X2Go Bug report logs - #354
Make x2goagent listening to TCP connections configurable in x2goserver.conf

Full log

Message #50 received at 354@bugs.x2go.org (full text, mbox, reply):

Received: (at 354) by bugs.x2go.org; 7 Dec 2013 21:30:14 +0000
From newsgroups.mail2@stefanbaur.de  Sat Dec  7 22:30:13 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
	T_FRT_PROFILE2 autolearn=ham version=3.3.2
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186])
	by ymir (Postfix) with ESMTP id 90B7B5DB05
	for <354@bugs.x2go.org>; Sat,  7 Dec 2013 22:30:13 +0100 (CET)
Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27])
	by mrelayeu.kundenserver.de (node=mreu1) with ESMTP (Nemesis)
	id 0Mefts-1WDfTO1x60-00ODAj; Sat, 07 Dec 2013 22:30:10 +0100
Message-ID: <52A39369.8050408@stefanbaur.de>
Date: Sat, 07 Dec 2013 22:30:17 +0100
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 
 Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
CC: 354@bugs.x2go.org, Nick Ingegneri <n_ingegneri@yahoo.com>
Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP
 connections configurable in x2goserver.conf
References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de>
In-Reply-To: <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V02:K0:4fenWVPSL0K0/JpDOJH2Q4iMwlDQn9bUYrI2YbO1dJN
 HZ7KNljGyqk/CEnTDX7VO2aHp835lVMaUrRNdQxGg07DIVtOjt
 6ghAZpgMDe9oYsG0tv6cWmWA5TbAmlkqBBV5VB9KZG/GD4LZJz
 W883GrTUfuf+ZRF9WKFBPggDD0TDcNeo1Je+ODSG4hMVmNu8EK
 fE7bnPAkkhbXbOBzR1KYLrIJpeG3n8YLmwsrdHInvsBiK3bLBn
 6jZYykZpWCNKM8JyWhMebHudhMHSewPfzsH1CLCC/KZ/ic5wE6
 KjQ33gq7P/zZY9r8JBVPZiEi0+hrBZB73rWR2wy2+SaaJ37ltS
 nC8IqssNJmRfKvwzh1zwrY12MYvXJ92yCdIVJN8az

Am 07.12.2013 21:47, schrieb Mike Gabriel:

[copying the last paragraph of your mail to the top, b/c this is the 
most important statement of it]
> And Nick, I also think that you should seriously consider looking at
> the security aspects of your current IT setup. It seems quite
> hackable and you should really be sure that all of your staff
> members are really good friends (which normally is not the case
> for everyone at $WORK).

This, this, and exactly this.


[by Alexander Wuerstlein]
>> So I agree that even just having such an option hidden away somewhere
>> would be very very bad. It needs to be hard and a lot of work to break
>> security or somebody will do it by default and deploy it on a wide
>> scale.

[from Mike]
>  From a security point of view: is there really a severe difference in
> having to edit x2gostartagent or vs. x2goserver.conf as root to enable
> TCP listening for x2goagent?

Yes, there is. Putting it in the config file is convenient for the 
security-ignorant folks. Disabling security features should never be 
convenient.


> If people want to deploy X2Go and need TCP
> enabled they will do that anyway. You do not have to rebuild some binary
> to make that happen even, you just have to create a custom copy of
> x2gostartagent in /usr/local/bin.

And exactly that means extra work. Most security-ignorant folks are 
security-ignorant because they are lazy, they just don't want to bother 
with it.
A config file remains in place during package upgrades.
With x2gostartagent, they'll have to make sure that their copy in 
/usr/local/bin gets pulled (And we should make it hard for them, by 
specifying /usr/bin/x2gostartagent instead of x2gostartagent without a 
path), or they have to change/patch /usr/bin/x2gostartagent with every 
new package version.

This means work. This means paying attention. Things that such folks 
don't like. In fact, if we could, we should make disabling security on 
X2Go a harder and more complex task than re-writing all those insecure 
scripts the user might have. Sadly, we can't.


> @Nick: The above may very well be your workaround...

And indeed it is, for a short-lived migration path.


>>> In my opinion, Mike is a bit too customer-friendly here by turning
>>> your request into a wishlist item that lets every newbie shoot
>>> him-/herself in the foot, security-wise, by toggling a setting in
>>> the configuration.
>
> My current focus is to spread X2Go, get more people interested in X2Go
> and get more people interested in developing / financing X2Go. If I here
> of a use case that involves hundreds of users, then I am open to
> supporting that use case one way or another. I don't think making
> TCP-listening configurable is a security problem. Once you enable that
> option, you should be aware of what you are doing. For sure.

I'm saying it again, you're being too customer-friendly. In this 
particular case, the issue can be fixed by locally patching 
x2gostartagent. With more obscure stuff, you should tell them to 
contract you or Alex for a forked x2go package and have them pay for the 
B**ls**t they want. That way, we don't pollute our main codebase with 
it, plus you get some extra cash.

Man, where are my pills, I don't want to go into full Theo de Raadt mode ...


> The Linux Mint argument does not really count to me, either. As a
> package maintainer of a linux distribution, I can do anything patchy to
> the upstream code I like. People with the Linux Mint attitude may very
> easily patch x2gostartagent and ship a TCP-listening X2Go Server by
> default in their package archive.

See above, it is extra work for them, an extra file outside the config 
tree that they have to monitor for changes, etc. While we can't stop 
them, we can at least make it hard for them to follow through with such 
a plan.


> Wouldn't it make more sense, having
> that option configurable from the start then and providing the
> switch-off in an obvious place (i.e. a conffile)?

No. Just no.


> My point is: if you want to enable TCP listening of x2goagent, you have
> to switch one line in x2gostartagent. What I propose is a config
> parameter for x2goserver.conf that avoids people from nastily hacking
> x2gostartagent.

Again, those who know what they are doing are already able to make the 
change, and should realize the consequences (having to look for changes 
in x2gostartagent with every new release).

Those who do not know what they are doing should not be given access to 
the setting.

There's a reason why you need licenses for firearms, cars, airplanes, 
etc. - and this is the software equivalent.
If one has proven enough coding proficiency to have located the code 
part in x2gostartagent, one is worthy of being allowed to change it on 
one's own.
If you have to ask here, you should either listen to the more 
experienced folks telling you not to change it, or pay one of the core 
developers for a fork, that's my opinion (and not being a core developer 
myself, flames like "you're a greedy a**h**e that thinks of X2Go users 
as cash cows ready for milking" directed at me are outright silly, so - 
shove them, folks).

-Stefan

Send a report that this bug log contains spam.