X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

X-Loop: owner@bugs.x2go.org
Subject: Bug#287: [X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default
Reply-To: Stefan Baur <newsgroups.mail2@stefanbaur.de>, 287@bugs.x2go.org
Resent-From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Sat, 17 Aug 2013 16:03:02 +0000
Resent-Message-ID: <handler.287.B287.137675460228612@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 287
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: moreinfo
Received: via spool by 287-submit@bugs.x2go.org id=B287.137675460228612
          (code B ref 287); Sat, 17 Aug 2013 16:03:02 +0000
Received: (at 287) by bugs.x2go.org; 17 Aug 2013 15:50:02 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=SPF_HELO_PASS,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9])
	by ymir (Postfix) with ESMTP id 064C83BDED
	for <287@bugs.x2go.org>; Sat, 17 Aug 2013 17:50:01 +0200 (CEST)
Received: from [192.168.0.3] (dslb-088-067-155-037.pools.arcor-ip.net [88.67.155.37])
	by mrelayeu.kundenserver.de (node=mrbap2) with ESMTP (Nemesis)
	id 0LlYpT-1VhrOY0sRb-00ad0B; Sat, 17 Aug 2013 17:37:29 +0200
Message-ID: <520F98B9.3030208@stefanbaur.de>
Date: Sat, 17 Aug 2013 17:37:29 +0200
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 287@bugs.x2go.org, 
 x2go-dev@lists.berlios.de
CC: David Fuhrmann <fuhrmann_mail@web.de>
References: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de> <20130807114338.13215dfoanwep8sq@mail.das-netzwerkteam.de> <CANN0FUgL27BfEyQ_=4nLiY56rHjo5fGsf1OyDK47vLb2Gdi+jg@mail.gmail.com> <20130807160258.61246yer4vhkibo2@mail.das-netzwerkteam.de> <7590CCCD-172A-4E9A-BF38-49ADA374C4C1@web.de> <E539B638-2553-426F-9092-54BFB09662EF@web.de> <20130807212225.14293ngtwzvr07sh@mail.das-netzwerkteam.de> <16BAD52E-0196-43DC-A0D5-57BB7B844530@web.de> <32EA1C31-9067-4862-B5A7-24F6909253B3@web.de> <20130817172816.13812lxtcg86qc9c@mail.das-netzwerkteam.de>
In-Reply-To: <20130817172816.13812lxtcg86qc9c@mail.das-netzwerkteam.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Please look at message

From: Fred Her.  <x2go@edhil.net>
Date: Fri, 16 Aug 2013 14:47:40 +0000 (UTC)
Message-ID: <loom.20130816T163241-4@post.gmane.org>


which I just forwarded to the bugtracker (seems it went to the list, but 
not the bugtracker).

Looks like the root cause for the problem has been found and it is 
indeed a Linux Mint configuration stupidity.

-Stefan

On 17.08.2013 17:28, Mike Gabriel wrote:
> Hi David,
>
> On Sa 17 Aug 2013 09:03:21 CEST David Fuhrmann wrote:
>
>> Any news regarding this bug?
>
> I have set up a test VM for this issue today and I can absolutely
> confirm what you report.
>
> I will investigate that further today/tomorrow, and I am quite sure
> of being able to exploit this without X2Go as well.
>
> My guess is a misconfiguration in Linux Mint around the local X-Server.
>
> Mike


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 12:40:29 2024; Machine Name: ymir.das-netzwerkteam.de
