X2Go Bug report logs - #287: Linux Mint desktops configured too insecurely for multi-user mode
Reported by: David Fuhrmann <fuhrmann_mail@web.de>
Date: Wed, 7 Aug 2013 05:48:02 UTC
Severity: critical
Tags: confirmed, moreinfo, wontfix
Found in version 4.0.1.6
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the x2goserver package:
#287: x2goserver allows to connect to ALL X server sessions by default
It has been closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.
Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel <mike.gabriel@das-netzwerkteam.de> by
replying to this email.
--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks
Hi all,
On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:
> Actually, this is not an x2go issue, this is a Linux Mint issue: by
> default, there is an "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost -", then you should see the normal behavior again:
> userB will get a "no desktop found" message if he tries to connect to the x2go
> host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true
We (David and I) just figured out the same... (what a race
condition...). Thanks! What a security leakage if people start using
Linux Mint in multi-user operation mode (like with X2Go or locally or
with LTSP).
With xhost + for every user you can launch applications on other
people's desktops and also read out their clipboards' contents.
/me rarely has to puke at other people's work, but this time... Well, yes.
> note to x2go package maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?
No! We won't work around such grave issues in distributions or in
other packages. This needs to be immediately fixed in Linux Mint
upstream.
> Or maybe a warning should be issued if "xhost" is set to + when a user
> connects?
Nope! In default setups no other distro evokes xhost + on session
startup. This is just insane!!! So we ignore this issue in X2Go
upstream completely.
Stay away from Linux Mint with X2Go (or actually at all) till this has
been fixed in Mint.
light+love,
Mike
PS: quote me freely if needed...
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 4 (application/pgp-signature, inline)]
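The two conditions the thread turns on (a display whose access control has been switched off by "xhost +", and an autostart entry that re-enables it at every login) can be checked from a shell. The script below is an added example written for this bug log, not code from the X2Go project or from the thread's participants; the path /etc/xdg/autostart/mint-xhost-plus.desktop and the "xhost -" remedy are the ones quoted above, and the parsers take text so they can be tried on constructed input without a running X server.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit an X session for the "xhost +"
# condition Stefan and Mike describe. Parsing is split into functions that take
# text so they can be exercised offline; live_audit runs them on the real host.

# `xhost` with no arguments prints either
#   "access control enabled, only authorized clients can connect"  or
#   "access control disabled, clients can connect from any host".
# $1 = that output; returns 0 (true) when any local client may use the display.
xhost_access_control_disabled() {
  printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Per the Desktop Entry spec an autostart file is skipped when Hidden=true or
# when an X-<DE>-Autostart-enabled=false key disables it (the fix quoted in the
# thread sets both). $1 = .desktop contents; returns 0 when "xhost +" would run.
autostart_runs_xhost_plus() {
  entry="$1"
  printf '%s\n' "$entry" | grep -q '^Exec=xhost +' || return 1
  printf '%s\n' "$entry" | grep -qi '^Hidden=true' && return 1
  printf '%s\n' "$entry" | grep -qi '^X-[A-Za-z]*-Autostart-enabled=false' && return 1
  return 0
}

# Live check on this host. Needs DISPLAY for the xhost part; exit 1 if exposed.
live_audit() {
  rc=0
  f=/etc/xdg/autostart/mint-xhost-plus.desktop   # path named in the report
  if [ -r "$f" ] && autostart_runs_xhost_plus "$(cat "$f")"; then
    echo "EXPOSED: $f runs 'xhost +' at login for every user"; rc=1
  fi
  if [ -n "$DISPLAY" ] && command -v xhost >/dev/null 2>&1 \
     && xhost_access_control_disabled "$(xhost 2>/dev/null)"; then
    echo "EXPOSED: display $DISPLAY accepts any local client; run 'xhost -'"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: X access control in effect"
  return "$rc"
}
```

Run `live_audit` from an interactive session on the suspect machine; a non-zero exit means the "connect to local desktop" exposure from the original report is still open for every other local user.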
[Message part 5 (message/rfc822, inline)]
Package: x2goserver
Version: 4.0.1.6
Severity: critical
Hi,
I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.
This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.
Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.
X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 4 12:58:31 2024; Machine Name: ymir.das-netzwerkteam.de
X2Go Bug tracking system