From mike.gabriel@das-netzwerkteam.de Fri Dec 6 12:21:57 2013 Received: (at submit) by bugs.x2go.org; 6 Dec 2013 11:21:57 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 28FAB5DB05 for ; Fri, 6 Dec 2013 12:21:57 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id D641F1EBB7; Fri, 6 Dec 2013 12:21:56 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 5C0E53C2DB; Fri, 6 Dec 2013 12:21:56 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXjXiLb3oHZ4; Fri, 6 Dec 2013 12:21:56 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 29FE93C1DE; Fri, 6 Dec 2013 12:21:56 +0100 (CET) Received: from pD9E9F4D9.dip0.t-ipconnect.de (pD9E9F4D9.dip0.t-ipconnect.de [217.233.244.217]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Fri, 06 Dec 2013 11:21:55 +0000 Date: Fri, 06 Dec 2013 11:21:55 +0000 Message-ID: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> From: Mike Gabriel To: submit@bugs.x2go.org Cc: Nick Ingegneri Subject: Make x2goagent listening to TCP connections configurable in x2goserver.conf User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 217.233.244.217 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_W7q4CCA4wXrmUEPv7g9XuQ1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_W7q4CCA4wXrmUEPv7g9XuQ1 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Package: x2goserver Severity: wishlist Debbugs-Cc: Make x2goagent listening to TCP connections configurable in x2goserver.conf. This was requested by Nick Ingegneri on x2go-user ML. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_W7q4CCA4wXrmUEPv7g9XuQ1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSobNTAAoJEJr0azAldxsxybIQAKU1r6xoJSc9gJm7NL5TaPxs XUokvS3XRnXMl9SkjJUUGx5n+lEEyEBMdqQ6p7TVoTvNgRDcjTRaJaunkLtCDJmO bUhPgQx95iJjSm/PmyWGucqMmJmaXl4f4yXsTzWQTC1YF0t/Hk4rfWiALshg0dvY cjKpHut2buQDEV1vs07nB3AMUo/SUtCm7jXy7wuKpjYII9loucPA+acYO2WkaM2u CKnD0qbph1VWMo0LLIdpl9L/BC0oxQAHp9QXCNPiPlk3Nnsn1JZJwLb1S7dUaa4S K68xxIZLNShZET0xoK+tMuyv3EO7YiK+wg9jF3UBVpKoBgsvnD76OMfc94PuQqsM z9YCd0UJQnukoCVzAGPn+oaFxPZsmIigKwEIre3RPppgxpPgQvL1HyMKrTO0CCVf Ku22Sf/AENiPoO1pPCh6NXliwUP3wR9EU1/zHP6VYAiOovPt0muKgvJc4XrybMrT pTJNQcYPeqPwSgdGHXAzjR0OEqlIv8bhWPAcmY+CQZ0iSrJ+rA/gvisM5EJilwgg 95EaW1fYRY5iJVYi1AD+24PPAfR/K4lAGLNht83/yQiAVaGs9ag87zgkb7JCCwfP OfeLrKPvSvFB8nMghioPnYaJ8g7KCG9f9OwjgHdAYpeql+mGEIUxOJWnUND6XQat PaMqZ6pn2anMZOsjENcl =1fG6 -----END PGP SIGNATURE----- --=_W7q4CCA4wXrmUEPv7g9XuQ1-- From mike.gabriel@das-netzwerkteam.de Fri Dec 6 13:06:26 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 12:06:26 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id EF3595DB05 for <354@bugs.x2go.org>; Fri, 6 Dec 2013 13:06:25 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id AEB0F1EBC4; Fri, 6 Dec 2013 13:06:25 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 9398B3C084; Fri, 6 Dec 2013 13:06:25 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3t+YePb++aCG; Fri, 6 Dec 2013 13:06:25 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 5653A3C06E; Fri, 6 Dec 2013 13:06:25 +0100 (CET) Received: from pD9E9F4D9.dip0.t-ipconnect.de (pD9E9F4D9.dip0.t-ipconnect.de [217.233.244.217]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Fri, 06 Dec 2013 12:06:25 +0000 Date: Fri, 06 Dec 2013 12:06:25 +0000 Message-ID: <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> From: Mike Gabriel To: Stefan Baur Cc: 354@bugs.x2go.org, Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> In-Reply-To: <52A1BBAE.90909@stefanbaur.de> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 217.233.244.217 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_PqYJWdTfxWtpnGKvWMUBlA5"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_PqYJWdTfxWtpnGKvWMUBlA5 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Hi Stefan, On Fr 06 Dez 2013 12:57:34 CET, Stefan Baur wrote: > Am 06.12.2013 12:21, schrieb Mike Gabriel: > >> Make x2goagent listening to TCP connections configurable in >> x2goserver.conf. > >> This was requested by Nick Ingegneri on x2go-user ML. > > IIRC, nolisten TCP was set for security reasons > (Message-ID: > <20120512013211.50944typ0bgbjypn@mail.das-netzwerkteam.de>, Date: > Sat, 12 May 2012 01:32:11 +0200 might trigger some memories ...). > > Are we sure we want to make that option available? The default should be ,,disabled'', of course. However, I think that we should support people that want to use X2Go in their setup as a replacement for *NX*. Making something configurable and putting a big red warning sign above the configuration should be ok IMHO. Feedback? Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_PqYJWdTfxWtpnGKvWMUBlA5 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSob3BAAoJEJr0azAldxsxElIP/2jRI+V0JdWIZN+uD1l+GBLm bRCxPuZZCB5YVJirr7K5EMaEpxAdu6/b8RT12yAM+wC0f/BpeCbvbl/Us5dRdL4D wacFJZE70IRuEEeOZVEck+WRNFwvwRgLT+9SKQDoVa+3x2C6O5Up8SFEmWDCToSB C4iv/2IAsMhCiAJ+znclkcK4pKn4BF/+k7tOOvAoeuYyW8O3Is7HyD5MKFxtHDuZ njF55h1Ewe9GwOo82yMNe4L+CHWRhtkOHNfQtDmLzY+1geTAqck1U7LehBpE32j5 6j2QNTMOqXrVssmCE8r55P91JaK7CX3mVauggYyUJx1HjXIaRaOMfiGWaT4NvCSc y2QyL2HzxvCj2gYUSfAWhs5l3VFm6SI7cm/Slo+BHS3NzywN5sj6zoqZlEqFtclE 61cEr2Pnz9rIl9XNbzdfnmgp3FhYs/yiYU28qedMlQMF5+/Dfu21bylC3uY6dq15 s5Gko8/OGedCNdJ36w6b4wYbcf/93CzI8B9ukRqEp68cAaZjsPnz97x4HcrVTcqp Chl7dIuvny3Cgzk1Y3hdd1IjIKPv+XqRgznwYk8WhUFhDsEtT7IC9QT1zzKO3z9f CYl3Qdn1twfrcPfBXKCj/A//2DXhObE20n3M2ZPNhq8hq+MJ99XUTr74HR2tOR8N 8pIk8rbVp6Rhbl8YbmGW =RM7q -----END PGP SIGNATURE----- --=_PqYJWdTfxWtpnGKvWMUBlA5-- From newsgroups.mail2@stefanbaur.de Fri Dec 6 13:08:16 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 12:08:24 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, URIBL_BLOCKED autolearn=unavailable version=3.3.2 X-Greylist: delayed 755 seconds by postgrey-1.34 at ymir; Fri, 06 Dec 2013 13:08:16 CET Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ymir (Postfix) with ESMTP id 3B01F5DB05; Fri, 6 Dec 2013 13:08:16 +0100 (CET) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mreu1) with ESMTP (Nemesis) id 0LcC9p-1V7Ytj3Dpl-00jd8W; Fri, 06 Dec 2013 12:55:38 +0100 Message-ID: <52A1BBAE.90909@stefanbaur.de> Date: Fri, 06 Dec 2013 12:57:34 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: x2go-dev@lists.berlios.de, 354@bugs.x2go.org, submit@bugs.x2go.org CC: Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> In-Reply-To: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:ZvpCsHDtDn8cqyvMM/3Yijys4uecXvM9YxlygSYjopa gmCzfb1yug6ukHL5XQSzY9BpboQtdZMgE3OSDAEvwS3b4BqCzy vyP4sspLZE3viBj7ZFILV3KAM59CL0ki7M0lq+DsQ/JliIIn4d 2EVnqCCvlGLKlF9VZ0NOWjeVovvrgoMvuzR8nW2I/XhZ7+b1EN GuTS9RgnMGkS8mwQlJHrD716yOPtCwOF3gX2ZPqbaKoYxcVUpN oe5kQ62gWYsGIbh6UQmYKaYZ8OyA55eWWmYL9pz3sk6bAtaoaX c01aOMB8gk+nIKdSp0i1x75r1sAVrtAwIIbfc1qWSYmJ7h6tEO RAPxdw/MIM5ppSCECEtxvMhCxpkR1gObzjrz/9uHh Am 06.12.2013 12:21, schrieb Mike Gabriel: > Make x2goagent listening to TCP connections configurable in > x2goserver.conf. > This was requested by Nick Ingegneri on x2go-user ML. IIRC, nolisten TCP was set for security reasons (Message-ID: <20120512013211.50944typ0bgbjypn@mail.das-netzwerkteam.de>, Date: Sat, 12 May 2012 01:32:11 +0200 might trigger some memories ...). Are we sure we want to make that option available? -Stefan From newsgroups.mail2@stefanbaur.de Fri Dec 6 13:09:52 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 12:09:52 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS autolearn=ham version=3.3.2 X-Greylist: delayed 549 seconds by postgrey-1.34 at ymir; Fri, 06 Dec 2013 13:09:52 CET Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by ymir (Postfix) with ESMTP id 1D0165DB05 for <354@bugs.x2go.org>; Fri, 6 Dec 2013 13:09:52 +0100 (CET) Received: from [192.168.0.3] (dslb-088-067-145-018.pools.arcor-ip.net [88.67.145.18]) by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis) id 0MOELI-1VuNsP0KiS-006LZ7; Fri, 06 Dec 2013 13:09:49 +0100 Message-ID: <52A1BF06.3010200@stefanbaur.de> Date: Fri, 06 Dec 2013 13:11:50 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Mike Gabriel CC: 354@bugs.x2go.org, Nick Ingegneri , x2go-dev@lists.berlios.de Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> In-Reply-To: <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:vUspRHaIkLgQD/ulFIciMlVfTgq1Nx8uxarGN54STFZ NVog2N/+BAkeY90kDYJPH5OVw9TjwXVlp4bOIUDeNGejlCfvpx UNhN06/kVEgKLGVWdWjBggvW3Ise/IxhHLk+d3Z3/RbbyLbeiG y8zo1esZyTv5DQqjmUBbbu9iF062/KLILwsle6fbmfelvEtESB iFbU8/sIokjyn+GEPM3tycRD9suPUQ5iIhkBd5yX780R42+2NH SjyPkAZr2KD7bBEnu6HMMIgY1kCU7PrP1BTvEl4fXWeCGGZUk2 AkAvAx9QmzdIAgnkaiZRw9b1/wDiIYVToj5MQYTOPRElHRxye7 XhHj0RaJkfdgVrP1fFy/Tp10qbP0vkGV2y+RAsrHS Am 06.12.2013 13:06, schrieb Mike Gabriel: >> IIRC, nolisten TCP was set for security reasons [...] > The default should be ,,disabled'', of course. However, I think that we > should support people that want to use X2Go in their setup as a > replacement for *NX*. Making something configurable and putting a big > red warning sign above the configuration should be ok IMHO. http://www.youtube.com/watch?v=tsXEToflqGs (Can't watch videos/don't have sound while you're reading this? Go here for a textual description: http://tinyurl.com/3dhhzb) -Stefan From newsgroups.mail2@stefanbaur.de Fri Dec 6 13:16:19 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 12:16:20 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS autolearn=ham version=3.3.2 Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by ymir (Postfix) with ESMTP id B21945DB05 for <354@bugs.x2go.org>; Fri, 6 Dec 2013 13:16:19 +0100 (CET) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis) id 0M5L11-1Vf6wZ2BiR-00yjXf; Fri, 06 Dec 2013 13:16:16 +0100 Message-ID: <52A1C089.3090709@stefanbaur.de> Date: Fri, 06 Dec 2013 13:18:17 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Mike Gabriel CC: 354@bugs.x2go.org, Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> In-Reply-To: <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:d3Wzv4/kPQek3HASAIu4PmdfZLNPMgbjeP3LggvM/gm kDA+HKdBRjEl0/rc/8fYXZNDglvs9duUVvMUYzkaO5or+02LR6 ypCx10/gCYIpU/yQiRVtsLeyykY8Xql/js1EFqd9r31pqDKymA XZ2iw/ZgsF1Egui63j2m0rjZ+Lr2m2fp2Ig8MXZipZfUHqCGUW pK5vczwMAuIMSYGwE4105hm2E9S8PJ+Kwv+QsF0TgTIMdYQ/nz diL6zP8+hC2LFJ9r6rxXBwxhDQaJiYoBhIceflgtX7W3CkldmZ Vqc5zxGgcrYrs3hzYZSNphm8mmvHpFNG9PGaV6xgsNGsR4OLoi F0gPJdg9aT5nHwIwLyRYbBF3Xn3zcyh5ZYe3uaFwY Am 06.12.2013 13:06, schrieb Mike Gabriel: > The default should be ,,disabled'', of course. However, I think that we > should support people that want to use X2Go in their setup as a > replacement for *NX*. Making something configurable and putting a big > red warning sign above the configuration should be ok IMHO. > Feedback? Is there no way of assisting this user in migrating away from NX, other than raping our codebase like that? What's wrong with using ssh -X / ssh -Y, which was previously suggested to the user? Maybe some more information on what the user is trying to accomplish would help us come up with a better solution. -Stefan From n_ingegneri@yahoo.com Fri Dec 6 18:44:17 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 17:44:18 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_BLOCKED,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from nm14-vm3.bullet.mail.ne1.yahoo.com (nm14-vm3.bullet.mail.ne1.yahoo.com [98.138.91.144]) by ymir (Postfix) with SMTP id 478955DB05 for <354@bugs.x2go.org>; Fri, 6 Dec 2013 18:44:17 +0100 (CET) Received: from [98.138.100.118] by nm14.bullet.mail.ne1.yahoo.com with NNFMP; 06 Dec 2013 17:44:16 -0000 Received: from [98.138.101.173] by tm109.bullet.mail.ne1.yahoo.com with NNFMP; 06 Dec 2013 17:44:16 -0000 Received: from [127.0.0.1] by omp1084.mail.ne1.yahoo.com with NNFMP; 06 Dec 2013 17:44:16 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 28980.33625.bm@omp1084.mail.ne1.yahoo.com Received: (qmail 74721 invoked by uid 60001); 6 Dec 2013 17:44:16 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1386351855; bh=HaGThh4jyZwSUAo75BDgjXaGidz5VM/53BsnYXO2AyY=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Vn65PnLExZ/V0Cvm4jFty8jiyeJyhF7CjmcnoSdisHHhJihjlYAZhIgtM1s+MtDusbrEv+YfetUCxmOGbBMf0G5369yj79Plw90GMU8KiglzU2TQ9Xr6Pt5u8SMFzzALvTpuQSjCNL5GeB6WtckIT1qWsTGVfHbNWiKG9vOTSRo= DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=zWYT1Y0tUUHsnHG2+zizcbR6ucVRumUcpOm5SwvXWajLgQigvYzggmR4NcKl+C/Dfi8ZqqkQAYrZFUmjygJoNgJ7XriOYZFh6cxQ2g1CbxyAJ7QBlHS55tCPmQ0OGD7HFw47Q5HxvGJNn98+9V9qRzV5daNpTqM9u86Uynoi+LI=; X-YMail-OSG: zteU.RIVM1l6fAyCvDAR6an7Ehp746Gw9IO0.22qw7lw0gr wL9PSxOTQO3XaUahKwlFf0XI.aJ1sDEEDLVpnY7TIKlYDX93hmEfhiqyHA1D beQePj4LIUMoHDyZfiVa6VqxhbObg0bSU5LhQCua3ltrkUqNTmAirRrYZUVF 02FIvQzUAME_mXsJ7UXDzr9lWxWMwFU51Y3ZDJS5TUHFZiCXsI6IBCHyZTC2 hre4xz.t.vMGx_fXd29WYwZSvZSDcqaLRB_XTOMSu7gfcTFcEHBYILQIQTGe iRukhk36yPrkhdmJW9dDmOUwHEIuKLy6_Pmuyw3a_FrHBktynffUzkVeI9d5 OxUD9pOKfc7CcB0wMB.gh.LkS_pcNyGV74ZnuxNL1QpPqDMLHDW.vqtt8_D5 QIIGcSMWIgNwCBIfC6MnXVQIggP45R.sM2EK4WMiB4xvcHM1CAcrHoZhoslL ovrggeFVT2Y4MNqgliM55A36O0i.wRSlUttPJ4aBv4PhyrviULsWwVlv_ZQp IKJAsmdrZ_FcapgXoJuFCgwk_X5TbGwqtFiEio089ZYrr2cWude0eb3djS9A hcAfA88LCPN6jJdehL5Y- Received: from [107.1.64.82] by web122101.mail.ne1.yahoo.com via HTTP; Fri, 06 Dec 2013 09:44:15 PST X-Rocket-MIMEInfo: 002.001,SGkgTWlrZSwgU3RlZmFuLAoKClNpbmNlIEknbSB0aGUgb25lIHdobyBicm91Z2h0IHRoaXMgdXAsIEknbGwgdHJ5IHRvIGJlIGFuIGFkdm9jYXRlIGZvciB3aHkgdGhpcyBjaGFuZ2UgaXMgYSBnb29kIHRoaW5nIGZvciBjZXJ0YWluIHVzZXJzLgoKCldlIGFyZSBldmFsdWF0aW5nIFgyR28gZm9yIHVzZSBpbiBhbiBleGlzdGluZyBjb3Jwb3JhdGUgdGVjaG5pY2FsIGNvbXB1dGUgZW52aXJvbm1lbnQuIFRoZXJlIGlzIGEgc2hvcnRjb21pbmcgaW4gb3VyIGN1cnJlbnQgdGhpbiBjbGllbnQgc29sdXRpb24gKG4BMAEBAQE- X-Mailer: YahooMailWebService/0.8.169.609 References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> Message-ID: <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> Date: Fri, 6 Dec 2013 09:44:15 -0800 (PST) From: Nick Ingegneri Reply-To: Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf To: Stefan Baur , Mike Gabriel Cc: "354@bugs.x2go.org" <354@bugs.x2go.org>, "x2go-dev@lists.berlios.de" In-Reply-To: <52A1C089.3090709@stefanbaur.de> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-1593584224-1574623545-1386351855=:74486" ---1593584224-1574623545-1386351855=:74486 Content-Type: text/plain; charset=us-ascii Hi Mike, Stefan, Since I'm the one who brought this up, I'll try to be an advocate for why this change is a good thing for certain users. We are evaluating X2Go for use in an existing corporate technical compute environment. There is a shortcoming in our current thin client solution (not NX) and we need to identify a replacement. This environment contains hundreds of users, hundreds of systems, dozens of applications, and an uncountable number of scripts. X2Go is being considered against several alternatives. Whatever solution we choose has to work within the existing environment and support the existing workflow. Our current workflow uses a mixture of xhost and xauth to allow xclients to connect to xservers. While "ssh -Y" may technically be an elegant solution, requiring it would break our existing tools, processes, and scripts. Simply put, any thin client solution we deploy has to support TCP connections if it is to meet our requirement of not disrupting how work is currently done. I acknowledge that there is a security issue with TCP connections in X11, but that is an architectural issue with X11 itself and not with X2Go per se. If the developers of X2Go were to make TCP connections impossible then effectively the defined security model of X11 (as documented in places like the XSecurity and Xauth man pages) would be broken. TCP is part of how X11 works. Once it became apparent in our testing that exporting displays didn't work as expected, the system administrator who installed it went through the configuration files and documentation looking for a solution. He couldn't find one, so he escalated it to me to look into. If we hadn't been able to find a fix it would have ruled out X2Go from further consideration, which would have been unfortunate as it is currently our leading choice for this particular need. Hopefully the above helps persuade you that there is a need for some users to be able to continue to support the existing X11 security model (including TCP). If you accept that point, then it seems there should be a more elegant way of enabling TCP than editing the x2gostartagent file. As someone brand new to looking at the project, files like x2goagent.options or x2goserver.conf are the obvious places I would expect to find an option to make this change. Thanks, Nick On Friday, December 6, 2013 5:16 AM, Stefan Baur wrote: Am 06.12.2013 13:06, schrieb Mike Gabriel: > The default should be ,,disabled'', of course. However, I think that we > should support people that want to use X2Go in their setup as a > replacement for *NX*. Making something configurable and putting a big > red warning sign above the configuration should be ok IMHO. > Feedback? Is there no way of assisting this user in migrating away from NX, other than raping our codebase like that? What's wrong with using ssh -X / ssh -Y, which was previously suggested to the user? Maybe some more information on what the user is trying to accomplish would help us come up with a better solution. -Stefan ---1593584224-1574623545-1386351855=:74486 Content-Type: text/html; charset=us-ascii
Hi Mike, Stefan,

