X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#287: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 287@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 07 Aug 2013 09:47:24 +0000
Resent-Message-ID: <handler.287.B287.137586862022955@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 287
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
Received: via spool by 287-submit@bugs.x2go.org id=B287.137586862022955
          (code B ref 287); Wed, 07 Aug 2013 09:47:24 +0000
Received: (at 287) by bugs.x2go.org; 7 Aug 2013 09:43:40 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED autolearn=ham
	version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir (Postfix) with ESMTPS id EF9A05DB1E
	for <287@bugs.x2go.org>; Wed,  7 Aug 2013 11:43:39 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id B17899FD
	for <287@bugs.x2go.org>; Wed,  7 Aug 2013 11:43:39 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id A33163BAC6
	for <287@bugs.x2go.org>; Wed,  7 Aug 2013 11:43:39 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id F9cwC4Z+yPaO for <287@bugs.x2go.org>;
	Wed,  7 Aug 2013 11:43:39 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 80A333BBA2
	for <287@bugs.x2go.org>; Wed,  7 Aug 2013 11:43:39 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 5CB4C3BAC6
	for <287@bugs.x2go.org>; Wed,  7 Aug 2013 11:43:39 +0200 (CEST)
Received: by grimnir.das-netzwerkteam.de (Postfix, from userid 33)
	id 18E0E3BBA2; Wed,  7 Aug 2013 11:43:38 +0200 (CEST)
Received: from nocatv2.tng.de (nocatv2.tng.de [213.178.75.58]) by
 mail.das-netzwerkteam.de (Horde Framework) with HTTP; Wed, 07 Aug 2013
 11:43:38 +0200
Message-ID: <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de>
X-Priority: 3 (Normal)
Date: Wed, 07 Aug 2013 11:43:38 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: David Fuhrmann <fuhrmann_mail@web.de>, 287@bugs.x2go.org
References: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de>
In-Reply-To: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de>
MIME-Version: 1.0
Content-Type: multipart/signed;
 boundary="=_au4h0r792a2";
 protocol="application/pgp-signature";
 micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.4)
[Message part 1 (text/plain, inline)]
control: tag -1 moreinfo
control: tag -1 not-a-bug
control: tag -1 wontfix

On Mi 07 Aug 2013 07:36:18 CEST David Fuhrmann wrote:

> I just noticed that x2goserver allows to connect to ALL running X  
> sessions on the target machine, using "connect to local desktop".  
> These might be logged in local users, or NX sessions which were not  
> terminated correctly. This is especially worse in the latter case,  
> as the screen is not locked here, normally.
>
> This is a HUGE security leak, as now all users are able to access  
> data of the other users, and hinder them from working by  
> manipulating current sessions.
>
> Normal remote desktop software should BLOCK such access by default,  
> and only allow it when the user explicitly requested it or  
> configured it so.

I just tested this to be really sure that this is a not-a-bug report...

What you describe only works for the same login!!!! So if my user  
(sunweaver) logs in locally to an X-Session and ,,sunweaver'' then  
connects via X2Go to connect to a local X session then I can access my  
__own__ local X sessions.

However, I cannot access other users' sessions unless they grant  
access via the X2Go Desktop Sharing utility.

Please re-test and re-confirm or post a message that states that the  
mistake was on your part.

Thanks+Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 13:16:33 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.