X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#287: Fwd: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Reply-To: Stefan Baur <newsgroups.mail2@stefanbaur.de>, 287@bugs.x2go.org
Resent-From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Sat, 17 Aug 2013 15:48:01 +0000
Resent-Message-ID: <handler.287.B287.137675447528164@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 287
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: moreinfo
Received: via spool by 287-submit@bugs.x2go.org id=B287.137675447528164
          (code B ref 287); Sat, 17 Aug 2013 15:48:01 +0000
Received: (at 287) by bugs.x2go.org; 17 Aug 2013 15:47:55 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=SPF_HELO_PASS,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9])
	by ymir (Postfix) with ESMTP id B8F063BDED
	for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:47:54 +0200 (CEST)
Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27])
	by mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis)
	id 0MZ7a0-1VP55b2pu0-00LT0C; Sat, 17 Aug 2013 17:35:23 +0200
Message-ID: <520F983C.6040904@stefanbaur.de>
Date: Sat, 17 Aug 2013 17:35:24 +0200
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: 287@bugs.x2go.org, x2go@edhil.net
References: <loom.20130816T163241-4@post.gmane.org>
In-Reply-To: <loom.20130816T163241-4@post.gmane.org>
X-Forwarded-Message-Id: <loom.20130816T163241-4@post.gmane.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V02:K0:NQoRJSOAj31Z/x8dTBZH+A+aha0jvPjQUvKunxj02x5
 prtFv4w/aK5GMxZj1+jwMacNhBQRd80hazOI4izo3UKA/ZSu9S
 QZUNVxfvJ8D3/+LErO5uQb+1yvWE4w6133f0Uq6EvNW6Ba5KqX
 KNlBxN5ImJg2l7CKgotDrfFNK3viOo+70louvh0gwC1VlfLAIC
 cezug3cWfX6ZHDuyJDH2Jl6Qwj+LoTx+kKz7n8GW0awZ9ER4+r
 0eqL1ZvudAqGl6uNj1SUSlMbXoiEbQQo2cWB4wNBWM0hikCOd0
 mr9XFtKmjJ8Hryef4h4b6iw5z+mTOER2VEvvMkyhnDB6XWeXTX
 AOh1wkGv0NfSi99MIICla51QTGRSZa+jlQ6kU3sja
Looks like this info wasn't forwared to the bugtracker, forwarding manually.


-------- Original-Nachricht --------
Betreff: 	[X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X 
server sessions by default
Datum: 	Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
Von: 	Fred Her. <x2go@edhil.net>
Antwort an: 	x2go-dev@lists.berlios.de
An: 	x2go-dev@lists.berlios.de



Actually, this is not an x2go issue, this is a linux mint issue : by
default, there is a "xhost +" command launched at session startup for all
users.

If you type "xhost - ", then you should see the normal behavior again :
userB will get a "no desktop found" message if he try to connect to the x2go
host.

So, the workaround is to remove the "xhost +" command in the Control Panel >
Startup Applications for each user,

or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
(but this could come back if the package ubuntu-system-adjustments is
updated)

or change this file to:

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=Xhost +
Exec=xhost +
Terminal=false
Type=Application
StartupNotify=false
Terminal=false
X-MATE-Autostart-enabled=false
Hidden=true

note to x2go packages maintainers:
Maybe this should be an option to check/disable when the x2goserver package
is installed?

Or maybe a warning should be issued if "xhost" is set to + when a user
connect?

_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 13:18:54 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.