Since I'm the one who brought this up, I'll try to be an advocate for why this change is a good thing for certain users.

We are evaluating X2Go for use in an existing corporate technical compute environment. There is a shortcoming in our current thin client solution (not NX) and we need to identify a replacement. This environment contains hundreds of users, hundreds of systems, dozens of applications, and an uncountable number of scripts. X2Go is being considered against several alternatives.

Whatever solution we choose has to work within the existing environment and support the existing workflow. Our current workflow uses a mixture of xhost and xauth to allow xclients to connect to xservers. While "ssh -Y" may technically be an elegant solution, requiring it would break our existing tools, processes, and scripts. Simply put, any thin client solution we deploy has to support TCP connections if it is to meet our requirement of not disrupting how work is currently done.

I acknowledge that there is a security issue with TCP connections in X11, but that is an architectural issue with X11 itself and not with X2Go per se. If the developers of X2Go were to make TCP connections impossible then effectively the defined security model of X11 (as documented in places like the XSecurity and Xauth man pages) would be broken. TCP is part of how X11 works.

Once it became apparent in our testing that exporting displays didn't work as expected, the system administrator who installed it went through the configuration files and documentation looking for a solution. He couldn't find one, so he escalated it to me to look into. If we hadn't been able to find a fix it would have ruled out X2Go from further consideration, which would have been unfortunate as it is currently our leading choice for this particular need.

Hopefully the above helps persuade you that there is a need for some users to be able to continue to support the existing X11 security model (including TCP).

If you accept that point, then it seems there should be a more elegant way of enabling TCP than editing the x2gostartagent file. As someone brand new to looking at the project, files like x2goagent.options or x2goserver.conf are the obvious places I would expect to find an option to make this change.

Thanks,
Nick




On Friday, December 6, 2013 5:16 AM, Stefan Baur <newsgroups.mail2@stefanbaur.de> wrote:
Am 06.12.2013 13:06, schrieb Mike Gabriel:
> The default should be ,,disabled'', of course. However, I think that we
> should support people that want to use X2Go in their setup as a
> replacement for *NX*. Making something configurable and putting a big
> red warning sign above the configuration should be ok IMHO.

> Feedback?

Is there no way of assisting this user in migrating away from NX, other
than raping our codebase like that?

What's wrong with using ssh -X / ssh -Y, which was previously suggested
to the user?

Maybe some more information on what the user is trying to accomplish
would help us come up with a better solution.


