X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log



Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Sender: David Fuhrmann <david.fuhrmann@gmail.com>
From: David Fuhrmann <fuhrmann_mail@web.de>
In-Reply-To: <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de>
Date: Wed, 7 Aug 2013 20:10:44 +0200
Cc: 287@bugs.x2go.org
Message-Id: <E539B638-2553-426F-9092-54BFB09662EF@web.de>
References: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de> <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <CANN0FUgL27BfEyQ_=4nLiY56rHjo5fGsf1OyDK47vLb2Gdi+jg@mail.gmail.com> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de> <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Hi,

To rule out some specific configuration issue in our current system, I installed a fresh Linux Mint inside a virtual machine and was able to confirm the issues.

You should be able to reproduce it easily by doing the same. Choose Linux Mint Debian Edition, 64-bit, MATE package and install x2goserver following your instructions for Debian 7.

With best regards,
David


Am 07.08.2013 um 17:56 schrieb David Fuhrmann <fuhrmann_mail@web.de>:

> Hi,
> 
> We are using a Debian-based Linux Mint, and installed the server from the Debian 7 repository IIRC.
> 
> I just tested at home on Ubuntu 10.04, and here it works fine. I think this might be some configuration issue.
> 
> Best,
> David
> 
> Am 07.08.2013 um 16:02 schrieb Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
> 
>> control: tag -1 - wontfix
>> control: tag -1 - not-a-bug
>> 
>> Hi David,
>> 
>> On Mi 07 Aug 2013 13:54:14 CEST David Fuhrmann wrote:
>> 
>>> thanks
>>> 
>>> ... for the answer. We just retested it today in our environment, and the
>>> issue is still as described. Especially we did:
>>> 
>>> 1) user_A starts an Xfce X2Go session on hostA, without starting
>>> x2godesktopsharing.
>>> 2) user_B logs in at hostA, using "connect to local desktop". It sees an X
>>> session under its own user name, and a port. user_B can click on "full
>>> access" and gets access to the session.
>>> 
>>> Second test:
>>> - user_A starts x2godesktopsharing, but leaves the default setting (do not
>>> allow access, with cross).
>>> - user_B sees same behaviour as described above
>>> 
>>> Third test:
>>> - user_A starts x2godesktopsharing and enables access (green icon in
>>> menu bar)
>>> - user_B now sees two sessions in the session list: one with his own user
>>> name, one with user_A's user name. Both have the same port. If user_B
>>> selects the one which has user_A as its name, he can only connect to view,
>>> and eventually, this connection gets refused. (In the meantime, user_A
>>> sees a question dialog asking user_B for access in the session.)
>>> But still, user_B sees a session with his own name, and can connect to it
>>> and gets full access to the xfce session started by user_A.
>>> 
>>> So in summary: The x2godesktopsharing has no effect at all when it should
>>> block all accesses, and only works partly when it should allow individual
>>> access.
>>> 
>>> In our environment, every machine has the same logins provided by an LDAP
>>> server. I will retest at home to see how it behaves with normal local users.
>> 
>> Ok, thanks for re-testing. I am undoing the tags made earlier on this issue. This is indeed a big issue that needs immediate fixing!!!
>> 
>> Next question: what distro are you on? I tested on Debian and it worked flawlessly. Do you have any chance to test on Debian or Ubuntu (if you are on some RPM-based distro)?
>> 
>> Greets,
>> Mike
>> 
>> 
>> -- 
>> 
>> DAS-NETZWERKTEAM
>> mike gabriel, herweg 7, 24357 fleckeby
>> fon: +49 (1520) 1976 148
>> 
>> GnuPG Key ID 0x25771B31
>> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>> 
>> freeBusy:
>> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
> 



X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 11:23:29 2024; Machine Name: ymir.das-netzwerkteam.de
