From mike.gabriel@das-netzwerkteam.de Wed Aug 7 11:43:40 2013
Message-ID: <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de>
Date: Wed, 07 Aug 2013 11:43:38 +0200
From: Mike Gabriel
To: David Fuhrmann,
287@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default

control: tag -1 moreinfo
control: tag -1 not-a-bug
control: tag -1 wontfix

On Wed 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:

> I just noticed that x2goserver allows connecting to ALL running X
> sessions on the target machine, using "connect to local desktop".
> These might be logged-in local users, or NX sessions which were not
> terminated correctly. This is especially bad in the latter case,
> as the screen is normally not locked there.
>
> This is a HUGE security leak, as now all users are able to access
> data of the other users, and hinder them from working by
> manipulating current sessions.
>
> Normal remote desktop software should BLOCK such access by default,
> and only allow it when the user explicitly requested it or
> configured it so.

I just tested this to be really sure that this is a not-a-bug report...

What you describe only works for the same login!!!!

So if my user (sunweaver) logs in locally to an X session, and "sunweaver" then connects via X2Go with "connect to local desktop", then I can access my __own__ local X sessions.

However, I cannot access other users' sessions unless they grant access via the X2Go Desktop Sharing utility.

Please re-test and re-confirm, or post a message that states that the mistake was on your part.
Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
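Mike asks for a re-test. The following POSIX shell script is an added example for doing that check, written for this page; it is not part of the thread and not code from the X2Go project. It assumes that every X server on the host (Xorg, nxagent, ...) registers a unix socket as /tmp/.X11-unix/X<n>, and that `xdpyinfo` (Debian package x11-utils) is installed. Run it once under each login that is relevant to the report: a display reported OPEN is one this user can attach to; the condition David describes would show up as an OPEN display whose session belongs to a different user who has not shared it. The function names, the probe/override parameters and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example, not X2Go project code: list the X displays on this host and
# report which of them the *current* user can actually open.
#
# Assumptions (label: not taken from the thread):
#   - every X server registers a unix socket /tmp/.X11-unix/X<n>
#   - `xdpyinfo` is installed; it exits 0 only if the server lets us connect
#     (the usual failure is "No protocol specified" when we hold no cookie)
#   - `stat -c %U` (GNU coreutils) is available; the socket owner is only a
#     hint, since a display manager's Xorg socket is often owned by root

# probe_display N -> exit 0 if display :N accepts a connection from us.
probe_display() {
    xdpyinfo -display ":$1" >/dev/null 2>&1
}

# list_displays [SOCKDIR] [PROBE]
# Prints one line per socket: "<display> <socket-owner> <OPEN|DENIED>".
# SOCKDIR defaults to /tmp/.X11-unix and PROBE to probe_display; both can be
# overridden so the logic can be exercised without a running X server.
list_displays() {
    dir=${1:-/tmp/.X11-unix}
    probe=${2:-probe_display}
    for sock in "$dir"/X*; do
        [ -e "$sock" ] || continue          # unmatched glob -> literal, skip it
        n=${sock##*/X}                      # /tmp/.X11-unix/X50 -> 50
        owner=$(stat -c %U "$sock" 2>/dev/null || echo '?')
        if "$probe" "$n"; then state=OPEN; else state=DENIED; fi
        printf '%s %s %s\n' "$n" "$owner" "$state"
    done
}

# count_open [SOCKDIR] [PROBE] -> how many displays this user can open.
count_open() {
    list_displays "$1" "$2" | grep -c ' OPEN$'
}

# When run as a script: scan the real socket directory as the calling user.
list_displays "$@"
```

Interpretation note: an OPEN line for a display that belongs to your own login is the behaviour Mike describes as intended; an OPEN line for another user's display without that user having shared it through X2Go Desktop Sharing is what David reported and what Mike could not reproduce. The script only tells you whether the X server admits your connection, it does not say how the cookie or grant got there.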