-Stefan


---1593584224-1574623545-1386351855=:74486-- From newsgroups.mail2@stefanbaur.de Fri Dec 6 19:08:06 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 18:08:07 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS autolearn=ham version=3.3.2 Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ymir (Postfix) with ESMTP id E739E5DB05 for <354@bugs.x2go.org>; Fri, 6 Dec 2013 19:08:06 +0100 (CET) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis) id 0MBWuQ-1Vgmci1D42-00Aedj; Fri, 06 Dec 2013 19:08:06 +0100 Message-ID: <52A21285.7090407@stefanbaur.de> Date: Fri, 06 Dec 2013 19:08:05 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Nick Ingegneri , Mike Gabriel CC: "354@bugs.x2go.org" <354@bugs.x2go.org>, "x2go-dev@lists.berlios.de" Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> In-Reply-To: <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:7QTiC4V0GJYsiyBd28up5rrpdgF3VjB59MnWQvaDTNG ZCfnBAqDZQsZue1y7AMkwUAtG3EY7n6HnUtGhqAdKjjug+fj9T n3ITSqA0IO7kgClA3y3nLppvM78Yy0ViGv2Od1mE9O85nmEnyk zxi4/Jz9CfL5JqweGrqQJ1kvlPu6nmaC4mNkWe6xaZHQ+FC2WB E7HxtqJKYqdY2cku0+9XdZkEzEwrvqxvb6cdTdpoocUb4elirQ KoHdCwbAjvb0ZkAi6RxwV+NvpB+hGRTCdYarznsVV0fRiWWgkN /eJ0H3o8ysUgr9oOv+j1hO3tvpkIlYURNXywIZT+DtpNEVkjUO j6N9n3ZC4hnAtf24SxbTUwzkctlc0KxOdaMdaiNre Am 06.12.2013 18:44, schrieb Nick Ingegneri: > Whatever solution we choose has to work within the existing environment > and support the existing workflow. Our current workflow uses a mixture > of xhost and xauth to allow xclients to connect to xservers. While "ssh > -Y" may technically be an elegant solution, requiring it would break our > existing tools, processes, and scripts. Well, guys, it's 2013, almost 2014, and we live in the Post-NSA-Scandal world. The times of using "xhost +" and not having to worry about it are long over. Do yourself a favor and change your scripts. > I acknowledge that there is a security issue with TCP connections in > X11, but that is an architectural issue with X11 itself and not with > X2Go per se. If the developers of X2Go were to make TCP connections > impossible then effectively the defined security model of X11 (as > documented in places like the XSecurity and Xauth man pages) would be > broken. TCP is part of how X11 works. As a side-note, I hope you're aware that those newfangled GUI thingies like Wayland and Mir are ditching TCP in their core design? Just sayin' (I don't like them, either) - not that that comes to bite you in the lower back in a few years when you don't expect it. > Once it became apparent in our testing that exporting displays didn't > work as expected, the system administrator who installed it went through > the configuration files and documentation looking for a solution. He > couldn't find one, so he escalated it to me to look into. If we hadn't > been able to find a fix it would have ruled out X2Go from further > consideration, which would have been unfortunate as it is currently our > leading choice for this particular need. In my opinion, Mike is a bit too customer-friendly here by turning your request into a wishlist item that lets every newbie shoot him-/herself in the foot, security-wise, by toggling a setting in the configuration. Sorry, but I've seen way too many people go "chmod 777 -R /*" as soon as something doesn't work as expected, and I'm fearing the same for an easily reachable option to allow TCP connections - because "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the filesystem. Of course, everybody is free to shoot him-/herself in the foot, that's why it's Linux - but merely leaving a "this is dangerous" note next to the parameter is like sticking a tag "please don't use this unless you know what you're doing" on a loaded 12-gauge in a room full of toddlers. > Hopefully the above helps persuade you that there is a need for some > users to be able to continue to support the existing X11 security model > (including TCP). Sorry, but you don't have me convinced that this is something anyone should use for a prolonged period of time. > If you accept that point, then it seems there should be a more elegant > way of enabling TCP than editing the x2gostartagent file. As someone > brand new to looking at the project, files like x2goagent.options or > x2goserver.conf are the obvious places I would expect to find an option > to make this change. My understanding of the issue is: It's possible to allow TCP connections, and the fact that it's not easily reachable - but can be reached - is a Good Thing(TM). We should leave it that way. You can manually allow TCP connections in your environment to ease transition to X2Go - but by all means, go ahead and fix your scripts so they use ssh -X/-Y, and do that soon. And reconfigure X2Go to "nolisten TCP" the second you're done fixing your scripts. -Stefan From snalwuer@stud.informatik.uni-erlangen.de Fri Dec 6 21:06:00 2013 Received: (at 354) by bugs.x2go.org; 6 Dec 2013 20:06:01 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 X-Greylist: delayed 600 seconds by postgrey-1.34 at ymir; Fri, 06 Dec 2013 21:06:00 CET Received: from faui03.informatik.uni-erlangen.de (faui03.informatik.uni-erlangen.de [131.188.30.103]) by ymir (Postfix) with ESMTPS id 770F85DB05 for <354@bugs.x2go.org>; Fri, 6 Dec 2013 21:06:00 +0100 (CET) Received: from faui0sr0.informatik.uni-erlangen.de (faui0sr0.informatik.uni-erlangen.de [131.188.30.90]) by faui03.informatik.uni-erlangen.de (Postfix) with ESMTP id 6557B680310; Fri, 6 Dec 2013 20:56:00 +0100 (CET) Received: by faui0sr0.informatik.uni-erlangen.de (Postfix, from userid 31763) id 60686B280CD; Fri, 6 Dec 2013 20:56:00 +0100 (CET) Date: Fri, 6 Dec 2013 20:56:00 +0100 From: Alexander Wuerstlein To: Stefan Baur , 354@bugs.x2go.org, x2go-dev@lists.berlios.de Cc: Nick Ingegneri , Mike Gabriel Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf Message-ID: <20131206195600.GA26961@cip.informatik.uni-erlangen.de> References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <52A21285.7090407@stefanbaur.de> X-Echelon-Scan: plutonium bomb osama revenge dirty allah satan iran victory dimona cocaine guantanamo centrifuge holy war pigs mossad nsa X-Echelon-Result: Belligerent User-Agent: Mutt/1.5.21 (2010-09-15) On 13-12-06 19:18, Stefan Baur wrote: > Am 06.12.2013 18:44, schrieb Nick Ingegneri: > >Once it became apparent in our testing that exporting displays didn't > >work as expected, the system administrator who installed it went through > >the configuration files and documentation looking for a solution. He > >couldn't find one, so he escalated it to me to look into. If we hadn't > >been able to find a fix it would have ruled out X2Go from further > >consideration, which would have been unfortunate as it is currently our > >leading choice for this particular need. > > In my opinion, Mike is a bit too customer-friendly here by turning > your request into a wishlist item that lets every newbie shoot > him-/herself in the foot, security-wise, by toggling a setting in > the configuration. > Sorry, but I've seen way too many people go "chmod 777 -R /*" as > soon as something doesn't work as expected, and I'm fearing the same > for an easily reachable option to allow TCP connections - because > "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the > filesystem. > > Of course, everybody is free to shoot him-/herself in the foot, > that's why it's Linux - but merely leaving a "this is dangerous" > note next to the parameter is like sticking a tag "please don't use > this unless you know what you're doing" on a loaded 12-gauge in a > room full of toddlers. There is one more aspect to this: If there is such a configuration option, then sooner or later the likes of Linux Mint will enable it by default for all their users, leaving them wide open to the whole world, despite all the warnings. They did that with 'xhost +'[0]. So I agree that even just having such an option hidden away somewhere would be very very bad. It needs to be hard and a lot of work to break security or somebody will do it by default and deploy it on a wide scale. Ciao, Alexander Wuerstlein. [0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520 From mike.gabriel@das-netzwerkteam.de Sat Dec 7 21:48:00 2013 Received: (at 354) by bugs.x2go.org; 7 Dec 2013 20:48:01 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id B49775DB05 for <354@bugs.x2go.org>; Sat, 7 Dec 2013 21:48:00 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 210021ECD8; Sat, 7 Dec 2013 21:48:00 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id BB63A3C2DA; Sat, 7 Dec 2013 21:47:59 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dDA6SsiSaja; Sat, 7 Dec 2013 21:47:59 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 809313C065; Sat, 7 Dec 2013 21:47:59 +0100 (CET) Received: from p4FE5F10B.dip0.t-ipconnect.de (p4FE5F10B.dip0.t-ipconnect.de [79.229.241.11]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sat, 07 Dec 2013 20:47:59 +0000 Date: Sat, 07 Dec 2013 20:47:59 +0000 Message-ID: <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> From: Mike Gabriel To: Alexander Wuerstlein Cc: Stefan Baur , 354@bugs.x2go.org, Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> In-Reply-To: <20131206195600.GA26961@cip.informatik.uni-erlangen.de> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 79.229.241.11 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_hNrHBJgb3b6_ZSmFcs-t7Q1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_hNrHBJgb3b6_ZSmFcs-t7Q1 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Hi Stefan, hi Alexander, On Fr 06 Dez 2013 20:56:00 CET, Alexander Wuerstlein wrote: > On 13-12-06 19:18, Stefan Baur wrote: >> Am 06.12.2013 18:44, schrieb Nick Ingegneri: >> >Once it became apparent in our testing that exporting displays didn't >> >work as expected, the system administrator who installed it went through >> >the configuration files and documentation looking for a solution. He >> >couldn't find one, so he escalated it to me to look into. If we hadn't >> >been able to find a fix it would have ruled out X2Go from further >> >consideration, which would have been unfortunate as it is currently our >> >leading choice for this particular need. >> >> [...] >> Sorry, but I've seen way too many people go "chmod 777 -R /*" as >> soon as something doesn't work as expected, and I'm fearing the same >> for an easily reachable option to allow TCP connections - because >> "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the >> filesystem. >> >> Of course, everybody is free to shoot him-/herself in the foot, >> that's why it's Linux - but merely leaving a "this is dangerous" >> note next to the parameter is like sticking a tag "please don't use >> this unless you know what you're doing" on a loaded 12-gauge in a >> room full of toddlers. > > There is one more aspect to this: If there is such a configuration > option, then sooner or later the likes of Linux Mint will enable it by > default for all their users, leaving them wide open to the whole world, > despite all the warnings. They did that with 'xhost +'[0]. > > So I agree that even just having such an option hidden away somewhere > would be very very bad. It needs to be hard and a lot of work to break > security or somebody will do it by default and deploy it on a wide > scale. > > > > Ciao, > > Alexander Wuerstlein. > > [0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520 From a security point of view: is there really a severe difference in having to edit x2gostartagent or vs. x2goserver.conf as root to enable TCP listening for x2goagent? If people want to deploy X2Go and need TCP enabled they will do that anyway. You do not have to rebuild some binary to make that happen even, you just have to create a custom copy of x2gostartagent in /usr/local/bin. @Nick: The above may very well be your workaround... >> In my opinion, Mike is a bit too customer-friendly here by turning >> your request into a wishlist item that lets every newbie shoot >> him-/herself in the foot, security-wise, by toggling a setting in >> the configuration. My current focus is to spread X2Go, get more people interested in X2Go and get more people interested in developing / financing X2Go. If I here of a use case that involves hundreds of users, then I am open to supporting that use case one way or another. I don't think making TCP-listening configurable is a security problem. Once you enable that option, you should be aware of what you are doing. For sure. The Linux Mint argument does not really count to me, either. As a package maintainer of a linux distribution, I can do anything patchy to the upstream code I like. People with the Linux Mint attitude may very easily patch x2gostartagent and ship a TCP-listening X2Go Server by default in their package archive. Wouldn't it make more sense, having that option configurable from the start then and providing the switch-off in an obvious place (i.e. a conffile)? My point is: if you want to enable TCP listening of x2goagent, you have to switch one line in x2gostartagent. What I propose is a config parameter for x2goserver.conf that avoids people from nastily hacking x2gostartagent. I know several setups in intranet where display managers and X-servers run in TCP listen mode and for the local network that is ok and wanted. Of course for X2Go this should not be the default (that's why we closed down TCP listening earlier when it was still enabled by accident). And Nick, I also think that you should seriously consider looking at the security aspects of your current IT setup. It seems quite hackable and you should really be sure that all of your staff members are really good friends (which normally is not the case for everyone at $WORK). Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_hNrHBJgb3b6_ZSmFcs-t7Q1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSo4l/AAoJEJr0azAldxsxdNMQAIJPeiu1SGyr+NP5KKN/pKvL 0jk/CRXyHuCHYk1aR531rEgHplN47kWRk/Pv7kqJVsICgCPaPyA0Zi/wBBTowuL7 YbgP8/rq9eP5lYC+oprzHFowI/ETrwAu1xBd/yyDhCTaXwgNHYpeG2PXiMdXjt8c aD+TWcosyfsObzXFifp2u1/VokWeGOAsYYFT5QM0hLxq0fppK/5GaNZjT2VrYsQZ s7/HkD9ViMEHR+4ubzwpNpJgYcWnqZcCDGtLJcX5v7f090ky7IdNVJJVJu0m0rVY eLQoBylMv8pLUQZRNkCVM+TL2r6hL/eWcNIs5hCQkuHcN2uRj03wSR1Pzyx/k9PT xqWpMBZlQk/LIRO6CyGQClJqfpniJx80odfKuhogyq2GSKq1NWTaLGlR3WT44r+s FCAJqDP7BHv8jEcZR4Ic9GzCROR2Q8UKbg7urt5XuskbeVX54FoYM9iVL5RKNiMS eGMPze43g/L+kbPVLioZ9UZtLE0bn8Qhau1cyPeetnR1d4oN9kVd8meKWnBMez1p KuSlSMTHOq0pkaVoopEXwRT4eH5AYUgm+hJaSL8N+Ntwtx51YiSTgPcmesnvPFLT OvxC16v2zpBEvUE7PwyAS48G0YR/WV0UvRKRDgS7ZlZfHzWg4dIePJ3YxsHFi4tw fLpdUs6Vvnf8C4aVp2JV =aHFL -----END PGP SIGNATURE----- --=_hNrHBJgb3b6_ZSmFcs-t7Q1-- From newsgroups.mail2@stefanbaur.de Sat Dec 7 22:30:13 2013 Received: (at 354) by bugs.x2go.org; 7 Dec 2013 21:30:14 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, T_FRT_PROFILE2 autolearn=ham version=3.3.2 Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by ymir (Postfix) with ESMTP id 90B7B5DB05 for <354@bugs.x2go.org>; Sat, 7 Dec 2013 22:30:13 +0100 (CET) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mreu1) with ESMTP (Nemesis) id 0Mefts-1WDfTO1x60-00ODAj; Sat, 07 Dec 2013 22:30:10 +0100 Message-ID: <52A39369.8050408@stefanbaur.de> Date: Sat, 07 Dec 2013 22:30:17 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Mike Gabriel , Alexander Wuerstlein CC: 354@bugs.x2go.org, Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> In-Reply-To: <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:4fenWVPSL0K0/JpDOJH2Q4iMwlDQn9bUYrI2YbO1dJN HZ7KNljGyqk/CEnTDX7VO2aHp835lVMaUrRNdQxGg07DIVtOjt 6ghAZpgMDe9oYsG0tv6cWmWA5TbAmlkqBBV5VB9KZG/GD4LZJz W883GrTUfuf+ZRF9WKFBPggDD0TDcNeo1Je+ODSG4hMVmNu8EK fE7bnPAkkhbXbOBzR1KYLrIJpeG3n8YLmwsrdHInvsBiK3bLBn 6jZYykZpWCNKM8JyWhMebHudhMHSewPfzsH1CLCC/KZ/ic5wE6 KjQ33gq7P/zZY9r8JBVPZiEi0+hrBZB73rWR2wy2+SaaJ37ltS nC8IqssNJmRfKvwzh1zwrY12MYvXJ92yCdIVJN8az Am 07.12.2013 21:47, schrieb Mike Gabriel: [copying the last paragraph of your mail to the top, b/c this is the most important statement of it] > And Nick, I also think that you should seriously consider looking at > the security aspects of your current IT setup. It seems quite > hackable and you should really be sure that all of your staff > members are really good friends (which normally is not the case > for everyone at $WORK). This, this, and exactly this. [by Alexander Wuerstlein] >> So I agree that even just having such an option hidden away somewhere >> would be very very bad. It needs to be hard and a lot of work to break >> security or somebody will do it by default and deploy it on a wide >> scale. [from Mike] > From a security point of view: is there really a severe difference in > having to edit x2gostartagent or vs. x2goserver.conf as root to enable > TCP listening for x2goagent? Yes, there is. Putting it in the config file is convenient for the security-ignorant folks. Disabling security features should never be convenient. > If people want to deploy X2Go and need TCP > enabled they will do that anyway. You do not have to rebuild some binary > to make that happen even, you just have to create a custom copy of > x2gostartagent in /usr/local/bin. And exactly that means extra work. Most security-ignorant folks are security-ignorant because they are lazy, they just don't want to bother with it. A config file remains in place during package upgrades. With x2gostartagent, they'll have to make sure that their copy in /usr/local/bin gets pulled (And we should make it hard for them, by specifying /usr/bin/x2gostartagent instead of x2gostartagent without a path), or they have to change/patch /usr/bin/x2gostartagent with every new package version. This means work. This means paying attention. Things that such folks don't like. In fact, if we could, we should make disabling security on X2Go a harder and more complex task than re-writing all those insecure scripts the user might have. Sadly, we can't. > @Nick: The above may very well be your workaround... And indeed it is, for a short-lived migration path. >>> In my opinion, Mike is a bit too customer-friendly here by turning >>> your request into a wishlist item that lets every newbie shoot >>> him-/herself in the foot, security-wise, by toggling a setting in >>> the configuration. > > My current focus is to spread X2Go, get more people interested in X2Go > and get more people interested in developing / financing X2Go. If I here > of a use case that involves hundreds of users, then I am open to > supporting that use case one way or another. I don't think making > TCP-listening configurable is a security problem. Once you enable that > option, you should be aware of what you are doing. For sure. I'm saying it again, you're being too customer-friendly. In this particular case, the issue can be fixed by locally patching x2gostartagent. With more obscure stuff, you should tell them to contract you or Alex for a forked x2go package and have them pay for the B**ls**t they want. That way, we don't pollute our main codebase with it, plus you get some extra cash. Man, where are my pills, I don't want to go into full Theo de Raadt mode ... > The Linux Mint argument does not really count to me, either. As a > package maintainer of a linux distribution, I can do anything patchy to > the upstream code I like. People with the Linux Mint attitude may very > easily patch x2gostartagent and ship a TCP-listening X2Go Server by > default in their package archive. See above, it is extra work for them, an extra file outside the config tree that they have to monitor for changes, etc. While we can't stop them, we can at least make it hard for them to follow through with such a plan. > Wouldn't it make more sense, having > that option configurable from the start then and providing the > switch-off in an obvious place (i.e. a conffile)? No. Just no. > My point is: if you want to enable TCP listening of x2goagent, you have > to switch one line in x2gostartagent. What I propose is a config > parameter for x2goserver.conf that avoids people from nastily hacking > x2gostartagent. Again, those who know what they are doing are already able to make the change, and should realize the consequences (having to look for changes in x2gostartagent with every new release). Those who do not know what they are doing should not be given access to the setting. There's a reason why you need licenses for firearms, cars, airplanes, etc. - and this is the software equivalent. If one has proven enough coding proficiency to have located the code part in x2gostartagent, one is worthy of being allowed to change it on one's own. If you have to ask here, you should either listen to the more experienced folks telling you not to change it, or pay one of the core developers for a fork, that's my opinion (and not being a core developer myself, flames like "you're a greedy a**h**e that thinks of X2Go users as cash cows ready for milking" directed at me are outright silly, so - shove them, folks). -Stefan From mike.gabriel@das-netzwerkteam.de Sat Dec 7 22:50:58 2013 Received: (at 354) by bugs.x2go.org; 7 Dec 2013 21:50:58 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 0FCDA5DB05 for <354@bugs.x2go.org>; Sat, 7 Dec 2013 22:50:58 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 6F02C1EC26; Sat, 7 Dec 2013 22:50:57 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 127673C084; Sat, 7 Dec 2013 22:50:57 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XFcKssrvD9Jw; Sat, 7 Dec 2013 22:50:55 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id BA8CF3C204; Sat, 7 Dec 2013 22:50:54 +0100 (CET) Received: from p4FE5F10B.dip0.t-ipconnect.de (p4FE5F10B.dip0.t-ipconnect.de [79.229.241.11]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sat, 07 Dec 2013 21:50:54 +0000 Date: Sat, 07 Dec 2013 21:50:54 +0000 Message-ID: <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> From: Mike Gabriel To: Stefan Baur Cc: Alexander Wuerstlein , 354@bugs.x2go.org, Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> In-Reply-To: <52A39369.8050408@stefanbaur.de> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 79.229.241.11 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_GPsb7BwiSCD3dPHGsM4pkQ1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_GPsb7BwiSCD3dPHGsM4pkQ1 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Control: tag -1 wontfix Control: close -1 Hi Stefan, On Sa 07 Dez 2013 22:30:17 CET, Stefan Baur wrote: > [...] > Man, where are my pills, I don't want to go into full Theo de Raadt mode ... Okokokok... heard! @Nick: please place a copy of x2gostartagent into /usr/local/bin for a transition period and modify it to your needs. We won't reenable TCP listening in upstream X2Go. For long term usage of X2Go, adapt your workflows to a more secure model. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_GPsb7BwiSCD3dPHGsM4pkQ1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSo5g9AAoJEJr0azAldxsxfVEQAIwQuk3+1EveEJRs9LZxw7DN IliUeAUnly4z1sQtlwqhcEFB4/m2zPFcLt/CvNaKrDNqIFIWJ2QwWQ35F0a6tIGD QqN+Bn3ZycbRJ9mn/a4hmv43MZujxe9nzXnUtpTWC7ZkWpMHmKhZACAd6jDS2Fz+ AExaFpV17j7R/tH59G9ypa7mzPlfpp0LihsU+cYfUylLko7VZWdRwPcaaf76IW1s apM252BXzRysTYjKMjBQv1zQTSMHeq8OPRaYhMr4kPRpKA71D3+FsbJWoOMaWbia fhQcluhOs5ccojw5mU7JWDCSM0BWHNOyxBmSfoPOp5RkFl6EsPXx3ZiyY/dS/eHg fwbiTqJ6YSCnoiE0nTiG0R0UfnSo2+s7CAPJXXNRVEW8nkaOZ929hNgP1WGvKK1n I+E9RGAj5XzjONt3z03zzjM2UCyaYRPpVNDW4XjlZrFX2IEBkbVyWtwp4Y3+INYx B5wES/dd421iOAlC1VnzvRCzk/WnEJBRZFZhj0Ym7Ay4d3CTx0NppxbFKVhiDn+v 9hudiPFt6kTBGoqaPf1o5T/XnViHA1hzLFJcSuNXXC5PbUMp7ZnjhF6dP7rMRBGc /j5rtshoNwS4Pbwgxx8IKlgYqnc1qZSRkfo9oE6tvhF3TXuUK1+iwdRl9zWkzAq3 FejfoL+EM0h7m8MFjsnb =SOEa -----END PGP SIGNATURE----- --=_GPsb7BwiSCD3dPHGsM4pkQ1-- From n_ingegneri@yahoo.com Sun Dec 8 16:13:04 2013 Received: (at 354) by bugs.x2go.org; 8 Dec 2013 15:13:06 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from nm7-vm0.bullet.mail.ne1.yahoo.com (nm7-vm0.bullet.mail.ne1.yahoo.com [98.138.91.66]) by ymir (Postfix) with SMTP id 17E525DB1E for <354@bugs.x2go.org>; Sun, 8 Dec 2013 16:13:03 +0100 (CET) Received: from [98.138.101.132] by nm7.bullet.mail.ne1.yahoo.com with NNFMP; 08 Dec 2013 15:13:02 -0000 Received: from [98.138.89.161] by tm20.bullet.mail.ne1.yahoo.com with NNFMP; 08 Dec 2013 15:13:02 -0000 Received: from [127.0.0.1] by omp1017.mail.ne1.yahoo.com with NNFMP; 08 Dec 2013 15:13:02 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 816773.44313.bm@omp1017.mail.ne1.yahoo.com Received: (qmail 58840 invoked by uid 60001); 8 Dec 2013 15:13:02 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1386515582; bh=HeDG37EwrTAdjdLnqDBiXJDEhw114l+cxmSYLqBEtyo=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=mbeqcXKfQ4fuWJVrmrOgvNHxXwdC8rfudRvKwOPNhACU1yngM0u2e8AWYt1HomWGRll2YG79c7TgDn0ggn6E+BrOo2AMGF28RPfVKerdv0HicVT2eY5qng4R3VAAaMfiPX1E+RJII7yGUor6YJz8TM7INIonGHfdbBZOrQENq7Y= DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=oO9DLpjqb55hLNv9Kja1iRIKoLj6ABJfAAHtRl3TYvN3BblPGm/Mu0LBP1qeiYjoWUws54bzv0d+bRA4j57vjBN7y6y519V1mqX3aW4vTRdYiEjLgMp7bfWKaYU0KWzCJQzjsR5ZhTMaJincyO1pfL+BhjAOmH8laSENTLUVhQA=; X-YMail-OSG: 8RV4M4sVM1kYeNo5GKyw2lLEdKIiYcox4p5oH96rCbwH28x EsoUHDcwJXw8oaI2AfvDiQNzSexuNcKR3EmaEj1StvZ2Tnb2J2Jq1On1BPwT lrCkBmyW6BPkuerdFX_LVo0ifd5RGEz4_2ZekeKN93EqrQ01vqmqHDXgbOU5 mzFY_lWQwaABifdSvu1CKvuyKjPl45I8CzM2yVGwvRuXkH4tloQNFKrxIWr3 fVV3NTxkFZGpJa0dutmozGnqcwvJd7xRVOpxSIJdfVHwVm0t7lwVP.1YguO5 .4yF6kE5JOE7uH9RRpP6kJ8Ax8sAprsp_0.05KfjwGZa84bVMeu6f6ZqRXzl g69dFIYRlkrB7Vn7waePHqA4BFjpTbKdulXWHAv6imuAf7KW9y6F2_x1xAhZ .6ZmKdUumQmaRVGV1XHWw2.2dtlAvK6eFsQBasFliFPvORmzrWBuIoazg4H9 Y5LCWF0I4OlZCwVWIgm4pqspEjXOJQ7n69_SlG4HpFdT4Xfughfk7YmV.LVy nvZqyb9yZy8ZlLBkcSQsQW2w87vub8PvNrhMHm8KnTcXXjeeoZCTi4hqIdQW ltlNdN0ao6gUmpL3KuhvaQlGGfUhoTb4PBamYkSGwGASFsCVjQzTzqu7SJ7N XVTY2GPovQctVkNcgID15g3QkXSxnpezg Received: from [97.124.169.17] by web122106.mail.ne1.yahoo.com via HTTP; Sun, 08 Dec 2013 07:13:02 PST X-Rocket-MIMEInfo: 002.001,TWlrZSwgU3RlZmFuLCBBbGV4YW5kZXIsIGV0IGFsLiwKCkkgd2FzIHdhdGNoaW5nIHRoaXMgY29udmVyc2F0aW9uIHBsYXkgb3V0IGJlZm9yZSByZXBseWluZy4KCkl0IGlzbid0IGdvaW5nIHRvIGJlIGZydWl0ZnVsIHRvIGJlIHB1bGxlZCBpbnRvIGEgbG9uZyBkaXNjdXNzaW9uIGFib3V0IHRoZSBzcGVjaWZpY3Mgb2Ygb3VyIGNvbXB1dGUgZW52aXJvbm1lbnQuIFRoZXJlIGFyZSBtYW55IGFzc3VtcHRpb25zIGJlaW5nIG1hZGUgaW4gdGhpcyBkaXNjdXNzaW9uIHRoYXQgYXJlbid0IGNvcnJlY3QsIGFuZCABMAEBAQE- X-Mailer: YahooMailWebService/0.8.169.609 References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> Message-ID: <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> Date: Sun, 8 Dec 2013 07:13:02 -0800 (PST) From: Nick Ingegneri Reply-To: Nick Ingegneri Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf To: Mike Gabriel , Stefan Baur Cc: Alexander Wuerstlein , "354@bugs.x2go.org" <354@bugs.x2go.org> In-Reply-To: <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="61789334-543769667-1386515582=:31556" --61789334-543769667-1386515582=:31556 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Mike, Stefan, Alexander, et al.,=0A=0AI was watching this conversation play= out before replying.=0A=0AIt isn't going to be fruitful to be pulled into = a long discussion about the specifics of our compute environment. There are= many assumptions being made in this discussion that aren't correct, and sa= ying "don't use TCP" without knowing these specifics is ignorant. There are= industry-standard commercial products that disabling TCP breaks. Our IT de= partment cannot decide to stop supporting TCP; it is the users and our comm= ercial suppliers who determine what IT has to support.=0A=0AI think that be= cause I used "xhost +" in my original debugging example, the assumption was= immediately made that "xhost +" was my primary concern. My primary concern= is that disabling TCP=0A breaks almost every possible use model except for= one narrow case (ssh). Among other things, it breaks the MIT-MAGIC-COOKIE-= 1 mechanism. While there are very valid concerns regarding use of TCP on th= e internet, we have a different hierarchy of concerns regarding what happen= s on our internal network.=0A=0AOne incorrect assumption that is being made= in this discussion is that some action to initiate the display can take pl= ace on the system the user is logged into, or that the user is even involve= d in initiating the display.=A0 Consider this use model:=0A=0A1: User's dis= play is system100:24=0A2: Automated processes, with no user involvement, la= unch a program on a randomly chosen system (let's say it is system204).=0A3= : The new program running on system204 now has to connect back to the displ= ay on system100:24=0A=0APersonally, the problem is solved for us for at lea= st the moment and we can move forward with what we are trying to do. Having= to=0A edit /usr/bin/x2gostartagent every time we install or upgrade the pa= ckage is inelegant and creates additional administrative overhead, but it i= s manageable.=0A=0AThis is your project, not mine, I merely came to the mai= ling list with a problem looking for a solution. I can tell you that our us= e model is extremely common in industry and that breaking it will render X2= Go unusable. Of the five alternatives we are looking at, X2Go was the only = one with TCP disabled. Most system administrators trying to set up an evalu= ation of X2Go aren't typically going to dig further than the documentation = and config files in trying to fix this problem. If you make fixing it so ob= scure that it escapes these system administrators, then X2Go isn't going to= get very far in those evaluations.=0A=0AHow accessible or obscure you make= this setting is up to you as developers, but saying to users "your use mod= el is wrong" doesn't show appreciation for the diversity of ways that X is = used in production.=0A=0ACheers,=0ANick=0A=0A=0A=0A=0A=0A=0AOn Saturday, De= cember 7, 2013 2:51 PM, Mike Gabriel wro= te:=0A =0AControl: tag -1 wontfix=0AControl: close -1=0A=0AHi Stefan,=0A=0A= On=A0 Sa 07 Dez 2013 22:30:17 CET, Stefan Baur wrote:=0A=0A> [...]=0A=0A> M= an, where are my pills, I don't want to go into full Theo de Raadt mode ...= =0A=0AOkokokok... heard!=0A=0A@Nick: please place a copy of x2gostartagent = into=0A /usr/local/bin for a=A0 =0Atransition period and modify it to your = needs. We won't reenable TCP=A0 =0Alistening in upstream X2Go. For long ter= m usage of X2Go, adapt your=A0 =0Aworkflows to a more secure model.=0A=0AMi= ke=0A-- =0A=0ADAS-NETZWERKTEAM=0Amike gabriel, herweg 7, 24357 fleckeby=0Af= on: +49 (1520) 1976 148=0A=0AGnuPG Key ID 0x25771B31=0A=0Amail: mike.gabrie= l@das-netzwerkteam.de, http://das-netzwerkteam.de=0A=0AfreeBusy:=0Ahttps://= mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --61789334-543769667-1386515582=:31556 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
Mike, Stefan, Alexander, et a= l.,

