X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Reply-To: David Fuhrmann <fuhrmann_mail@web.de>, 287@bugs.x2go.org
Resent-From: David Fuhrmann <fuhrmann_mail@web.de>
Original-Sender: David Fuhrmann <david.fuhrmann@gmail.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 07 Aug 2013 16:03:02 +0000
Resent-Message-ID: <handler.287.B287.137589100921736@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 287
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: moreinfo
Received: via spool by 287-submit@bugs.x2go.org id=B287.137589100921736
          (code B ref 287); Wed, 07 Aug 2013 16:03:02 +0000
Received: (at 287) by bugs.x2go.org; 7 Aug 2013 15:56:49 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=FREEMAIL_FROM,
	RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-ea0-f179.google.com (mail-ea0-f179.google.com [209.85.215.179])
	by ymir (Postfix) with ESMTPS id 7C8475DB1E
	for <287@bugs.x2go.org>; Wed,  7 Aug 2013 17:56:48 +0200 (CEST)
Received: by mail-ea0-f179.google.com with SMTP id b10so915272eae.38
        for <287@bugs.x2go.org>; Wed, 07 Aug 2013 08:56:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=sender:subject:mime-version:content-type:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=TULNUeSSB1zhMDjllI0tc3P7OXIb3vlzhHVtseH2vCE=;
        b=IoQdErGXdp4fxd0PpHd+z4XojCMldFB11ij0+2sCJkVdAA14OphREM1NMaM2LkWJm9
         Q14e/K4yX+mP0iWOyMh6AV1vSB3jf5o8ob/9XdcWxdwXhi011JOIvX8RaalHBgMB5WdV
         Z6eEGMgdyDz8Gr53m0cJacSdex1kvfRUtEv+P1Jgnl/wHjOU3gBVD1jXiFYICZcmSck+
         NwIUWA8W5IXr79DojZFbmhZx0coG7eGQ08k6BiCFZ83UOlhoVrTjWUSmr1z6wwjSy2ey
         EWRh/rGUEjekD6kamWjC5w7W0nK6awxClu4grIAToX62jEumPP4U/w7pVitweYpJgRPv
         BtgQ==
X-Received: by 10.14.179.131 with SMTP id h3mr3706273eem.102.1375891008151;
        Wed, 07 Aug 2013 08:56:48 -0700 (PDT)
Received: from [192.168.0.20] (erft-4d07d423.pool.mediaWays.net. [77.7.212.35])
        by mx.google.com with ESMTPSA id m54sm10723337eex.2.2013.08.07.08.56.46
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 07 Aug 2013 08:56:47 -0700 (PDT)
Sender: David Fuhrmann <david.fuhrmann@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Content-Type: text/plain; charset=us-ascii
From: David Fuhrmann <fuhrmann_mail@web.de>
X-Priority: 3 (Normal)
In-Reply-To: <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de>
Date: Wed, 7 Aug 2013 17:56:45 +0200
Cc: 287@bugs.x2go.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de>
References: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de> <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <CANN0FUgL27BfEyQ_=4nLiY56rHjo5fGsf1OyDK47vLb2Gdi+jg@mail.gmail.com> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
X-Mailer: Apple Mail (2.1508)

Hi,

We are using a Debian-based Linux Mint, and installed the server from the Debian 7 repository, IIRC.

I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.

Best,
David

Am 07.08.2013 um 16:02 schrieb Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:

> control: tag -1 - wontfix
> control: tag -1 - not-a-bug
> 
> Hi David,
> 
> On Mi 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
> 
>> thanks
>> 
>> ... for the answer. We just retested it today in our environment, and the
>> issue is still as described. Especially we did:
>> 
>> 1) user_A starts an xfce x2go session on hostA, without starting
>> x2godesktopsharing.
>> 2) user_B logs in at hostA, using "connect to local desktop". It sees an X
>> session under its own user name, and a port. user_B can click on "full
>> access" and gets access to the session.
>> 
>> Second test:
>> - user_A starts x2godesktopsharing, but leaves the default setting (do not
>> allow access, with cross).
>> - user_B sees the same behaviour as described above
>> 
>> Third test:
>> - user_A starts x2godesktopsharing and enables access (green icon in
>> menu bar)
>> - user_B now sees two sessions in the session list: one with his own user
>> name, one with user_A's user name. Both have the same port. If user_B
>> selects the one which has user_A as its name, he can only connect to view,
>> and eventually, this connection gets refused. (In the meantime, user_A
>> sees a question dialog asking whether user_B may access the session.)
>> But still, user_B sees a session with his own name, and can connect to it
>> and gets full access to the xfce session started by user_A.
>> 
>> So in summary: The x2godesktopsharing has no effect at all when it should
>> block all accesses, and only works partly when it should allow individual
>> access.
>> 
>> In our environment, every machine has the same logins provided by an LDAP
>> server. I will retest at home to see how it behaves with normal local users.
> 
> Ok, thanks for re-testing. I am undoing the tags made earlier on this issue. This is indeed a big issue that needs immediate fixing!!!
> 
> Next question: what distro are you on? I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM based distro)?
> 
> Greets,
> Mike
> 
> 
> -- 
> 
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
> 
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
> 
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
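The thread above reports that a second local user can attach to another user's X session on a multi-user host, which the bug title attributes to the desktop being "configured too insecurely for multi-user mode". The following is an added example, not code from the bug log or from the x2goserver project: a small audit script an administrator can run as the session owner to check the two generic Xorg access-control settings that decide whether other local users can reach a display, independent of X2Go's own sharing dialog. It assumes a standard Xorg layout (cookie file in `$XAUTHORITY` or `~/.Xauthority`, `xhost` on the PATH) and parses the usual `xhost` output format; the sample outputs embedded in it are constructed, and the function names are the author's own.

```python
"""Audit whether this user's X display is reachable by other local users.

Added example (not part of the X2Go bug log or of x2goserver). Two generic
Xorg settings are checked:
  1. `xhost` host/user access list: "access control disabled" or a bare
     "LOCAL:" entry lets any local UID connect without a cookie.
  2. the MIT-MAGIC-COOKIE file: if it is group/world readable, any user who
     can read it can present the cookie and get full access to the display.
X2Go's own desktop-sharing ACL is a separate mechanism and is not inspected.
"""
import os
import stat
import subprocess
from pathlib import Path

# Constructed samples of what `xhost` prints (not captured from the reporter's host).
SAMPLE_XHOST_OPEN = "access control disabled, clients can connect from any host\n"
SAMPLE_XHOST_LOCAL = (
    "access control enabled, only authorized clients can connect\n"
    "LOCAL:\n"
    "SI:localuser:alice\n"
)
SAMPLE_XHOST_TIGHT = (
    "access control enabled, only authorized clients can connect\n"
    "SI:localuser:alice\n"
)


def xhost_findings(output: str) -> list:
    """Return a list of problems found in `xhost` output (empty list = fine)."""
    problems = []
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        return ["no xhost output"]
    if lines[0].startswith("access control disabled"):
        problems.append("xhost access control disabled: any client may connect")
    for entry in lines[1:]:
        if entry == "LOCAL:":
            # `xhost +local:` -> every local user, regardless of UID, is trusted
            problems.append("LOCAL: entry grants all local users access")
        elif entry.startswith(("INET:", "INET6:")):
            # host-based entries trust every account on that host
            problems.append(f"host-based entry {entry} trusts every user on that host")
    return problems


def cookie_findings(path: str, mode: int) -> list:
    """Flag group/other permission bits on the Xauthority cookie file.

    `mode` is the st_mode value (e.g. 0o100600 for a regular file with 0600).
    """
    perms = stat.S_IMODE(mode)
    if perms & 0o077:
        return [f"{path}: cookie file is accessible by group/others (mode {perms:04o})"]
    return []


def audit_live() -> list:
    """Run both checks against the current session; returns all findings."""
    findings = []
    try:
        out = subprocess.run(["xhost"], capture_output=True, text=True, check=True).stdout
        findings += xhost_findings(out)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        findings.append(f"could not query xhost: {exc}")
    cookie = Path(os.environ.get("XAUTHORITY", Path.home() / ".Xauthority"))
    if cookie.exists():
        findings += cookie_findings(str(cookie), cookie.stat().st_mode)
    else:
        findings.append(f"{cookie}: no cookie file found (display may rely on xhost only)")
    return findings


if __name__ == "__main__":
    for item in audit_live() or ["no generic Xorg access-control problems found"]:
        print(item)
```

Run it as the user who owns the session (the one playing user_A in the thread); an empty result only means the generic Xorg controls are closed, so a session that is still reachable by other users points at the remote-access layer rather than the X server itself.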


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 11:52:52 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.