.19 for <287@bugs.x2go.org>; Sat, 17 Aug 2013 00:03:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=50OWwgH351YqPtQas7Qo6mUe738cvnwHQOaNVZVJp0U=; b=WvqpWJLt6K07Hrkfz3rdinGRu8J60zpczGzk8JLuBipvTKHafEfcxqirb9XmmStVBV PNOhCLLwfX5cHoN5niAmUOgGFuIJXl3BuemNSz6YUUIorv7zjl4TpdFrMglHNDaTyy1v /UtDPLWQY7XYc7TytXIQ3Fj8o4OxScSwtPBkDlcexjtDn+2AEG5lnFJT8CqvAWNZjP4D CKOeF1rFqA1Lo3cQQdgarJnHBg2/+Fz6lSzI/Ga/hjGQkx4+QNWU9nHAG998gPkZyfaV eoiRyleFT73O5t88QjpxdU/sKaftawshAkBVqjivmgnvLvyDdBeIoTL3VcarP6VSh9ju 3wTg== X-Received: by 10.14.176.8 with SMTP id 
a8mr3124883eem.12.1376723005731; Sat, 17 Aug 2013 00:03:25 -0700 (PDT) Received: from macbook.localdomain (erft-4db7c4d8.pool.mediaWays.net. [77.183.196.216]) by mx.google.com with ESMTPSA id r48sm1666043eev.14.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 17 Aug 2013 00:03:24 -0700 (PDT) Sender: David Fuhrmann Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) Content-Type: text/plain; charset=us-ascii From: David Fuhrmann X-Priority: 3 (Normal) In-Reply-To: <16BAD52E-0196-43DC-A0D5-57BB7B844530@web.de> Date: Sat, 17 Aug 2013 09:03:21 +0200 Cc: 287@bugs.x2go.org Content-Transfer-Encoding: quoted-printable Message-Id: <32EA1C31-9067-4862-B5A7-24F6909253B3@web.de> References: <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de> <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de> <20130807212225.14293ngtwzvr07sh@mail.das-netzwerkteam.de> <16BAD52E-0196-43DC-A0D5-57BB7B844530@web.de> To: Mike Gabriel X-Mailer: Apple Mail (2.1508) Any news regarding this bug? Am 07.08.2013 um 21:56 schrieb David Fuhrmann : >=20 > Am 07.08.2013 um 21:22 schrieb Mike Gabriel = : >=20 >> Hi David, >>=20 >> On Mi 07 Aug 2013 20:10:44 CEST David Fuhrmann wrote: >>=20 >>> To rule out some specific configuration issue in our current system, = I installed a fresh linux mint inside a virtual machine and was able to = confirm the issues. >>>=20 >>> You should be able to reproduce it easily by doing the same. Choose = Linux Mint debian edition, 64 Bit, Mate package and install x2goserver = following your instructions for debian 7. >>=20 >> What is the primary GID of users on Linux Mint. Do they follow the = pattern >>=20 >> foo:foo >> bar:bar >> sunweaver:sunweaver >>=20 >> or is there a group that all users get crushed in with there primary = GIDs, like >>=20 >> foo:users >> bar:users >> sunweaver:users >=20 > In a fresh linux mint system, the first one. In our production = environment, the latter one. 
From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: "Fred Her." , 287@bugs.x2go.org Resent-From: "Fred Her." Original-Sender: frederic.hermann@gmail.com Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Sat, 17 Aug 2013 08:18:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.137672705730080 (code B ref 287); Sat, 17 Aug 2013 08:18:01 +0000 Received: (at 287) by bugs.x2go.org; 17 Aug 2013 08:10:57 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,T_DKIM_INVALID autolearn=ham version=3.3.2 Received: from mail-wg0-f67.google.com (mail-wg0-f67.google.com [74.125.82.67]) by ymir (Postfix) with ESMTPS id AD3DC3BDED for <287@bugs.x2go.org>; Sat, 17 Aug 2013 10:10:56 +0200 (CEST) Received: by mail-wg0-f67.google.com with SMTP id z12so789403wgg.6 for <287@bugs.x2go.org>; Sat, 17 Aug 2013 01:10:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=Z2oLPRZJ2fSXGIBSa6XiKKIs6kLnfMvo+s7EmD9k1pI=; b=C0XRuAe7cnfuht+hUvGQ/L6bzH09yMj5tdomACh/Pn0+VPIjWqO2Ms9Jeo41H9WKOJ tYFqvdK3awmE6IZCpE4wOrUiaXp0tEujuml8SGVrVp9rZUDWlCuE9Y1A53Zqz/mABwoy MikWMCREPxCRWGTqPz4HE/TUalhKcIPlNeeLT4LEqf4icPIgUt9T5r0ek+j/cwR8J8rL Y3yTn1iB4KtmdLV9Xw3rsAKQTTeey/VVHWrRvlW1D3zVM2E5gn/0TB0ke4G6B4l+u9HH rxrpx69FMxH+7spEUty7/IAIj1YgzsHR5TZ1mFG5dlOzvVJZVxYPAoxOMrFzWuuukVOd W3OA== MIME-Version: 1.0 X-Received: by 10.180.106.228 with SMTP id gx4mr1168108wib.9.1376727056373; Sat, 17 Aug 2013 01:10:56 -0700 (PDT) Sender: frederic.hermann@gmail.com Received: by 10.194.171.135 with 
HTTP; Sat, 17 Aug 2013 01:10:56 -0700 (PDT) Date: Sat, 17 Aug 2013 10:10:56 +0200 X-Google-Sender-Auth: BUNphhZAUMbWrpvWOJDdkOqNw0Q Message-ID: From: "Fred Her." To: 287@bugs.x2go.org Content-Type: multipart/alternative; boundary=e89a8f13ed0425dffe04e4203f81 --e89a8f13ed0425dffe04e4203f81 Content-Type: text/plain; charset=ISO-8859-1 Actually, this seems not an x2go issue, but a linux mint issue : by default, there is a "xhost +" command launched at session startup for all users. If you type "xhost - ", then you should see the normal behavior again : userB will get a "no desktop found" message if he try to connect to the x2go host. So, the workaround is to remove the "xhost +" command in the Control Panel > Startup Applications for each user, or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop (but this could come back if the package ubuntu-system-adjustments is updated) or change this file to: [Desktop Entry] Encoding=UTF-8 Version=1.0 Name=Xhost + Exec=xhost + Terminal=false Type=Application StartupNotify=false Terminal=false X-MATE-Autostart-enabled=false Hidden=true note to x2go packages maintainer: Maybe this should be an option to check/disable when the x2goserver package is installed? Or maybe a warning should be issued if "xhost" is set to + when a user connect? --e89a8f13ed0425dffe04e4203f81 Content-Type: text/html; charset=ISO-8859-1
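An added audit script, not code from the bug report or from the X2Go project, for the root cause Fred Her. describes here (and in the forwarded copy of the same message): it flags XDG autostart entries that run a blanket "xhost +" and are not neutralised by the two keys the workaround sets (Hidden=true, X-MATE-Autostart-enabled=false), and it reads the status line of a bare "xhost" call to tell whether access control is already disabled on a running X server. Assumptions: POSIX sh with awk and grep, the wording of xhost's status line, and the /etc/xdg/autostart path named in the message as the default directory.

```shell
# Added example (not from bug #287 or the X2Go project): audit a host for the
# Linux Mint "xhost +" autostart entry and for an X server that already has
# access control disabled. Assumes POSIX sh with awk and grep.

# Decide whether one .desktop file ($1) would run "xhost +" at login.
# Returns 0 (true) when its Exec line runs xhost with a bare "+" and the entry
# is not disabled by Hidden=true or X-MATE-Autostart-enabled=false.
autostart_runs_xhost_plus() {
    awk '
        BEGIN { exec_plus = 0; disabled = 0 }
        /^Exec=/ {
            cmd = substr($0, 6)
            # "xhost +" or "/usr/bin/xhost +" only; a narrower grant such as
            # "xhost +si:localuser:root" is not the blanket case reported here
            if (cmd ~ /^([^ ]*\/)?xhost[ \t]+[+][ \t]*$/) exec_plus = 1
        }
        /^Hidden=true[ \t]*$/ { disabled = 1 }
        /^X-MATE-Autostart-enabled=false[ \t]*$/ { disabled = 1 }
        END { exit !(exec_plus && !disabled) }
    ' "$1"
}

# Print every enabled "xhost +" autostart entry under $1 (default
# /etc/xdg/autostart). Returns 0 when at least one was found, 1 if clean.
find_xhost_plus_autostart() {
    dir=${1:-/etc/xdg/autostart}
    found=1
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        if autostart_runs_xhost_plus "$f"; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return $found
}

# Read xhost's status output on stdin. A bare "xhost" prints
# "access control disabled, clients can connect from any host" while
# "xhost +" is in effect. Returns 0 when that is the case.
xhost_output_is_open() {
    grep -q '^access control disabled'
}

# Run both checks against the live system and print a verdict.
# Returns 0 when nothing was found, 1 otherwise.
audit_xhost_plus() {
    rc=0
    if entries=$(find_xhost_plus_autostart "${1:-/etc/xdg/autostart}"); then
        printf 'enabled "xhost +" autostart entries:\n%s\n' "$entries"
        rc=1
    fi
    # only meaningful inside a graphical session where DISPLAY is set
    if [ -n "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
        if xhost 2>/dev/null | xhost_output_is_open; then
            printf 'X server on %s: access control is disabled (xhost +)\n' "$DISPLAY"
            rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "no blanket xhost + found"
    return $rc
}

# Run the audit when executed directly as xhost_audit.sh; do nothing when the
# file is sourced, so the functions can be reused from other scripts.
case "${0##*/}" in
    xhost_audit.sh) audit_xhost_plus "$@" ;;
esac
```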
--e89a8f13ed0425dffe04e4203f81-- From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: Mike Gabriel , 287@bugs.x2go.org Resent-From: Mike Gabriel Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Sat, 17 Aug 2013 15:33:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.137675329823329 (code B ref 287); Sat, 17 Aug 2013 15:33:01 +0000 Received: (at 287) by bugs.x2go.org; 17 Aug 2013 15:28:18 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id D32E75DA6C for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:28:17 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 32A5DC93 for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:28:17 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 29F183BF2C for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:28:17 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tRO693BoJT4w for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:28:17 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 0BC783BF3C for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:28:17 +0200 (CEST) Received: 
from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id E00D43BB75 for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:28:16 +0200 (CEST) Received: by grimnir.das-netzwerkteam.de (Postfix, from userid 33) id 85C653BF2C; Sat, 17 Aug 2013 17:28:16 +0200 (CEST) Received: from 83-68-217-98.cable.dc13.debconf.org (83-68-217-98.cable.dc13.debconf.org [83.68.217.98]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sat, 17 Aug 2013 17:28:16 +0200 Message-ID: <20130817172816.13812lxtcg86qc9c@mail.das-netzwerkteam.de> X-Priority: 3 (Normal) Date: Sat, 17 Aug 2013 17:28:16 +0200 From: Mike Gabriel To: David Fuhrmann Cc: 287@bugs.x2go.org References: <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de> <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de> <20130807212225.14293ngtwzvr07sh@mail.das-netzwerkteam.de> <16BAD52E-0196-43DC-A0D5-57BB7B844530@web.de> <32EA1C31-9067-4862-B5A7-24F6909253B3@web.de> In-Reply-To: <32EA1C31-9067-4862-B5A7-24F6909253B3@web.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=_2b9d1qumr9g0"; protocol="application/pgp-signature"; micalg="pgp-sha1" Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) H3 (4.3.4) This message is in MIME format and has been PGP signed. --=_2b9d1qumr9g0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: 7bit Hi David, On Sa 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote: > Any news regarding this bug? I have set up a test VM for this issue today and I can absolute confirm what you report. I will investigate on that further today/tomorrow, and I am quite sure of being able to exploit this without X2Go as well. My guess is a mis-configuration in Linux mint around the local X-Server. 
Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_2b9d1qumr9g0 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Unterschrift Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAABAgAGBQJSD5aQAAoJEJr0azAldxsxjMgP/jWNu4b6gWYlcH9pJyV8gdmc 63t8HLKjf1kuaLFmf1yKAFuDM5bS55+U75M097wSQeYt+z18HhthuBE7hm4wuaUL ACWyaj6vzESzTEkTtO6NyN/TQ7qVqdUUNoCi+YI2Es9qMoxipl09pWHU34T1J0oo AnWfS3bb77qKql/Tu0KtleD2VxmSuUTT1Ce9auhJEpKCIk0q5/t8h8QeZht2no4D wBLwHeNVZ4xx4LVPcqZBIUBFsqJhAnl0FUi6k60M7oS07XAiM/gZO1XwaM9a1R54 +nI8tzkC+TN6Q994gJYUN5jaEr97b1uj8V7ARE4BpZRlt/bSyT95/JNEVBu8bzeO AoO09Lrc2irEkw2Lwt6gNaCBNYZitjQDRXiPmmHZHD4JQDBryutmu+QR7OUDV0wx GQa9E/eCTxgOKDvFZKXH+sNrD+ENZCN/qR+V0GU7VAZSPuKPBjDgArtMtH2T8My3 0Lx7WAZh0I1o0rbwvp8Fqz0CniiejD/+QKWURAkiiHHzyK+UYSKODGGDWF1kwcQe PHNDwGboxYrX4AzjB2iMyXOYxvBWe8QptdtQl7jMIxj5iGZFUdLeE1gTjf2kThXx Nlx+XitQK3Dok+ZwP2ogZbcSB4QWWVjEi9r3XjTMip/0sXjYVmfKLQ9AUTM9qJHh 42uXmr59p/8ZqRe2YhQu =GSHw -----END PGP SIGNATURE----- --=_2b9d1qumr9g0-- From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: Fwd: Re: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: Stefan Baur , 287@bugs.x2go.org Resent-From: Stefan Baur Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Sat, 17 Aug 2013 15:48:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.137675445728017 (code B ref 287); Sat, 17 Aug 2013 15:48:01 +0000 Received: (at 287) by bugs.x2go.org; 17 Aug 2013 
15:47:37 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham version=3.3.2 X-Greylist: delayed 759 seconds by postgrey-1.34 at ymir; Sat, 17 Aug 2013 17:47:35 CEST Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ymir (Postfix) with ESMTP id E52623BDED for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:47:35 +0200 (CEST) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mrbap3) with ESMTP (Nemesis) id 0LuLSB-1W8MWF0tfT-011nEQ; Sat, 17 Aug 2013 17:34:56 +0200 Message-ID: <520F981D.1050903@stefanbaur.de> Date: Sat, 17 Aug 2013 17:34:53 +0200 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 MIME-Version: 1.0 To: 287@bugs.x2go.org, x2go@edhil.net References: In-Reply-To: X-Forwarded-Message-Id: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:Ttftb6FMabn+tvo9IWU91As9t0q/lrp7NAEd3nrZUZV Dun1Z20oDhOSt5OF60WlynK3nCJ4qWm+jOKc1zhMRz5e5eDrD4 BVEhOxzHn+WmZxVzr8TfIBZxkbEM70M4YoDaXyc2qDcobxOo3R ltMG/7j2K/dYmvMO1EVpH4IbaBuGPxwVElRc8zJ6hXOzQrct8c yCDI5NSIIL4g+5eSryJ3BuhJh6f9e8hYyRN/+VznCPoe8o7Gxs RrfV9EWNc84t5ZpVxR1PeyTld8KnBLsZqlgCJ4CKv2P15UjyGn vvSv52mkmijcqJIeK5FAsVOKxR3X2HXpMzSC+CfUFLtCEfRwfi IuUuH8bv6YAqIiPaxHuOk8QrbsEIhfUZrUqXfFrGN Looks like this info wasn't sent to the bugtracker, forwarding manually. -------- Original-Nachricht -------- Betreff: Re: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default Datum: Fri, 16 Aug 2013 13:41:34 +0000 (UTC) Von: Fred Her. 
Antwort an: x2go-dev@lists.berlios.de An: x2go-dev@lists.berlios.de David Fuhrmann web.de> writes: > > Hi, > > To rule out some specific configuration issue in our current system, I installed a fresh linux mint inside a > virtual machine and was able to confirm the issues. > > You should be able to reproduce it easily by doing the same. Choose Linux Mint debian edition, 64 Bit, Mate > package and install x2goserver following your instructions for debian 7. I performed the test on the same configuration, and can confirm this issue: On a fresh linux mint issue, Ubuntu edition, 64bits, MATE package. x2go package installed : ii x2goserver 4.0.1.6-0~712~raring1 amd64 ii x2goserver-extensions 4.0.1.6-0~712~raring1 all ii x2goserver-xsession 4.0.1.6-0~712~raring1 all userA creates a session with a custom desktop (x-session-manager) and connect. Then close the session window (but do not disconnect) UserB creates a session with "connect to Local Desktop" and log in using his own login and ssh password UserB can connect to UserA desktop with full access. As a workaround, ss there any x2goserver.conf parameters that could be used to disable the Local Desktop access? 
_______________________________________________ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev From unknown Thu Mar 28 19:40:12 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#287: Fwd: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default Reply-To: Stefan Baur , 287@bugs.x2go.org Resent-From: Stefan Baur Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Sat, 17 Aug 2013 15:48:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 287 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: moreinfo Received: via spool by 287-submit@bugs.x2go.org id=B287.137675447528164 (code B ref 287); Sat, 17 Aug 2013 15:48:01 +0000 Received: (at 287) by bugs.x2go.org; 17 Aug 2013 15:47:55 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ymir (Postfix) with ESMTP id B8F063BDED for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:47:54 +0200 (CEST) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id 0MZ7a0-1VP55b2pu0-00LT0C; Sat, 17 Aug 2013 17:35:23 +0200 Message-ID: <520F983C.6040904@stefanbaur.de> Date: Sat, 17 Aug 2013 17:35:24 +0200 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 MIME-Version: 1.0 To: 287@bugs.x2go.org, x2go@edhil.net References: In-Reply-To: X-Forwarded-Message-Id: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:NQoRJSOAj31Z/x8dTBZH+A+aha0jvPjQUvKunxj02x5 prtFv4w/aK5GMxZj1+jwMacNhBQRd80hazOI4izo3UKA/ZSu9S 
QZUNVxfvJ8D3/+LErO5uQb+1yvWE4w6133f0Uq6EvNW6Ba5KqX KNlBxN5ImJg2l7CKgotDrfFNK3viOo+70louvh0gwC1VlfLAIC cezug3cWfX6ZHDuyJDH2Jl6Qwj+LoTx+kKz7n8GW0awZ9ER4+r 0eqL1ZvudAqGl6uNj1SUSlMbXoiEbQQo2cWB4wNBWM0hikCOd0 mr9XFtKmjJ8Hryef4h4b6iw5z+mTOER2VEvvMkyhnDB6XWeXTX AOh1wkGv0NfSi99MIICla51QTGRSZa+jlQ6kU3sja Looks like this info wasn't forwared to the bugtracker, forwarding manually. -------- Original-Nachricht -------- Betreff: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default Datum: Fri, 16 Aug 2013 14:47:40 +0000 (UTC) Von: Fred Her. Antwort an: x2go-dev@lists.berlios.de An: x2go-dev@lists.berlios.de Actually, this is not an x2go issue, this is a linux mint issue : by default, there is a "xhost +" command launched at session startup for all users. If you type "xhost - ", then you should see the normal behavior again : userB will get a "no desktop found" message if he try to connect to the x2go host. So, the workaround is to remove the "xhost +" command in the Control Panel > Startup Applications for each user, or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop (but this could come back if the package ubuntu-system-adjustments is updated) or change this file to: [Desktop Entry] Encoding=UTF-8 Version=1.0 Name=Xhost + Exec=xhost + Terminal=false Type=Application StartupNotify=false Terminal=false X-MATE-Autostart-enabled=false Hidden=true note to x2go packages maintainers: Maybe this should be an option to check/disable when the x2goserver package is installed? Or maybe a warning should be issued if "xhost" is set to + when a user connect? 
From: Stefan Baur
Date: Sat, 17 Aug 2013 17:37:29 +0200
To: Mike Gabriel, 287@bugs.x2go.org, x2go-dev@lists.berlios.de
CC: David Fuhrmann
Subject: Bug#287: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default
Message-ID: <520F98B9.3030208@stefanbaur.de>
In-Reply-To: <20130817172816.13812lxtcg86qc9c@mail.das-netzwerkteam.de>

Please look at message

From: Fred Her.
Date: Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
Message-ID:

which I just forwarded to the bugtracker (seems it went to the list, but not the bugtracker).

Looks like the root cause for the problem has been found and it is indeed a Linux Mint configuration stupidity.

-Stefan

On 17.08.2013 17:28, Mike Gabriel wrote:
> Hi David,
>
> On Sa 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote:
>
>> Any news regarding this bug?
>
> I have set up a test VM for this issue today and I can absolutely
> confirm what you report.
>
> I will investigate on that further today/tomorrow, and I am quite sure
> of being able to exploit this without X2Go as well.
>
> My guess is a mis-configuration in Linux Mint around the local X-Server.
>
> Mike

From: Mike Gabriel
Date: Sat, 17 Aug 2013 20:42:55 +0200
To: 287@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Message-ID: <20130817204255.119582nheui8tcfj@mail.das-netzwerkteam.de>
In-Reply-To: <520F983C.6040904@stefanbaur.de>

title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks

Hi all,

On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:

> Actually, this is not an x2go issue, this is a Linux Mint issue: by default, there is a "xhost +" command launched at session startup for all users.
>
> If you type "xhost -", then you should see the normal behavior again: userB will get a "no desktop found" message if he tries to connect to the x2go host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel > Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop (but this could come back if the package ubuntu-system-adjustments is updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true

We (David and I) just figured out the same... (what a race condition...). Thanks!

What a security leakage if people start using Linux Mint in multi-user operation mode (like with X2Go or locally or with LTSP). With xhost + for every user you can launch applications on other people's desktops and also read out their clipboards' contents.

/me rarely has to puke at other people's work, but this time... Well, yes.

> note to x2go packages maintainers:
> Maybe this should be an option to check/disable when the x2goserver package is installed?

No! We won't work around such grave issues in distributions or in other packages. This needs to be immediately fixed in Linux Mint upstream.

> Or maybe a warning should be issued if "xhost" is set to + when a user connects?

Nope! In default setups no other distro evokes xhost + on session startup. This is just insane!!! So we ignore this issue in X2Go upstream completely.

Stay away from Linux Mint with X2Go (or actually at all) till this has been fixed in Mint.

light+love,
Mike

PS: quote me freely if needed...
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Date: Sat, 17 Aug 2013 18:48:02 +0000
Subject: Bug#287 closed by Mike Gabriel (Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default)
References: <20130817204255.119582nheui8tcfj@mail.das-netzwerkteam.de>
X-X2go-PR-Keywords: confirmed moreinfo wontfix
This is an automatic notification regarding your Bug report which was filed against the x2goserver package:

#287: x2goserver allows to connect to ALL X server sessions by default

It has been closed by Mike Gabriel.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mike Gabriel by replying to this email.

--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
From: Mike Gabriel
Date: Sat, 17 Aug 2013 21:25:25 +0200
To: control@bugs.x2go.org
Message-ID: <20130817212525.1908562666s82885@mail.das-netzwerkteam.de>
retitle #287 Linux Mint desktops configured too insecurely for multi-user mode
thanks