I was watching this conversation p= lay out before replying.

It isn't goin= g to be fruitful to be pulled into a long discussion about the specifics of= our compute environment. There are many assumptions being made in this dis= cussion that aren't correct, and saying "don't use TCP" without knowing the= se specifics is ignorant. There are industry-standard commercial products t= hat disabling TCP breaks. Our IT department cannot decide to stop supportin= g TCP; it is the users and our commercial suppliers who determine what IT h= as to support.

I think that because I used = "xhost +" in my original debugging example, the assumption was immediately = made that "xhost +" was my primary concern. My primary concern is that disa= bling TCP=0A breaks almost every possible use model except for one narrow c= ase (ssh). Among other things, it breaks the MIT-MAGIC-COOKIE-1 mechanism. = While there are very valid concerns regarding use of TCP on the internet, w= e have a different hierarchy of concerns regarding what happens on our inte= rnal network.

One incorrect assumption= that is being made in this discussion is that some action to initiate the = display can take place on the system the user is logged into, or that the u= ser is even involved in initiating the display.  Consider this use mod= el:

1: User's display is system100:24<= br clear=3D"none">2: Automated processes, with no user involvement, launch = a program on a randomly chosen system (let's say it is system204).
3: The new program running on system204 now has to connect back t= o the display on system100:24

Personal= ly, the problem is solved for us for at least the moment and we can move forward with what we= are trying to do. Having to=0A edit /usr/bin/x2gostartagent every time we = install or upgrade the package is inelegant and creates additional administ= rative overhead, but it is manageable.

This is your project, not mine, I merely came to the mailing list with a p= roblem looking for a solution. I can tell you that our use model is extreme= ly common in industry and that breaking it will render X2Go unusable. Of th= e five alternatives we are looking at, X2Go was the only one with TCP disab= led. Most system administrators trying to set up an evaluation of X2Go aren= 't typically going to dig further than the documentation and config files i= n trying to fix this problem. If you make fixing it so obscure that it esca= pes these system administrators, then X2Go isn't going to get very far in t= hose evaluations.

How accessible or obscure you make this setting is= up to you as developers, but saying to users "your use model is wrong" doe= sn't show appreciation for the diversity of ways that X is used in production.

Cheers,
Nick




On Saturday, December 7, 2013 2:= 51 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Con= trol: tag -1 wontfix
Control: close -1

Hi S= tefan,

On  Sa 07 Dez 2013 22:30:1= 7 CET, Stefan Baur wrote:

> [...]
> Man, where are my pills, I don't w= ant to go into full Theo de Raadt mode ...

Okokokok... heard!

@Nick: please = place a copy of x2gostartagent into=0A /usr/local/bin for a 
transition period and modify it to your needs. We won't reenable = TCP 
listening in upstream X2Go. For long term usag= e of X2Go, adapt your 
workflows to a more secure m= odel.

Mike
--

DAS-NETZWERKTEAM
mike gab= riel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31

mail:
mike.gabriel@das-netzwerkteam.de, http:= //das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkt= eam.de.xfb



