X2Go Bug report logs - #354
Make x2goagent listening to TCP connections configurable in x2goserver.conf

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 6 Dec 2013 11:33:02 UTC

Severity: wishlist

Tags: pending

Fixed in version 4.0.1.10

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #76 received at 354@bugs.x2go.org (full text, mbox, reply):

Received: (at 354) by bugs.x2go.org; 8 Dec 2013 20:05:22 +0000
From nable.maininbox@googlemail.com  Sun Dec  8 21:05:21 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-bk0-f52.google.com (mail-bk0-f52.google.com [209.85.214.52])
	by ymir (Postfix) with ESMTPS id B92DE5DB1E
	for <354@bugs.x2go.org>; Sun,  8 Dec 2013 21:05:21 +0100 (CET)
Received: by mail-bk0-f52.google.com with SMTP id u14so1049956bkz.25
        for <354@bugs.x2go.org>; Sun, 08 Dec 2013 12:05:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=3E1Dc4gd8g05rJ4sVTIXwzHkT4VTDDoUi0O3xqeu2Zc=;
        b=dBDaeQJxD7YsqnzyIS+oHeCygBw/E/tSGGOo8hrSYHCeHz4nCCFIKXFt4f6SZTvmC5
         u4kE/Zcq3mTFouNCoXfsVV5BNVjb+NlVTYocK8zoVAhXopicU5qUygorrAWBjywkegWj
         1PcqNELLipc/wSggkwYftJzzcrrTB33S4DgRX6MBbzlqn1ANgDZ0MRmWBtuaPw/vggHx
         ql1Uu5m8BND+GfuSLqG7+bPbKYW3jF/E4QaxkRtg6VYDTXSlFUYqbwJbS6uYeQrQ66bw
         QU4dh7h8zlEa9YBqGz9LGVspnDEClrA9LIwJ68ElcPr3cpemugBMANtU2vgwVPNJhnLR
         gevw==
MIME-Version: 1.0
X-Received: by 10.205.36.81 with SMTP id sz17mr4949861bkb.29.1386533121237;
 Sun, 08 Dec 2013 12:05:21 -0800 (PST)
Received: by 10.204.61.72 with HTTP; Sun, 8 Dec 2013 12:05:21 -0800 (PST)
In-Reply-To: <52A4C9F2.5090904@stefanbaur.de>
References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de>
	<52A1BBAE.90909@stefanbaur.de>
	<20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de>
	<52A1C089.3090709@stefanbaur.de>
	<1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com>
	<52A21285.7090407@stefanbaur.de>
	<20131206195600.GA26961@cip.informatik.uni-erlangen.de>
	<20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de>
	<52A39369.8050408@stefanbaur.de>
	<20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de>
	<1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>
	<52A4C9F2.5090904@stefanbaur.de>
Date: Mon, 9 Dec 2013 00:05:21 +0400
Message-ID: <CALxOYEYJYwmwYAJO39sF2avcq=N0jbGwE4Zj-jMcVQc_xyvvyQ@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#354: Things you should know about X (was: Re:
 Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf)
From: Nable 80 <nable.maininbox@googlemail.com>
To: Stefan Baur <newsgroups.mail2@stefanbaur.de>, 354@bugs.x2go.org, 
	x2go-dev@lists.berlios.de
Content-Type: text/plain; charset=ISO-8859-1
Thanks a lot for this interesting discussion.

Although I should comment this thing from the linked article: it
begins with the following words:
> log into the victim's desktop, become root
It's too obvious that with root one can do almost anything, not only
grab X sessions.
So, you article is not a proof of X11 insecurity (after all, we know
that it's not secure, but example is not good), just a howto for root
usage.
One should notice that without root ( who would give root access to
generic employee? except (possibly) on his workstation) you still
cannot access other users' cookies (except cases when one have too
wide permissions or known vulnerabilitites with privelege escalation),
so you cannot grab their X sessions, can you?

2013/12/8, Stefan Baur <newsgroups.mail2@stefanbaur.de>:
> Am 08.12.2013 16:13, schrieb Nick Ingegneri:
>> I think that because I used "xhost +" in my original debugging example,
>> the assumption was immediately made that "xhost +" was my primary
>> concern. My primary concern is that disabling TCP breaks almost every
>> possible use model except for one narrow case (ssh). Among other things,
>> it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid
>> concerns regarding use of TCP on the internet, we have a different
>> hierarchy of concerns regarding what happens on our internal network.
>
> [long blahblah snipped]
>
> If you believe Xauth Cookies alone will protect you from nastiness,
> think again:
> http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11
> for fun and passwords."
>
> All the nastiness shown in that write-up works *with* .Xauthority in place.
> And this was published in 2004, so every script kiddie, every
> pimple-faced youth among your trainees, every disgruntled employee knows
> about this. (And so does the NSA.)
>
> Seriously, I've been in the IT Security business for quite a few years
> *ahem ahem* - and the real enemy usually isn't some obscure Chinese
> hacker, it's an employee, either a lazy and careless one or a malicious
> one that has been turned over by a competitor. So do not trust anyone
> and anything on your network. Encrypt even your internal traffic.
> I've even seen reports of power plugs with surge protectors containing
> Network sniffers. So the spying device has unlimited power supply and
> sits right in your network, logging all your traffic and sending it out
> either via innocuous http requests or via a seperate WiFi network.
>
> And please, do not fool yourself into thinking "but we don't have
> anything to hide". Yes, you have. We all have. Unless you see "1984" as
> an instruction manual.
>
> -Stefan
> _______________________________________________
> X2Go-Dev mailing list
> X2Go-Dev@lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-dev
>


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:13:16 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.