From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Date: Sun, 16 Sep 2012 09:49:29 +0200
Message-ID: <20120916094929.12371k8sl5num3d5@mail.das-netzwerkteam.de>
Subject: http broker client in X2Go Client: setpass task does not require old password

Package: x2goclient
Severity: important
Version: 3.99.3.0-prerelease

Hi Alex,

The current implementation of the http session broker code in X2Go Client has a task called setpass.

From reading the code of the example session broker you sent me some weeks ago and from looking at the X2Go Client code in httpbrokerclient.cpp you do not request the user to enter his old password before changing it to a new password.

From my perspective this is a no-go feature and it should be changed to something that PAM and other passwd tools would also do. Request the old passwd, set the new password (twice on the GUI).

Even if there is an authentication happening prior to changing the password, the old password should be queried again, before a password change is possible.

With x2gobroker in Git, I would like to work in this direction and we will need an adaptation in X2Go Client sooner or later, I guess.

Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
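
Added example, not part of the original report and not code from X2Go Client or x2gobroker: a server-side sketch contrasting a setpass task that trusts the authenticated session alone with one that asks for the old password again and takes the new password twice. The class `DemoBroker`, its method names and the in-memory PBKDF2 store are hypothetical stand-ins for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this demo


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class DemoBroker:
    """Hypothetical in-memory broker; not the X2Go broker API."""

    def __init__(self):
        self._users = {}  # user -> (salt, password hash)

    def add_user(self, user, password):
        self._store(user, password)

    def _store(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))

    def check_password(self, user, password):
        # Hash and compare in constant time, also for unknown users.
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def setpass_session_only(self, session_user, new):
        """Behaviour the report objects to: a logged-in session is enough."""
        self._store(session_user, new)
        return True

    def setpass_reauth(self, session_user, old, new, new_repeat):
        """Requested behaviour: old password once, new password twice."""
        if not self.check_password(session_user, old):
            return False  # session holder could not prove knowledge of the secret
        if not new or new != new_repeat:
            return False  # empty or mistyped new password
        self._store(session_user, new)
        return True
```

The re-check has to happen in the broker's handler; a client dialog that merely asks for the old password without the server verifying it changes nothing for a request sent over an already authenticated session.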