=
--61789334-543769667-1386515582=:31556-- From newsgroups.mail2@stefanbaur.de Sun Dec 8 20:35:02 2013 Received: (at 354) by bugs.x2go.org; 8 Dec 2013 19:35:03 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.8]) by ymir (Postfix) with ESMTP id 7639E5DB1E for <354@bugs.x2go.org>; Sun, 8 Dec 2013 20:35:02 +0100 (CET) Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27]) by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis) id 0MN8wu-1VwLqG1NRw-007SGO; Sun, 08 Dec 2013 20:35:00 +0100 Message-ID: <52A4C9F2.5090904@stefanbaur.de> Date: Sun, 08 Dec 2013 20:35:14 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Nick Ingegneri , "354@bugs.x2go.org" <354@bugs.x2go.org> Subject: Things you should know about X (was: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf) References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> In-Reply-To: <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:t51pxeHomEecRkJMd5HXC8vCeup7DXN8zyJQ9JUqNXL j+YHVpKT1hIhkOFQUfpvf/kjPcPhcJAOP+YiNVdVayfJ0zYtbd 5ClOqfw9uB7azFzIghFY/P9LEU0WeDJRzhyxjssHVQLXzLYwPT TVgaoxC0ODUE0gWsHx4jdXMdfmroPtfudp9ukrYjwv4diG8T3m iZyMGxrfky//pd7c7PbK9czeWJ3ukrUXL666VG/q7VcQyI7+SX otpVpD2JYIk56av4W8Vr8r3jOcK+433RBJHTGAK9FU3zHx8+Ao hc4ogQJriivylmdhgokGkdtl1DItPRNFCdECBsFWEPRRhOqlbX 275ickV16ASvw4XZGK8exyQ3CPG28xPzk7DCkmc2x Am 08.12.2013 16:13, schrieb Nick Ingegneri: > I think that because I used "xhost +" in my original debugging example, > the assumption was immediately made that "xhost +" was my primary > concern. My primary concern is that disabling TCP breaks almost every > possible use model except for one narrow case (ssh). Among other things, > it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid > concerns regarding use of TCP on the internet, we have a different > hierarchy of concerns regarding what happens on our internal network. [long blahblah snipped] If you believe Xauth Cookies alone will protect you from nastiness, think again: http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11 for fun and passwords." All the nastiness shown in that write-up works *with* .Xauthority in place. And this was published in 2004, so every script kiddie, every pimple-faced youth among your trainees, every disgruntled employee knows about this. (And so does the NSA.) Seriously, I've been in the IT Security business for quite a few years *ahem ahem* - and the real enemy usually isn't some obscure Chinese hacker, it's an employee, either a lazy and careless one or a malicious one that has been turned over by a competitor. So do not trust anyone and anything on your network. Encrypt even your internal traffic. I've even seen reports of power plugs with surge protectors containing Network sniffers. So the spying device has unlimited power supply and sits right in your network, logging all your traffic and sending it out either via innocuous http requests or via a seperate WiFi network. And please, do not fool yourself into thinking "but we don't have anything to hide". Yes, you have. We all have. Unless you see "1984" as an instruction manual. -Stefan From nable.maininbox@googlemail.com Sun Dec 8 21:05:21 2013 Received: (at 354) by bugs.x2go.org; 8 Dec 2013 20:05:22 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from mail-bk0-f52.google.com (mail-bk0-f52.google.com [209.85.214.52]) by ymir (Postfix) with ESMTPS id B92DE5DB1E for <354@bugs.x2go.org>; Sun, 8 Dec 2013 21:05:21 +0100 (CET) Received: by mail-bk0-f52.google.com with SMTP id u14so1049956bkz.25 for <354@bugs.x2go.org>; Sun, 08 Dec 2013 12:05:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=3E1Dc4gd8g05rJ4sVTIXwzHkT4VTDDoUi0O3xqeu2Zc=; b=dBDaeQJxD7YsqnzyIS+oHeCygBw/E/tSGGOo8hrSYHCeHz4nCCFIKXFt4f6SZTvmC5 u4kE/Zcq3mTFouNCoXfsVV5BNVjb+NlVTYocK8zoVAhXopicU5qUygorrAWBjywkegWj 1PcqNELLipc/wSggkwYftJzzcrrTB33S4DgRX6MBbzlqn1ANgDZ0MRmWBtuaPw/vggHx ql1Uu5m8BND+GfuSLqG7+bPbKYW3jF/E4QaxkRtg6VYDTXSlFUYqbwJbS6uYeQrQ66bw QU4dh7h8zlEa9YBqGz9LGVspnDEClrA9LIwJ68ElcPr3cpemugBMANtU2vgwVPNJhnLR gevw== MIME-Version: 1.0 X-Received: by 10.205.36.81 with SMTP id sz17mr4949861bkb.29.1386533121237; Sun, 08 Dec 2013 12:05:21 -0800 (PST) Received: by 10.204.61.72 with HTTP; Sun, 8 Dec 2013 12:05:21 -0800 (PST) In-Reply-To: <52A4C9F2.5090904@stefanbaur.de> References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> <52A4C9F2.5090904@stefanbaur.de> Date: Mon, 9 Dec 2013 00:05:21 +0400 Message-ID: Subject: Re: [X2Go-Dev] Bug#354: Things you should know about X (was: Re: Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf) From: Nable 80 To: Stefan Baur , 354@bugs.x2go.org, x2go-dev@lists.berlios.de Content-Type: text/plain; charset=ISO-8859-1 Thanks a lot for this interesting discussion. Although I should comment this thing from the linked article: it begins with the following words: > log into the victim's desktop, become root It's too obvious that with root one can do almost anything, not only grab X sessions. So, you article is not a proof of X11 insecurity (after all, we know that it's not secure, but example is not good), just a howto for root usage. One should notice that without root ( who would give root access to generic employee? except (possibly) on his workstation) you still cannot access other users' cookies (except cases when one have too wide permissions or known vulnerabilitites with privelege escalation), so you cannot grab their X sessions, can you? 2013/12/8, Stefan Baur : > Am 08.12.2013 16:13, schrieb Nick Ingegneri: >> I think that because I used "xhost +" in my original debugging example, >> the assumption was immediately made that "xhost +" was my primary >> concern. My primary concern is that disabling TCP breaks almost every >> possible use model except for one narrow case (ssh). Among other things, >> it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid >> concerns regarding use of TCP on the internet, we have a different >> hierarchy of concerns regarding what happens on our internal network. > > [long blahblah snipped] > > If you believe Xauth Cookies alone will protect you from nastiness, > think again: > http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11 > for fun and passwords." > > All the nastiness shown in that write-up works *with* .Xauthority in place. > And this was published in 2004, so every script kiddie, every > pimple-faced youth among your trainees, every disgruntled employee knows > about this. (And so does the NSA.) > > Seriously, I've been in the IT Security business for quite a few years > *ahem ahem* - and the real enemy usually isn't some obscure Chinese > hacker, it's an employee, either a lazy and careless one or a malicious > one that has been turned over by a competitor. So do not trust anyone > and anything on your network. Encrypt even your internal traffic. > I've even seen reports of power plugs with surge protectors containing > Network sniffers. So the spying device has unlimited power supply and > sits right in your network, logging all your traffic and sending it out > either via innocuous http requests or via a seperate WiFi network. > > And please, do not fool yourself into thinking "but we don't have > anything to hide". Yes, you have. We all have. Unless you see "1984" as > an instruction manual. > > -Stefan > _______________________________________________ > X2Go-Dev mailing list > X2Go-Dev@lists.berlios.de > https://lists.berlios.de/mailman/listinfo/x2go-dev > From newsgroups.mail2@stefanbaur.de Sun Dec 8 21:10:44 2013 Received: (at 354) by bugs.x2go.org; 8 Dec 2013 20:10:45 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, SPF_HELO_PASS autolearn=ham version=3.3.2 Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by ymir (Postfix) with ESMTP id B0DD95DB1E for <354@bugs.x2go.org>; Sun, 8 Dec 2013 21:10:44 +0100 (CET) Received: from [192.168.0.3] (dslb-188-099-204-091.pools.arcor-ip.net [188.99.204.91]) by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis) id 0Le960-1VD9EF1XY4-00qieY; Sun, 08 Dec 2013 21:10:43 +0100 Message-ID: <52A4D251.1080508@stefanbaur.de> Date: Sun, 08 Dec 2013 21:10:57 +0100 From: Stefan Baur User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: Nable 80 , 354@bugs.x2go.org, x2go-dev@lists.berlios.de Subject: Re: [X2Go-Dev] Bug#354: Things you should know about X References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> <52A4C9F2.5090904@stefanbaur.de> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:m5o++Dk166HXNYvANqb+EH3fSL0DxrHTCAXpHocDsrA cKqGvzqwg9qTYDk5KCbbcNKwDUTm7dfRwLK5Bq7CdoWL+r0sRt pwecMfxSDMWaY5BPWEBEU+heYk3H2f4AbB4aC4JOOufUi0zCTb 5fT2PYotI+b1SJldQH+wEx2ezYyHJq0CDnbTkPMwXAEe6CGe3f ETSyPcyX2oYdEG7CsEypHtPTcGg9mEf6VMTgEUcvySD99rjlju bN4MLdOtWRmfRz237/eIMStBlvfUZs6pPhIbe8ugeD5mAI+FAP OY8Ei+dRX81pu4p16tmLLvhzvb73omDwpFlYAsezgl/dDLJcGE esE+gaZC4FHHVEI9Kh7wQp+DX8yW2mGKFjpmrpmOd Am 08.12.2013 21:05, schrieb Nable 80: > One should notice that without root ( who would give root access to > generic employee? except (possibly) on his workstation) you still > cannot access other users' cookies (except cases when one have too ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > wide permissions or known vulnerabilitites with privelege escalation), ^^^^^^^^^^^^^^^^ > so you cannot grab their X sessions, can you? And here we are again at "Hey, $FOO doesn't work, I'll just do chmod -R 777 * and see if that makes it work." Plus, the rogue employee may as well be the admin, and thus have root rights on the machine where you're logged in. -Stefan From mike.gabriel@das-netzwerkteam.de Mon Dec 9 09:03:01 2013 Received: (at 354) by bugs.x2go.org; 9 Dec 2013 08:03:02 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 5DB945DA7B for <354@bugs.x2go.org>; Mon, 9 Dec 2013 09:03:01 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 5DD101E92B; Mon, 9 Dec 2013 09:03:00 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 28C593C05F; Mon, 9 Dec 2013 09:03:00 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAwnyIiW5zn6; Mon, 9 Dec 2013 09:03:00 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id DD18A3C059; Mon, 9 Dec 2013 09:02:58 +0100 (CET) Received: from nocatv2.tng.de (nocatv2.tng.de [213.178.75.58]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Mon, 09 Dec 2013 08:02:56 +0000 Date: Mon, 09 Dec 2013 08:02:56 +0000 Message-ID: <20131209080256.Horde.2D3T_T19MBF-guIGrOhPwg2@mail.das-netzwerkteam.de> From: Mike Gabriel To: x2go-dev@lists.berlios.de, Stefan Baur Cc: Nable 80 , 354@bugs.x2go.org Subject: Re: [X2Go-Dev] Bug#354: Things you should know about X References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> <52A4C9F2.5090904@stefanbaur.de> <52A4D251.1080508@stefanbaur.de> In-Reply-To: <52A4D251.1080508@stefanbaur.de> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 213.178.75.58 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_6rTtEW2RCMV92B_OvKLo5w1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_6rTtEW2RCMV92B_OvKLo5w1 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Hi Stefan, On So 08 Dez 2013 21:10:57 CET, Stefan Baur wrote: > Am 08.12.2013 21:05, schrieb Nable 80: >> One should notice that without root ( who would give root access to >> generic employee? except (possibly) on his workstation) you still >> cannot access other users' cookies (except cases when one have too > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >> wide permissions or known vulnerabilitites with privelege escalation), > ^^^^^^^^^^^^^^^^ >> so you cannot grab their X sessions, can you? > > And here we are again at "Hey, $FOO doesn't work, I'll just do chmod > -R 777 * and see if that makes it work." > > Plus, the rogue employee may as well be the admin, and thus have > root rights on the machine where you're logged in. > > -Stefan For X2Go we must assume that the root user is a trustworthy person. Otherwise we are completely lost. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_6rTtEW2RCMV92B_OvKLo5w1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSpXkwAAoJEJr0azAldxsxAMEQAIsJtVO0dkoVGPN7zKwC/fYt qz4oEL+maKbuJ7VLn3rF8D232+jBe8Cb6zogs5fBbR9g3bsK86efA7Mig7GqOb+V f1dqWm/33jvd/vFUulJUTmwF6ljvMS1/M2yTf/2hpuPo/yqKJb0WFV+ySWHPTjzU Dr5oOKggRuJWwBylGh9u77OWqkUcqsr8iV5hAcxnyZC4vxQsCzQ4uL1FmtTjC+r7 d/COegLiseozRDeFHURxfMkU/jgtc1Ey1y2pnyGj1WQwbcBcbnJzg71MPzk3k18j ICAgOkJn6uFM4BHEV7jIx1V9ovzOF2iLQAQUAvDbQ3oGR+dUzdmkoTqt4YsxfKOk GAXyQaU4XugmZPTvRmfIYwcSWZ28R/R1n8kip5IXCeQzqpIr5wAgAXI0htaF1yyj xdNzEsHVrhoziTrukg6KHME6UxvJjEBrlLSfwkWNSDVEOz4gM4b7EptIJWYzg8SP DQbePiL4Kk9LZ9LTRqD23K23ZC48iMKFY7Bh4Nfv0RrNyWtxnZ7Re//LA1NvSEBw mO3qbtOzYGAujTp0GsqGViJoDQLsoy6LQGw52iWsRcC0qmHcJYMAWJzOQxMxynsX qE3VpFv0ucFzkdbHC0RSIpBAWtClzwSBlJm9kn91WG0D/PWrn+4X8sKI6VSavTRq 8zJWKB4pa/dXu9rsC+82 =Y+S0 -----END PGP SIGNATURE----- --=_6rTtEW2RCMV92B_OvKLo5w1-- From mike.gabriel@das-netzwerkteam.de Mon Dec 9 09:08:32 2013 Received: (at 354) by bugs.x2go.org; 9 Dec 2013 08:08:32 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 27F975DA7B for <354@bugs.x2go.org>; Mon, 9 Dec 2013 09:08:32 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id C3B0AA37; Mon, 9 Dec 2013 09:08:30 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id B10143C058; Mon, 9 Dec 2013 09:08:30 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J81cf3mhcLgc; Mon, 9 Dec 2013 09:08:30 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 55E0A3C015; Mon, 9 Dec 2013 09:08:29 +0100 (CET) Received: from nocatv2.tng.de (nocatv2.tng.de [213.178.75.58]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Mon, 09 Dec 2013 08:08:29 +0000 Date: Mon, 09 Dec 2013 08:08:29 +0000 Message-ID: <20131209080829.Horde.Lo0aSm7GN8VVLm26eoL6wA1@mail.das-netzwerkteam.de> From: Mike Gabriel To: Nick Ingegneri , Stefan Baur Cc: Alexander Wuerstlein , "354@bugs.x2go.org" <354@bugs.x2go.org> Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> In-Reply-To: <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 213.178.75.58 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_IYbgqfo1V7bk8hZ1RGA3xA4"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_IYbgqfo1V7bk8hZ1RGA3xA4 Content-Type: text/plain; charset=ISO-8859-1; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Nick, On So 08 Dez 2013 16:13:02 CET, Nick Ingegneri wrote: >> On Saturday, December 7, 2013 2:51 PM, Mike Gabriel=20=20 >>=20 wrote: >> >> Control: tag -1 wontfix >> Control: close -1 >> >> Hi Stefan, >> >> On Sa 07 Dez 2013 22:30:17 CET, Stefan Baur wrote: >> >>> [...] >> >>> Man, where are my pills, I don't want to go into full Theo de=20=20 >>>=20Raadt mode ... >> >> Okokokok... heard! >> >> @Nick: please place a copy of x2gostartagent into >> /usr/local/bin for a transition period and modify it to your=20=20 >>=20needs. We won't reenable TCP listening in upstream X2Go. For long=20= =20 >>=20term usage of X2Go, adapt your workflows to a more secure model. >> >> Mike > Mike, Stefan, Alexander, et al., > > I was watching this conversation play out before replying. > > It isn't going to be fruitful to be pulled into a long discussion=20=20 >=20about the specifics of our compute environment. There are many=20=20 >=20assumptions being made in this discussion that aren't correct, and=20= =20 >=20saying "don't use TCP" without knowing these specifics is ignorant.=20= =20 >=20There are industry-standard commercial products that disabling TCP=20= =20 >=20breaks. Our IT department cannot decide to stop supporting TCP; it=20= =20 >=20is the users and our commercial suppliers who determine what IT has=20= =20 >=20to support. > > I think that because I used "xhost +" in my original debugging=20=20 >=20example, the assumption was immediately made that "xhost +" was my=20= =20 >=20primary concern. My primary concern is that disabling TCP > breaks almost every possible use model except for one narrow case=20=20 >=20(ssh). Among other things, it breaks the MIT-MAGIC-COOKIE-1=20=20 >=20mechanism. While there are very valid concerns regarding use of TCP=20= =20 >=20on the internet, we have a different hierarchy of concerns regarding=20= =20 >=20what happens on our internal network. > > One incorrect assumption that is being made in this discussion is=20=20 >=20that some action to initiate the display can take place on the=20=20 >=20system the user is logged into, or that the user is even involved in=20= =20 >=20initiating the display.