X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.


Subject: Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 10:10:56 +0200
From: "Fred Her." <x2go@edhil.net>
To: 287@bugs.x2go.org
[Message part 1 (text/plain, inline)]
Actually, this seems not to be an X2Go issue but a Linux Mint issue: by
default, there is an "xhost +" command launched at session startup for all
users.

If you type "xhost -", then you should see the normal behavior again:
userB will get a "no desktop found" message if he tries to connect to the x2go
host.

So, the workaround is to remove the "xhost +" command in the Control Panel >
Startup Applications for each user,

or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
(but this could come back if the package ubuntu-system-adjustments is
updated)

or change this file to:

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
X-MATE-Autostart-enabled=false
Hidden=true

Note to x2go packages maintainer:
Maybe this should be an option to check/disable when the x2goserver package
is installed?

Or maybe a warning should be issued if "xhost" is set to + when a user
connects?
[Message part 2 (text/html, inline)]
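
The check the message above asks the maintainers for, as an added example (not code from X2Go, Linux Mint or the original poster): it lists autostart entries that still run a bare "xhost +" and recognises `xhost` output that reports access control as disabled. The function names are hypothetical, and it assumes that only Hidden=true switches an entry off on every desktop.

```sh
#!/bin/sh
# Added example (not X2Go or Linux Mint code): find autostart entries that
# still run a bare "xhost +", and recognise an X server with access control off.

# True if FILE's Exec line is a bare "xhost +". "xhost +host" or
# "xhost +si:localuser:name" only add one entry and are not matched.
entry_runs_xhost_plus() {
    grep -Eq '^Exec[[:space:]]*=[[:space:]]*([^[:space:]]*/)?xhost[[:space:]]+\+[[:space:]]*$' "$1"
}

# True if FILE is switched off with the XDG key Hidden=true.
# Assumption: X-MATE-Autostart-enabled=false is honoured by MATE only,
# so on its own it is not counted as disabling the entry.
entry_is_hidden() {
    grep -Eq '^Hidden[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Print every active "xhost +" entry. Pass directories most-important first
# (user directory, then system directory): a file name found in an earlier
# directory masks later copies, as in the XDG autostart lookup order.
audit_autostart() {
    seen=' '
    for dir in "$@"; do
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            name=${f##*/}
            case "$seen" in *" $name "*) continue ;; esac
            seen="$seen$name "
            if entry_runs_xhost_plus "$f" && ! entry_is_hidden "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Reads `xhost` output on stdin; true if the server accepts any client.
xhost_is_open() {
    grep -q '^access control disabled'
}

# Usage: sh audit.sh "$HOME/.config/autostart" /etc/xdg/autostart
if [ "$#" -gt 0 ]; then
    audit_autostart "$@"
fi
```

Inside a running session, `xhost | xhost_is_open && echo "warning: X access control is disabled"` gives the connect-time warning the message suggests.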



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 11:41:58 2024; Machine Name: ymir.das-netzwerkteam.de
