X2Go Bug report logs - #354
Make x2goagent listening to TCP connections configurable in x2goserver.conf


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 6 Dec 2013 11:33:02 UTC

Severity: wishlist

Tags: pending

Fixed in version 4.0.1.10

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Message #40 received at 354@bugs.x2go.org:

Date: Fri, 6 Dec 2013 20:56:00 +0100
From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
To: Stefan Baur <newsgroups.mail2@stefanbaur.de>, 354@bugs.x2go.org,
	x2go-dev@lists.berlios.de
Cc: Nick Ingegneri <n_ingegneri@yahoo.com>,
	Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP
 connections configurable in x2goserver.conf

On 13-12-06 19:18, Stefan Baur <newsgroups.mail2@stefanbaur.de> wrote:
> On 06.12.2013 18:44, Nick Ingegneri wrote:
> >Once it became apparent in our testing that exporting displays didn't
> >work as expected, the system administrator who installed it went through
> >the configuration files and documentation looking for a solution. He
> >couldn't find one, so he escalated it to me to look into. If we hadn't
> >been able to find a fix it would have ruled out X2Go from further
> >consideration, which would have been unfortunate as it is currently our
> >leading choice for this particular need.
> 
> In my opinion, Mike is a bit too customer-friendly here by turning
> your request into a wishlist item that lets every newbie shoot
> him-/herself in the foot, security-wise, by toggling a setting in
> the configuration.
> Sorry, but I've seen way too many people go "chmod 777 -R /*" as
> soon as something doesn't work as expected, and I'm fearing the same
> for an easily reachable option to allow TCP connections - because
> "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the
> filesystem.
> 
> Of course, everybody is free to shoot him-/herself in the foot,
> that's why it's Linux - but merely leaving a "this is dangerous"
> note next to the parameter is like sticking a tag "please don't use
> this unless you know what you're doing" on a loaded 12-gauge in a
> room full of toddlers.

There is one more aspect to this: If there is such a configuration
option, then sooner or later the likes of Linux Mint will enable it by
default for all their users, leaving them wide open to the whole world,
despite all the warnings. They did that with 'xhost +'[0].

So I agree that even just having such an option hidden away somewhere
would be very very bad. It needs to be hard and a lot of work to break
security or somebody will do it by default and deploy it on a wide
scale.



Ciao,

Alexander Wuerstlein.

[0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520




X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:06:56 2024; Machine Name: ymir.das-netzwerkteam.de