=A0 Consider this use model: > > 1: User's display is system100:24 > 2: Automated processes, with no user involvement, launch a program=20=20 >=20on a randomly chosen system (let's say it is system204). > 3: The new program running on system204 now has to connect back to=20=20 >=20the display on system100:24 > > Personally, the problem is solved for us for at least the moment and=20= =20 >=20we can move forward with what we are trying to do. Having to > edit /usr/bin/x2gostartagent every time we install or upgrade the=20=20 >=20package is inelegant and creates additional administrative overhead,=20= =20 >=20but it is manageable. > > This is your project, not mine, I merely came to the mailing list=20=20 >=20with a problem looking for a solution. I can tell you that our use=20= =20 >=20model is extremely common in industry and that breaking it will=20=20 >=20render X2Go unusable. Of the five alternatives we are looking at,=20=20 >=20X2Go was the only one with TCP disabled. Most system administrators=20= =20 >=20trying to set up an evaluation of X2Go aren't typically going to dig=20= =20 >=20further than the documentation and config files in trying to fix=20=20 >=20this problem. If you make fixing it so obscure that it escapes these=20= =20 >=20system administrators, then X2Go isn't going to get very far in=20=20 >=20those evaluations. > > How accessible or obscure you make this setting is up to you as=20=20 >=20developers, but saying to users "your use model is wrong" doesn't=20=20 >=20show appreciation for the diversity of ways that X is used in=20=20 >=20production. > > Cheers, > Nick Thanks again for this valuable feedback. I must say, I am a little=20=20 undecided=20on this. I have been working at a university institute where=20= =20 X-servers=20with TCP disabled also simply would have blocked all=20=20 established=20workflows. I will discuss this issue personally with Alex (Oleksandr Shneyder)=20=20 and=20the two of use will then decide how to procede here. @Stefan: I completely get your concerns, but I also here quite a big=20=20 deal=20of paranoia. I am not working on X2Go to protect X2Go users from=20= =20 themselves,=20I am working on X2Go to provide a flexible remote desktop=20= =20 solution. light+love, Mike --=20 DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x= fb --=_IYbgqfo1V7bk8hZ1RGA3xA4 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSpXp9AAoJEJr0azAldxsxgiAQALe8emNMSMF5pxmZcc1kVuTd GCwMPFdTF6K954UhYic4QI8djCqOWgyWjHPaU4L3qaic6yMhZlgcOd39GQIC/eKj KID5HlYR09jCbx5jbqljjVhJxKNAiaWRnI9fkFGYV+RyFqNdRXpAVMuDkvDwLmzo qb1HXs9u33/AsMBa+/vAybg1qIZUSA78OicA0hjiq5Pv8B2PrjLRFQrd9X6B83y6 +P1qA+R5paep/0AEHmWopB6IYN45AF03ZI445xuRNqXNvz6wcr8YmhQ7gMOG/VNz 543kSKqgYHy9uerXM0DUitsB82PUX+8kKC7LU4edhNXjcDaQ1YMva9OjDHfnxqUn dE5Fj9M4Ri7xB+OU3SdZ0/nPXZtUmMKD/cLxeXYP1QcsRHtQfMwZZe7WbMrjE7Gh h4dPkHCIU8cTyy9o/LtZNDwnblDfVD0483RR9t5J3uZCcNJPPPDhHKjonXZJHMrL qWqnfCoGLD8/ugMF41xRarZtl5MGDGxV73U+HMVI5Wot81B3bfv7nXvvzchmLnNN 32CTM42iCBp7k0O1Nh6w6MtzvpgXcMYulMNNsRrJ1I+qvtxqgEbV4nc/yq7JExij jgM2azFgcMCM0t4pkFqZSaGgZ4icQrke5c4MKk1Oqs5BC3PNBYc0yFK7yEZDvIdn h1n2bsGUispRP5S9VUup =O0uX -----END PGP SIGNATURE----- --=_IYbgqfo1V7bk8hZ1RGA3xA4-- From mike.gabriel@das-netzwerkteam.de Mon Dec 9 15:51:06 2013 Received: (at 354) by bugs.x2go.org; 9 Dec 2013 14:51:06 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id D0A635DA7B for <354@bugs.x2go.org>; Mon, 9 Dec 2013 15:51:05 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id C8B4C1ED3D; Mon, 9 Dec 2013 15:51:04 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 9E4D63BE24; Mon, 9 Dec 2013 15:51:04 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q4a2tHLgXQ+z; Mon, 9 Dec 2013 15:51:04 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 58A443BD4B; Mon, 9 Dec 2013 15:51:04 +0100 (CET) Received: from listrac.informatik.uni-kiel.de (listrac.informatik.uni-kiel.de [134.245.252.114]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Mon, 09 Dec 2013 14:51:04 +0000 Date: Mon, 09 Dec 2013 14:51:04 +0000 Message-ID: <20131209145104.Horde.kMGvz01muTGbaQNcsMzQOw1@mail.das-netzwerkteam.de> From: Mike Gabriel To: 354@bugs.x2go.org, x2go-dev@lists.berlios.de, Nick Ingegneri , Stefan Baur , o.shneyder@phoca-gmbh.de Subject: Re: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com> <20131209080829.Horde.Lo0aSm7GN8VVLm26eoL6wA1@mail.das-netzwerkteam.de> In-Reply-To: <20131209080829.Horde.Lo0aSm7GN8VVLm26eoL6wA1@mail.das-netzwerkteam.de> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 134.245.252.114 X-Remote-Browser: Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_ueiPZpzxcpUbRXjaO_dAAw1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_ueiPZpzxcpUbRXjaO_dAAw1 Content-Type: text/plain; charset=ISO-8859-1; format=flowed; DelSp=Yes Content-Disposition: inline Control: reopen -1 Control: tag -1 - wontfix Hi all, On Mo 09 Dez 2013 09:08:29 CET, Mike Gabriel wrote: > I will discuss this issue personally with Alex (Oleksandr Shneyder) > and the two of use will then decide how to procede here. I have talked to Alex. We will implement a config option that enables TCP listening of x2goagent. There will be a big red sign in the config and the default will be to TCP-nolisten. light+love Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_ueiPZpzxcpUbRXjaO_dAAw1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSpdjYAAoJEJr0azAldxsx6n8QAIMupaSkUod7DId8T9A/kUbG M8gw49M+ZXoCs0BlxvMd30BCLhtV84Rx4wejHpZbfji5cmEbfdoO52XtrCDHKnVs 6bLhftDlSD15AcVrbDB1SsiW5xNquz4WQqB+gTeiraB3z9XhUs0NCS/FcmSOu8cU G/DLanmCgD0WOgeJBoVdb3rE4WdzG6Ca9AQzyv1diJG2hHaeZa25UmExnyqSWXf/ HnU+ubhUpBkFxC/gVux7Lobj3XoEdp3zL52kj47QCtpvqLz85a+PPSJj7L0W/FQx F9OSwm9rk+fzvir8GOYFo5TdrbYQ/13l442/GGERS1nvTaa92VmIL+D/MdBdmOY0 QRcFUvUmrYJfRTGAiYagw87rVSIvnkv+w6kZdfLuCGTB1owe5ILXKZDciKhKo3er RPq/GhoMvSavNJbfEqWtJNJzTS7VJjJqA2n7kxUvwScL7Jp15Nqa6c1vNfv3OqX2 ejhwsz6zA+z7jyYCGv4Kd8hWED68snepLAiVQBHGXcJfJlXtC5p2zFhM0lCHmlVL PjQXAaKgVqk7lsXdsklCf385UV4nV8M/BXxI7sze8P+iAbFNnuwJXgqMjlmct5yj Ix5En/WpuEjAhoDOV0/EPx/Bav+pYRPPt1f5xwdzaIcoJY9sQ+780ILrsctsW5t2 7JcOFHsdQWZ9o1hwfFwX =FQQI -----END PGP SIGNATURE----- --=_ueiPZpzxcpUbRXjaO_dAAw1-- From x2go@ymir Tue Dec 10 09:51:29 2013 Received: (at 354) by bugs.x2go.org; 10 Dec 2013 08:51:38 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS, URIBL_BLOCKED autolearn=unavailable version=3.3.2 Received: by ymir (Postfix, from userid 1005) id 851085DB20; Tue, 10 Dec 2013 09:51:29 +0100 (CET) From: Mike Gabriel To: 354-submitter@bugs.x2go.org Cc: control@bugs.x2go.org, 354@bugs.x2go.org Subject: X2Go issue (in src:x2goserver) has been marked as pending for release Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit X-Mailer: http://snipr.com/post-receive-tag-pending Message-Id: <20131210085129.851085DB20@ymir> Date: Tue, 10 Dec 2013 09:51:29 +0100 (CET) tag #354 pending fixed #354 4.0.1.10 thanks Hello, X2Go issue #354 (src:x2goserver) reported by you has been fixed in X2Go Git. You can see the changelog below, and you can check the diff of the fix at: http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=13ec71f The issue will most likely be fixed in src:x2goserver (4.0.1.10). light+love X2Go Git Admin (on behalf of the sender of this mail) --- commit 13ec71f7df3efae239c2dbe96a5abe9370fa7b2f Author: Mike Gabriel Date: Tue Dec 10 09:36:44 2013 +0100 Handle TCP listening of x2goagent in x2goagent.options. (Fixes: #354). diff --git a/debian/changelog b/debian/changelog index 3a54b9d..9c562e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ x2goserver (4.0.1.10-0x2go1) UNRELEASED; urgency=low - x2goserver-fmbindings/Makefile: install share/applications and share/mime. - x2goserver-printing/Makefile: create feature.d directory before installing files into it. + - Handle TCP listening of x2goagent in x2goagent.options. (Fixes: #354). * Grab systemd service file from Fedora and ship it upstream. * Add init script for RPM based distro. Taken from the Fedora package. From x2go@ymir Mon Jan 6 18:28:54 2014 Received: (at 354) by bugs.x2go.org; 6 Jan 2014 17:28:55 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=ham version=3.3.2 Received: by ymir (Postfix, from userid 1005) id EC48A5DB26; Mon, 6 Jan 2014 18:28:54 +0100 (CET) From: Mike Gabriel To: 354-submitter@bugs.x2go.org Cc: control@bugs.x2go.org, 354@bugs.x2go.org Subject: X2Go issue (in src:x2goserver) has been marked as closed Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit Message-Id: <20140106172854.EC48A5DB26@ymir> Date: Mon, 6 Jan 2014 18:28:54 +0100 (CET) close #354 thanks Hello, we are very hopeful that X2Go issue #354 reported by you has been resolved in the new release (4.0.1.10) of the X2Go source project »src:x2goserver«. You can view the complete changelog entry of src:x2goserver (4.0.1.10) below, and you can use the following link to view all the code changes between this and the last release of src:x2goserver. http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=1a793e3d843bbeee3e597c762d9fe1d19c97baa7;hp=f26122424320ebdb563af072fc89cc03ce8bc158 If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2goserver. Thanks a lot for contributing to X2Go!!! light+love X2Go Git Admin (on behalf of the sender of this mail) --- X2Go Component: src:x2goserver Version: 4.0.1.10-0x2go1 Status: RELEASE Date: Fri, 03 Jan 2014 11:34:36 +0100 Fixes: 354 355 Changes: x2goserver (4.0.1.10-0x2go1) RELEASED; urgency=low . * New upstream version (4.0.1.10): - Fix x2goresume-session. The several parameters placed into the NX options file are expected by x2goresume-session at very specific positions. This we broke by trying to fix the fullscreen/geometry issue in x2gostartagent. Thanks to Harvey Eneman for tracking this down!!! (Fixes: #355). - x2goserver-fmbindings/Makefile: install x2gofm. - x2goserver-fmbindings/Makefile: install share/applications and share/mime. - x2goserver-printing/Makefile: create feature.d directory before installing files into it. - Handle TCP listening of x2goagent in x2goagent.options. (Fixes: #354). - Clean up Makefiles, remove commented out lines. - Use xkb ruleset 'base' rather than xfree86 as on RHEL systems the xfree86 symlink to base ruleset does not exist. - Grab systemd service file from Fedora and ship it upstream. - Provide RHEL/Fedora support in x2goserver-xsession. - Only sanity check for existence of /etc/x2go/Xsession.d on Debian (derived) systems. - Provide man page for x2goserver.conf. * x2goserver.spec: + Ship x2goserver.spec (RPM package definitions) in upstream project. (Thanks to the Fedora package maintainers). File differs from the Fedora file already. + Add init script for RPM based distro. Taken from the Fedora package. + Clear (Fedora package) changelog. From unknown Fri Mar 29 09:02:28 2024 MIME-Version: 1.0 X-Mailer: MIME-tools 5.502 (Entity 5.502) X-Loop: owner@bugs.x2go.org From: owner@bugs.x2go.org (X2Go Bug Tracking System) Subject: Bug#354 closed by Mike Gabriel (X2Go issue (in src:x2goserver) has been marked as closed) Message-ID: References: <20140106172854.EC48A5DB26@ymir> X-X2go-PR-Keywords: pending X-X2go-PR-Message: they-closed 354 X-X2go-PR-Package: x2goserver X-X2go-PR-Source: x2goserver Date: Mon, 06 Jan 2014 17:30:05 +0000 Content-Type: multipart/mixed; boundary="----------=_1389029405-22937-0" This is a multi-part message in MIME format... ------------=_1389029405-22937-0 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 This is an automatic notification regarding your Bug report which was filed against the x2goserver package: #354: Make x2goagent listening to TCP connections configurable in x2goserve= r.conf It has been closed by Mike Gabriel . Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mike Gabriel by replying to this email. --=20 X2Go Bug Tracking System Contact owner@bugs.x2go.org with problems ------------=_1389029405-22937-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at control) by bugs.x2go.org; 6 Jan 2014 17:29:27 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=unavailable version=3.3.2 Received: by ymir (Postfix, from userid 1005) id EC48A5DB26; Mon, 6 Jan 2014 18:28:54 +0100 (CET) From: Mike Gabriel To: 354-submitter@bugs.x2go.org Cc: control@bugs.x2go.org, 354@bugs.x2go.org Subject: X2Go issue (in src:x2goserver) has been marked as closed Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit Message-Id: <20140106172854.EC48A5DB26@ymir> Date: Mon, 6 Jan 2014 18:28:54 +0100 (CET) close #354 thanks Hello, we are very hopeful that X2Go issue #354 reported by you has been resolved in the new release (4.0.1.10) of the X2Go source project »src:x2goserver«. You can view the complete changelog entry of src:x2goserver (4.0.1.10) below, and you can use the following link to view all the code changes between this and the last release of src:x2goserver. http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=1a793e3d843bbeee3e597c762d9fe1d19c97baa7;hp=f26122424320ebdb563af072fc89cc03ce8bc158 If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2goserver. Thanks a lot for contributing to X2Go!!! light+love X2Go Git Admin (on behalf of the sender of this mail) --- X2Go Component: src:x2goserver Version: 4.0.1.10-0x2go1 Status: RELEASE Date: Fri, 03 Jan 2014 11:34:36 +0100 Fixes: 354 355 Changes: x2goserver (4.0.1.10-0x2go1) RELEASED; urgency=low . * New upstream version (4.0.1.10): - Fix x2goresume-session. The several parameters placed into the NX options file are expected by x2goresume-session at very specific positions. This we broke by trying to fix the fullscreen/geometry issue in x2gostartagent. Thanks to Harvey Eneman for tracking this down!!! (Fixes: #355). - x2goserver-fmbindings/Makefile: install x2gofm. - x2goserver-fmbindings/Makefile: install share/applications and share/mime. - x2goserver-printing/Makefile: create feature.d directory before installing files into it. - Handle TCP listening of x2goagent in x2goagent.options. (Fixes: #354). - Clean up Makefiles, remove commented out lines. - Use xkb ruleset 'base' rather than xfree86 as on RHEL systems the xfree86 symlink to base ruleset does not exist. - Grab systemd service file from Fedora and ship it upstream. - Provide RHEL/Fedora support in x2goserver-xsession. - Only sanity check for existence of /etc/x2go/Xsession.d on Debian (derived) systems. - Provide man page for x2goserver.conf. * x2goserver.spec: + Ship x2goserver.spec (RPM package definitions) in upstream project. (Thanks to the Fedora package maintainers). File differs from the Fedora file already. + Add init script for RPM based distro. Taken from the Fedora package. + Clear (Fedora package) changelog. ------------=_1389029405-22937-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by bugs.x2go.org; 6 Dec 2013 11:21:57 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 28FAB5DB05 for ; Fri, 6 Dec 2013 12:21:57 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id D641F1EBB7; Fri, 6 Dec 2013 12:21:56 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 5C0E53C2DB; Fri, 6 Dec 2013 12:21:56 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXjXiLb3oHZ4; Fri, 6 Dec 2013 12:21:56 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 29FE93C1DE; Fri, 6 Dec 2013 12:21:56 +0100 (CET) Received: from pD9E9F4D9.dip0.t-ipconnect.de (pD9E9F4D9.dip0.t-ipconnect.de [217.233.244.217]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Fri, 06 Dec 2013 11:21:55 +0000 Date: Fri, 06 Dec 2013 11:21:55 +0000 Message-ID: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> From: Mike Gabriel To: submit@bugs.x2go.org Cc: Nick Ingegneri Subject: Make x2goagent listening to TCP connections configurable in x2goserver.conf User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 217.233.244.217 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_W7q4CCA4wXrmUEPv7g9XuQ1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_W7q4CCA4wXrmUEPv7g9XuQ1 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Package: x2goserver Severity: wishlist Debbugs-Cc: Make x2goagent listening to TCP connections configurable in x2goserver.conf. This was requested by Nick Ingegneri on x2go-user ML. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_W7q4CCA4wXrmUEPv7g9XuQ1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSobNTAAoJEJr0azAldxsxybIQAKU1r6xoJSc9gJm7NL5TaPxs XUokvS3XRnXMl9SkjJUUGx5n+lEEyEBMdqQ6p7TVoTvNgRDcjTRaJaunkLtCDJmO bUhPgQx95iJjSm/PmyWGucqMmJmaXl4f4yXsTzWQTC1YF0t/Hk4rfWiALshg0dvY cjKpHut2buQDEV1vs07nB3AMUo/SUtCm7jXy7wuKpjYII9loucPA+acYO2WkaM2u CKnD0qbph1VWMo0LLIdpl9L/BC0oxQAHp9QXCNPiPlk3Nnsn1JZJwLb1S7dUaa4S K68xxIZLNShZET0xoK+tMuyv3EO7YiK+wg9jF3UBVpKoBgsvnD76OMfc94PuQqsM z9YCd0UJQnukoCVzAGPn+oaFxPZsmIigKwEIre3RPppgxpPgQvL1HyMKrTO0CCVf Ku22Sf/AENiPoO1pPCh6NXliwUP3wR9EU1/zHP6VYAiOovPt0muKgvJc4XrybMrT pTJNQcYPeqPwSgdGHXAzjR0OEqlIv8bhWPAcmY+CQZ0iSrJ+rA/gvisM5EJilwgg 95EaW1fYRY5iJVYi1AD+24PPAfR/K4lAGLNht83/yQiAVaGs9ag87zgkb7JCCwfP OfeLrKPvSvFB8nMghioPnYaJ8g7KCG9f9OwjgHdAYpeql+mGEIUxOJWnUND6XQat PaMqZ6pn2anMZOsjENcl =1fG6 -----END PGP SIGNATURE----- --=_W7q4CCA4wXrmUEPv7g9XuQ1-- ------------=_1389029405-22937-0-- From dfoudray@gmail.com Tue Jan 28 20:41:00 2014 Received: (at 354) by bugs.x2go.org; 28 Jan 2014 19:41:00 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, HTML_MESSAGE,T_DKIM_INVALID autolearn=ham version=3.3.2 Received: from mail-pd0-f174.google.com (mail-pd0-f174.google.com [209.85.192.174]) by ymir (Postfix) with ESMTPS id AF8A85DB13 for <354@bugs.x2go.org>; Tue, 28 Jan 2014 20:40:59 +0100 (CET) Received: by mail-pd0-f174.google.com with SMTP id z10so747234pdj.19 for <354@bugs.x2go.org>; Tue, 28 Jan 2014 11:40:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=w81Cjd7uy4U9tAD72RcIH5SFAyArAF06DkzCpkJT7xc=; b=ZZ9oayj90cDjWGyY5HOxLkNdoOL0IibfYpM6wDqwWqiPYUOL6MXsXxdIJOcUCy8JT0 GoxFWS18Asc6FeahwGNR7HZNd4xxDsQ6h2Eao+gkcx1wnpu7yhf3+TY47u902fmapNS6 1guo+bOD5jpXd7dy3UeYi3zwZ/z1+PmY2S/eLj5f4AozRjsTCeu15P6brpLaWP58mDOK idvjMg3x4QfO+NDtBgLcfy7wo4SrrfvJFgetnmobgQuHx1cpHG3RJCgAsonAtb7n5KkG KgvZguuLMHPC6FDFKJCnSu8KXsV/60ACv/6M0cOrdDaD1aeKYeAGj74S/bnvL4E8Nf+X BpmQ== X-Received: by 10.66.65.134 with SMTP id x6mr3477861pas.12.1390938057686; Tue, 28 Jan 2014 11:40:57 -0800 (PST) MIME-Version: 1.0 Received: by 10.68.138.230 with HTTP; Tue, 28 Jan 2014 11:40:37 -0800 (PST) From: Dustin Foudray Date: Tue, 28 Jan 2014 12:40:37 -0700 Message-ID: Subject: Issue's with display forwarding in x2go To: 354@bugs.x2go.org Content-Type: multipart/alternative; boundary=001a11363354d5428c04f10d0097 --001a11363354d5428c04f10d0097 Content-Type: text/plain; charset=ISO-8859-1 Hello, With the support of setting this option through x2goagent.options, the way we previously worked around this issue no longer work's and I am not able to make tcp X forwarding work with the new option's file setting. Am I missing something. In the mean time is there a way we can downgrade back to the previous server version? -- -Dustin Foudray --001a11363354d5428c04f10d0097 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Hello,
=A0=A0=A0=A0=A0=A0=A0 With the suppor= t of setting this option through x2goagent.options, the way we previously w= orked around this issue no longer work's and I am not able to make tcp = X forwarding work with the new option's file setting. =A0Am I missing s= omething. In the mean time is there a way we can downgrade back to the prev= ious server version?

