X2Go Bug report logs - #334
Don't allow users to override X2Go commands via ~/bin (or similar)


Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Tue, 29 Oct 2013 12:41:16 UTC

Severity: important

Tags: pending

Fixed in version 0.5.0.0

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#334; Package x2goclient. (Tue, 29 Oct 2013 12:41:16 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 29 Oct 2013 12:41:16 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: Don't allow users to override X2Go commands via ~/bin (or similar)
Date: Tue, 29 Oct 2013 12:41:06 +0000
Package: x2goclient
Severity: important

In X2Go it is currently possible to replace every command in X2Go Server by a command of the same name in ~/bin.

An attacker could use this to infiltrate X2Go Client with arbitrary data.

IMHO, we should make sure X2Go Client only uses system-wide paths when evoking commands on X2Go Servers.

This, of course, will boycott installing X2Go Server into ~<user> space, but actually, I prefer a safe setup to such custom installation tweaks.

Feedback?!?

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

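The weakness described in this report, as an added example that is not python-x2go's own code: the "before" form resolves the server-side command through the remote shell's PATH, the hardened form pins PATH to system directories, and two helper checks flag a user-controlled PATH entry or a ~/bin file that collides with an installed X2Go Server command. SYSTEM_PATH, the sample PATH value and the file names are constructed assumptions.

```python
"""Added example for Bug #334 (not python-x2go's own code): build the remote
command line so only system-wide paths are searched, plus two defender checks."""
import shlex

# Assumed system-wide search path for X2Go Server commands.
SYSTEM_PATH = ("/usr/local/bin", "/usr/bin", "/bin")


def vulnerable_remote_command(name, *args):
    """Before: the name is resolved by the remote login shell's PATH, so a
    same-named file in ~/bin (when ~/bin precedes the system directories)
    runs instead of the real X2Go Server command."""
    return " ".join(shlex.quote(a) for a in (name,) + args)


def hardened_remote_command(name, *args):
    """After: accept only a bare x2go* command name and prefix an exported,
    fixed PATH so user-writable directories are never searched.
    Assumes a POSIX sh as the server-side login shell."""
    if "/" in name or not name.startswith("x2go"):
        raise ValueError("not a bare X2Go Server command: %r" % (name,))
    prefix = "PATH=%s; export PATH; " % shlex.quote(":".join(SYSTEM_PATH))
    return prefix + " ".join(shlex.quote(a) for a in (name,) + args)


def user_controlled_path_entries(path_value, home):
    """Check: PATH entries a user can populate (under $HOME, relative, or
    empty). Any hit means the vulnerable form above can be redirected."""
    home = home.rstrip("/")
    hits = []
    for entry in path_value.split(":"):
        if (entry == "" or not entry.startswith("/")
                or entry == home or entry.startswith(home + "/")):
            hits.append(entry)
    return hits


def shadowed_commands(user_bin_names, system_command_names):
    """Check: names in a user-writable bin directory that collide with
    X2Go Server commands installed system-wide."""
    return sorted(set(user_bin_names) & set(system_command_names))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    print(vulnerable_remote_command("x2golistsessions"))
    print(hardened_remote_command("x2golistsessions"))
    print(user_controlled_path_entries(
        "/home/alice/bin:/usr/local/bin:/usr/bin:/bin:", "/home/alice"))
    print(shadowed_commands(["x2golistsessions", "backup.sh"],
                            ["x2golistsessions", "x2gostartagent"]))
```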

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#334; Package x2goclient. (Tue, 29 Oct 2013 13:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 29 Oct 2013 13:48:02 GMT) (full text, mbox, link).


Message #10 received at 334@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 334@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)
Date: Tue, 29 Oct 2013 13:43:08 +0000
clone #334 -1
reassign #334 python-x2go
thanks

Hi all,

On Di 29 Okt 2013 13:41:06 CET, Mike Gabriel wrote:

> Package: x2goclient
> Severity: important
>
> In X2Go it is currently possible to replace every command in X2Go  
> Server by a command of the same name in ~/bin.
>
> An attacker could use this to infiltrate X2Go Client with arbitrary data.
>
> IMHO, we should make sure, X2Go Client only uses system-wide paths  
> when evoking commands on X2Go Servers.
>
> This, of course, will boycott installing X2Go Server into ~<user>  
> space, but actually, I prefer a safe setup to such custom  
> installation tweaks.
>
> Feedback?!?
>
> Mike

This issue also applies to Python X2Go.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Bug 334 cloned as bug 336 Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 29 Oct 2013 13:48:03 GMT) (full text, mbox, link).


Bug reassigned from package 'x2goclient' to 'python-x2go'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 29 Oct 2013 13:48:03 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#334; Package python-x2go. (Mon, 16 Jun 2014 06:40:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 16 Jun 2014 06:40:02 GMT) (full text, mbox, link).


Message #19 received at 334@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 334-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 334@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as pending for release
Date: Mon, 16 Jun 2014 08:35:21 +0200 (CEST)
tag #334 pending
fixed #334 0.5.0.0
thanks

Hello,

X2Go issue #334 (src:python-x2go) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=754bf16

The issue will most likely be fixed in src:python-x2go (0.5.0.0).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 754bf16bb2d9f380da16963fd6eb4866cfbfd875
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Mon Jun 16 08:34:16 2014 +0200

    Disallow server-side users to override X2Go Server commands via ~/bin (or similar). (Fixes: #334).

diff --git a/debian/changelog b/debian/changelog
index 00f6ec1..67943f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -58,6 +58,8 @@ python-x2go (0.5.0.0-0x2go1) UNRELEASED; urgency=low
       instance (happens with polyinstantiated /tmp dirs).
     - Don't start telekinesis client if not support server-side. Don't attempt
       at starting telekinesis client, if it is not installed.
+    - Disallow server-side users to override X2Go Server commands via
+      ~/bin (or similar). (Fixes: #334).
   * debian/control:
     + Add dependencies: python-requests, python-simplejson.
   * python-x2go.spec:
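Review bot: this hunk only touches debian/changelog, so the behaviour the new entry claims ("Disallow server-side users to override X2Go Server commands via ~/bin (or similar)") cannot be verified from the lines shown; the entry also does not say how the override is prevented, e.g. whether server-side commands are now invoked by absolute path or with a fixed PATH. Suggest extending the entry to name the mechanism so packagers can check it against the full commitdiff linked above for 754bf16.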


Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 16 Jun 2014 06:40:02 GMT) (full text, mbox, link).


Marked as fixed in versions 0.5.0.0. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 16 Jun 2014 06:40:02 GMT) (full text, mbox, link).


Message sent on to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug#334. (Mon, 16 Jun 2014 06:40:03 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#334; Package python-x2go. (Mon, 20 Oct 2014 10:55:04 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 20 Oct 2014 10:55:05 GMT) (full text, mbox, link).


Message #31 received at 334@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 334-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 334@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as closed
Date: Mon, 20 Oct 2014 12:50:22 +0200 (CEST)
close #334
thanks

Hello,

we are very hopeful that X2Go issue #334 reported by you
has been resolved in the new release (0.5.0.0) of the
X2Go source project »src:python-x2go«.

You can view the complete changelog entry of src:python-x2go (0.5.0.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=3fec411b839b53c0e51a73dd05c7a77dcde800e8;hp=3088eda9bf1494527afecc4b36c56a8caff314d0

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:python-x2go.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:python-x2go
Version: 0.5.0.0-0x2go1
Status: RELEASE
Date: Mon, 20 Oct 2014 12:40:34 +0200
Fixes: 334 358 500 508 532 537 588 602
Changes: 
 python-x2go (0.5.0.0-0x2go1) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream version (0.5.0.0):
     - Split up session profile backend into generic and storage specific
       parts.
     - Fully rework backend concept in Python X2Go. Breaks compatibility
       with earlier versions of Python X2Go concerning backends (probably
       not really used by third-party products, if at all).
     - Fix setting default values in X2GoClientXConfig class.
     - Default to xdg-open as default PDF viewer command.
     - Provide session profile backend for a http broker.
     - Make session profile backends more unicode robust.
     - X2GoSessionProfile.get_server_hostname must return unicode objects.
     - Speed-optimize session profile ID <-> name mapping.
     - Handle injection of PKey (Paramiko SSH key) objects for authentication
       from the broker session profiles backend.
     - Allow catching "connection refused" errors while talking to an X2Go
       Session Broker (X2GoBrokerConnectionException).
     - Support cookie based authentication against a http(s) session broker.
     - On Windows: Improve debugging when a new X-Server port has to be
       allocated.
     - Capture broker connection problems during selectsession calls to the
       broker via a HOOK method.
     - Allow user interaction via a HOOK if broker connection problems occur.
     - Handle broker setups that don't require credentials. Connection can
       be established simply by leaving the password (and authid) empty.
     - Fix detection of matching path names in X2GoIniFiles.
     - Make sure X2GoClientXConfig config file really gets written to disk
       (after we changed the internas of X2GoIniFile for this new major release).
     - Rename hook method HOOK_no_known_xserver_found to
       HOOK_no_installed_xservers_found. Call this new hook if no installed
       X-Servers could be found on the system.
     - Only check running X-Servers that have the same WMI SessionId as the
       current X2Go application.
     - Session profiles: default value type for exports session profile option
       is an empty dictionary.
     - Make X2GoClient's constructor aware of non-usable X-Server ports.
     - Windows: Fix crash while attempting to find the session window.
     - Support SSH proxy autologin feature of X2Go Session Broker.
     - Provide Telekinesis support in Python X2Go.
     - Stop manipulating session profiles in X2GoSshProxy class. Esp. stop
       manipulating session profiles with deprecated session options.
     - Type-hardening of X2GoSshProxy class. Accept hosts as list and strings.
       If hosts are given as a list, a random list element will be taken as
       host (for connecting and for the SSH proxy tunnel setup).
     - Type-hardening of X2GoControlSession class's C{connect()} method.
       Handle hostnames that come in as lists gracefully.
     - Don't construct the sshproxy_tunnel parameter in x2go/utils.py. Leave
       that to higher level classes that know more about X2Go internals.
     - Add support for a subsystem string when setting up port forwarding
       tunnels.
     - Use gevent to spawn the TeKi client start-up process (instead of waiting
       for it to return).
     - Provide support for new session parameter: clipboard. (Fixes: #508).
     - Split up NX output and NX errors into two separate files.
     - Silent ignore it if we cannot detect the local Xlib.display.Display()
       instance (happens with polyinstantiated /tmp dirs).
     - Don't start telekinesis client if not support server-side. Don't attempt
       at starting telekinesis client, if it is not installed.
     - Disallow server-side users to override X2Go Server commands via
       ~/bin (or similar). (Fixes: #334).
     - Handle non-available color depth in X2Go session name gracefully.
       (Fixes: #358).
     - Make sure that the x2gosuspend-session/x2goterminate-session commands
       are sent to the X2Go Server before we take down the NX proxy subprocess.
     - Create a "session.window" file in the session directory. This file for now
       contains one line "ID:<window-id>". The file appears once a session window
       comes up (start/resume), and disappears once the session window closes
       (suspend/terminate).
     - Only enable Telekinesis client debugging if the logger instance is in
       debug mode.
     - Performance tests have shown, that enabling SSH compression is not a
       good idea. NX should handle that instead (and does).
     - Better control the startup bootstrap of the Telekinesis client
       subsystem.
     - Newly understand our own Paramiko/SSH forwarding tunnel code. Become
       aware of handling multiple connects on the same tunnel.
     - Rename LICENSE.txt to COPYING.
     - Be more exact when detecting the NX proxy window id.
     - On non-Windows platforms, enforce usage of the "ares" DNS resolver in
       python-gevent (which is available since Python gevent 1.0~). (Fixes:
       #588).
     - Use Xlib to detect client-side destop geometry.
     - For reverse port forwardings use IPv4 localhost address only.
     - Assure proper NX Proxy cleanup when sessions suspends/
       terminates.
     - Assure proper Telekinesis client cleanup when sessions suspends/
       terminates.
     - Clean up terminal sessions properly when the clean_sessions() method
       of the control session has got called.
     - Don't use compression on  TeKi sshfs mounts.
     - Handle duplicate profile names gracefully (i.e. append a " (1)",
       " (2)", ... to the session profile name). (Fixes: #500).
     - Support server-side Telekinesis versions that ship their own
       (teki-)sftpserver.
     - Use session_name, not session_info object's __str__() method to obtain
       session name (in X2GoTelekinesis).
     - Handle socket errors on the reverse port forwarding tunnels more
       gracefully.
     - Handle sudden control session death during local folder sharing
       gracefully.
     - Don't choke on non-initialized SSH transport objects when initializing
       SFTP client.
     - Fix transport lock release in X2GoControlSession._x2go_sftp_put().
     - Fix session lock release in various methods of the X2GoSession class.
     - Release _share_local_folder_lock on instance X2GoTerminalSession
       destruction.
     - Detect non-installed sshfs (required for Telekinesis).
     - X2GoControlSession: Don't mess with the associated_terminals dict if
       the control session has already died away (i.e. been forcefully
       disconnect).
     - If the listsessions command detects a terminated or suspended session,
       we have to destroy the corresponding X2GoTerminalSession() to trigger
       a proper cleanup of that instance.
     - Fix various hrefs in __doc__ strings.
     - Fix creating/renaming/reconfiguring session profiles. Handle host
       option properly (as list).
     - Make sure we do a deepcopy of the default session profile parameters.
     - Detect more exceptions in the requests module when authenticating against a
       session broker.
     - Only convert the value of the export session profile option if not
       already a Python dictionary.
     - Capture X2GoControlSessionException occurrences during client-side folder
       sharing initializaation while starting/resuming a session.
     - X2GoSessionRegistry: Don't report about sessions that have a not yet
       fully assigned session name / profile name / profile id.
   * debian/control:
     + Add dependencies: python-requests, python-simplejson.
     + Add R (python-x2go): sshfs.
     + Add S (python-x2go): telekinesis-client, mteleplayer-clientside.
     + Update D (python-x2go): python-paramiko (>= 1.15.1-0~). (Fixes: #602).
   * python-x2go.spec:
     + Add dependencies: python-requests, python-simplejson.
     + Additionally adapt to building on openSUSE/SLES.
     + Add all python packages under R to BR (for epydoc run).
     + Update R for python-x2go: python-paramiko >= 1.15.1.
 .
   [ Mike DePaulo ]
   * New upstream version (0.5.0.0):
     - Windows: Fix compatibility with PulseAudio 3.0 & later (Fixes: #532)
     - Windows: Prevent high PulseAudio CPU usage on Windows XP by lowering
       PulseAudio's CPU priority from "high" to "normal" on XP specifically.
       Also do so on Windows Server 2003 (R2) (Fixes: #537)


Marked Bug as done Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 20 Oct 2014 10:55:20 GMT) (full text, mbox, link).


Notification sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug acknowledged by developer. (Mon, 20 Oct 2014 10:55:20 GMT) (full text, mbox, link).


Message sent on to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug#334. (Mon, 20 Oct 2014 10:55:27 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Tue, 18 Nov 2014 06:24:02 GMT) (full text, mbox, link).




X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 19:56:42 2024; Machine Name: ymir.das-netzwerkteam.de
