X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log

MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#287 closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default)
Message-ID: <handler.287.c.13767649844857.notifdone@bugs.x2go.org>
References: <20130817204255.119582nheui8tcfj@mail.das-netzwerkteam.de>
X-X2go-PR-Keywords: confirmed moreinfo wontfix
X-X2go-PR-Message: they-closed 287
X-X2go-PR-Package: x2goserver
X-X2go-PR-Source: x2goserver
Date: Sat, 17 Aug 2013 18:48:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1376765282-5884-0"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the x2goserver package:

#287: x2goserver allows to connect to ALL X server sessions by default

It has been closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel <mike.gabriel@das-netzwerkteam.de> by
replying to this email.


-- 
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 287@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
Date: Sat, 17 Aug 2013 20:42:55 +0200
[Message part 3 (text/plain, inline)]
title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks

Hi all,

On Sat 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:

> Actually, this is not an x2go issue, this is a Linux Mint issue: by
> default, there is a "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost -", then you should see the normal behavior again:
> userB will get a "no desktop found" message if he tries to connect to the x2go
> host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true

We (David and I) just figured out the same... (what a race condition...). Thanks! What a security leakage if people start using Linux Mint in multi-user operation mode (like with X2Go or locally or with LTSP).

With xhost + for every user you can launch applications on other people's desktops and also read out their clipboards' contents.

/me rarely has to puke at other people's work, but this time... Well, yes.

> note to x2go packages maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?

No! We won't work around such grave issues in distributions or in other packages. This needs to be immediately fixed in Linux Mint upstream.

> Or maybe a warning should be issued if "xhost" is set to + when a user
> connect?

Nope! In default setups no other distro evokes xhost + on session startup. This is just insane!!! So we ignore this issue in X2Go upstream completely.

Stay away from Linux Mint with X2Go (or actually at all) till this has been fixed in Mint.

light+love,
Mike

PS: quote me freely if needed...


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 4 (application/pgp-signature, inline)]
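The `xhost +` autostart entry and the `Hidden=true` workaround quoted in the message above, turned into a small audit script. This is an added example, not code from the bug report or from the X2Go project: it scans an XDG autostart directory for `.desktop` entries whose `Exec` line runs `xhost +` and reports whether each one would still execute. The sample directory and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from X2Go.
# Audits an XDG autostart directory (e.g. /etc/xdg/autostart) for .desktop
# entries whose Exec line runs "xhost +", which disables X access control
# for every client on the machine, and reports whether each would still run.

# Print "<file> ACTIVE" or "<file> DISABLED" for every xhost + entry found.
# An entry counts as DISABLED when it carries Hidden=true or the MATE key
# X-MATE-Autostart-enabled=false, as in the workaround quoted in the report.
audit_xhost_autostart() {
    dir="$1"
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        # Exec runs xhost with a bare "+" argument (allow all hosts).
        grep -Eq '^Exec=.*xhost[[:space:]]+\+[[:space:]]*$' "$f" || continue
        if grep -Eiq '^Hidden=true[[:space:]]*$' "$f" ||
           grep -Eiq '^X-MATE-Autostart-enabled=false[[:space:]]*$' "$f"; then
            echo "$f DISABLED"
        else
            echo "$f ACTIVE"
        fi
    done
}

# Build a constructed sample directory: the original Mint-style entry, the
# neutralised variant from the report, and an unrelated harmless entry.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '[Desktop Entry]' 'Name=Xhost +' 'Exec=xhost +' \
        'Type=Application' > "$d/mint-xhost-plus.desktop"
    printf '%s\n' '[Desktop Entry]' 'Name=Xhost +' 'Exec=xhost +' \
        'Type=Application' 'X-MATE-Autostart-enabled=false' 'Hidden=true' \
        > "$d/mint-xhost-plus-fixed.desktop"
    printf '%s\n' '[Desktop Entry]' 'Name=Harmless' 'Exec=true' \
        'Type=Application' > "$d/harmless.desktop"
    echo "$d"
}

# Stand-alone run against the constructed directory. On a real system pass
# /etc/xdg/autostart or ~/.config/autostart to audit_xhost_autostart instead.
sample=$(make_sample_dir)
audit_xhost_autostart "$sample"
rm -rf "$sample"
```

Any line reporting ACTIVE means that user sessions on the host will start with X access control switched off, which is the condition the bug report describes.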
[Message part 5 (message/rfc822, inline)]
From: David Fuhrmann <fuhrmann_mail@web.de>
To: submit@bugs.x2go.org
Subject: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 07:36:18 +0200
Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.

This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.

Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 12:58:31 2024; Machine Name: ymir.das-netzwerkteam.de