--
-Dustin Foudray
--001a11363354d5428c04f10d0097-- From tonyfoxdog@ds6357.dreamservers.com Tue Feb 18 23:13:36 2014 Received: (at 354) by bugs.x2go.org; 18 Feb 2014 22:13:45 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: **** X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_999,FORGED_YAHOO_RCVD, FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,T_REMOTE_IMAGE, URIBL_BLOCKED autolearn=no version=3.3.2 X-Greylist: delayed 326 seconds by postgrey-1.34 at ymir; Tue, 18 Feb 2014 23:13:36 CET Received: from ds6357.dreamservers.com (ds6357.dreamservers.com [208.113.205.253]) by ymir (Postfix) with ESMTP id 885C65DB1C for <354@bugs.x2go.org>; Tue, 18 Feb 2014 23:13:36 +0100 (CET) Received: by ds6357.dreamservers.com (Postfix, from userid 2870896) id 0086A1FCAC; Tue, 18 Feb 2014 14:08:21 -0800 (PST) Date: Tue, 18 Feb 2014 14:08:21 -0800 To: 354@bugs.x2go.org From: Yahoo!!! Reply-to: Subject: Yahoo Alert Message-ID: <953678fff7be24fea37ff01f5f0d414b@www.davidcostasblog.com> X-Priority: 3 X-Mailer: PHPMailer [version ] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/html; charset="iso-8859-1"

