X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #89 received at control@bugs.x2go.org:

Message-ID: <20130817204255.119582nheui8tcfj@mail.das-netzwerkteam.de>
Date: Sat, 17 Aug 2013 20:42:55 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 287@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X
 server sessions by default
References: <loom.20130816T163241-4@post.gmane.org>
 <520F983C.6040904@stefanbaur.de>
In-Reply-To: <520F983C.6040904@stefanbaur.de>
title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks

Hi all,

On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:

> Actually, this is not an x2go issue, this is a Linux Mint issue: by
> default, there is a "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost -", then you should see the normal behavior again:
> userB will get a "no desktop found" message if he tries to connect to the x2go
> host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true

We (David and I) just figured out the same... (what a race
condition...). Thanks! What a security leakage if people start using
Linux Mint in multi-user operation mode (like with X2Go or locally or
with LTSP).

With xhost + for every user you can launch applications on other
people's desktops and also read out their clipboards' contents.

/me rarely has to puke at other people's work, but this time... Well, yes.

> note to x2go packages maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?

No! We won't work around such grave issues in distributions or in
other packages. This needs to be immediately fixed in Linux Mint
upstream.

> Or maybe a warning should be issued if "xhost" is set to + when a user
> connects?

Nope! In default setups no other distro evokes xhost + on session
startup. This is just insane!!! So we ignore this issue in X2Go
upstream completely.

Stay away from Linux Mint with X2Go (or actually at all) till this has
been fixed in Mint.

light+love,
Mike

PS: quote me freely if needed...


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
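An added audit helper for the condition discussed in this report (it is not part of X2Go or of the bug log): it checks whether an autostart entry like the quoted mint-xhost-plus.desktop still runs "xhost +" (i.e. is not neutralised by Hidden=true or an *-Autostart-enabled=false key) and whether the running X server reports access control as disabled. It assumes POSIX sh with grep and the /etc/xdg/autostart layout mentioned above; the two .desktop samples are constructed.

```shell
#!/bin/sh
# Audit helper (added example, not X2Go code). Assumes POSIX sh + grep.

# Read a .desktop file on stdin. Return 0 if it runs "xhost +" and is
# still active, i.e. not disabled by Hidden=true or *-Autostart-enabled=false.
xhost_plus_active() {
    content=$(cat)
    printf '%s\n' "$content" | grep -Eq '^Exec=[[:space:]]*xhost[[:space:]]+\+' || return 1
    printf '%s\n' "$content" | grep -Eiq '^Hidden=true$' && return 1
    printf '%s\n' "$content" | grep -Eiq '^X-[A-Za-z]+-Autostart-enabled=false$' && return 1
    return 0
}

# Read "xhost" output on stdin. Return 0 if the server reports access
# control disabled (the state "xhost +" leaves behind: any local user,
# including other X2Go/LTSP users, can attach to this display).
xhost_acl_disabled() {
    grep -q 'access control disabled'
}

# Walk the system and per-user autostart directories and report every
# entry that would still re-enable "xhost +" at session start.
scan_autostart() {
    for f in /etc/xdg/autostart/*.desktop "$HOME"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        xhost_plus_active < "$f" && printf 'ACTIVE xhost + autostart: %s\n' "$f"
    done
    return 0
}

# Constructed samples: the stock entry as described in the report, and the
# disabled variant Stefan suggests (Hidden=true, X-MATE-Autostart-enabled=false).
MINT_ENABLED='[Desktop Entry]
Name=Xhost +
Exec=xhost +
Type=Application'

MINT_DISABLED='[Desktop Entry]
Name=Xhost +
Exec=xhost +
Type=Application
X-MATE-Autostart-enabled=false
Hidden=true'
```

On a live desktop, `scan_autostart` plus `xhost | xhost_acl_disabled` gives a quick yes/no for both halves of the problem: the entry that causes it and the server state it leaves behind.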



X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Apr 19 19:35:56 2024; Machine Name: ymir.das-netzwerkteam.de