Due to the recent upgrade in our SSL server to serve you better,
Please note that all users are mandated to update their login
details in other to enjoy the new upgrade. You are required to
update through the link below
.



Thanks for using Yahoo!
Yahoo Team.

From tonyfoxdog@ds6357.dreamservers.com Tue Feb 18 23:13:36 2014 Received: (at 354-submit) by bugs.x2go.org; 18 Feb 2014 22:13:53 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: **** X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_999,FORGED_YAHOO_RCVD, FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,T_REMOTE_IMAGE, URIBL_BLOCKED autolearn=no version=3.3.2 X-Greylist: delayed 326 seconds by postgrey-1.34 at ymir; Tue, 18 Feb 2014 23:13:36 CET Received: from ds6357.dreamservers.com (ds6357.dreamservers.com [208.113.205.253]) by ymir (Postfix) with ESMTP id 8730E5DB11 for <354-submit@bugs.x2go.org>; Tue, 18 Feb 2014 23:13:36 +0100 (CET) Received: by ds6357.dreamservers.com (Postfix, from userid 2870896) id 1FD591FCC2; Tue, 18 Feb 2014 14:08:21 -0800 (PST) Date: Tue, 18 Feb 2014 14:08:21 -0800 To: 354-submit@bugs.x2go.org From: Yahoo!!! Reply-to: Subject: Yahoo Alert Message-ID: X-Priority: 3 X-Mailer: PHPMailer [version ] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/html; charset="iso-8859-1"

Due to the recent upgrade in our SSL server to serve you better,
Please note that all users are mandated to update their login
details in other to enjoy the new upgrade. You are required to
update through the link below
.



Thanks for using Yahoo!
Yahoo Team.

From tonyfoxdog@ds6357.dreamservers.com Tue Feb 18 23:13:36 2014 Received: (at 354-submit) by bugs.x2go.org; 18 Feb 2014 22:14:00 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: **** X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_999,FORGED_YAHOO_RCVD, FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,T_REMOTE_IMAGE, URIBL_BLOCKED autolearn=no version=3.3.2 Received: from ds6357.dreamservers.com (ds6357.dreamservers.com [208.113.205.253]) by ymir (Postfix) with ESMTP id 87BB25DB1B for <354-submit@bugs.x2go.org>; Tue, 18 Feb 2014 23:13:36 +0100 (CET) Received: by ds6357.dreamservers.com (Postfix, from userid 2870896) id 481901FC9E; Tue, 18 Feb 2014 14:08:10 -0800 (PST) Date: Tue, 18 Feb 2014 14:08:10 -0800 To: 354-submit@bugs.x2go.org From: Yahoo!!! Reply-to: Subject: Yahoo Alert Message-ID: X-Priority: 3 X-Mailer: PHPMailer [version ] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/html; charset="iso-8859-1"

Due to the recent upgrade in our SSL server to serve you better,
Please note that all users are mandated to update their login
details in other to enjoy the new upgrade. You are required to
update through the link below
.



Thanks for using Yahoo!
Yahoo Team.

From tonyfoxdog@ds6357.dreamservers.com Tue Feb 18 23:13:36 2014 Received: (at 354-submitter) by bugs.x2go.org; 18 Feb 2014 22:13:37 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: **** X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_999,FORGED_YAHOO_RCVD, FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,T_REMOTE_IMAGE, URIBL_BLOCKED autolearn=no version=3.3.2 Received: from ds6357.dreamservers.com (ds6357.dreamservers.com [208.113.205.253]) by ymir (Postfix) with ESMTP id 896C75DB21 for <354-submitter@bugs.x2go.org>; Tue, 18 Feb 2014 23:13:36 +0100 (CET) Received: by ds6357.dreamservers.com (Postfix, from userid 2870896) id 5337B1FC9F; Tue, 18 Feb 2014 14:08:10 -0800 (PST) Date: Tue, 18 Feb 2014 14:08:10 -0800 To: 354-submitter@bugs.x2go.org From: Yahoo!!! Reply-to: Subject: Yahoo Alert Message-ID: X-Priority: 3 X-Mailer: PHPMailer [version ] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/html; charset="iso-8859-1"

Due to the recent upgrade in our SSL server to serve you better,
Please note that all users are mandated to update their login
details in other to enjoy the new upgrade. You are required to
update through the link below
.



Thanks for using Yahoo!
Yahoo Team.

From tonyfoxdog@ds6357.dreamservers.com Tue Feb 18 23:13:36 2014 Received: (at 354-submitter) by bugs.x2go.org; 18 Feb 2014 22:14:09 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: **** X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_999,FORGED_YAHOO_RCVD, FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,T_REMOTE_IMAGE, URIBL_BLOCKED autolearn=no version=3.3.2 X-Greylist: delayed 326 seconds by postgrey-1.34 at ymir; Tue, 18 Feb 2014 23:13:36 CET Received: from ds6357.dreamservers.com (ds6357.dreamservers.com [208.113.205.253]) by ymir (Postfix) with ESMTP id 88ECE5DB20 for <354-submitter@bugs.x2go.org>; Tue, 18 Feb 2014 23:13:36 +0100 (CET) Received: by ds6357.dreamservers.com (Postfix, from userid 2870896) id 0AE141FCAB; Tue, 18 Feb 2014 14:08:21 -0800 (PST) Date: Tue, 18 Feb 2014 14:08:21 -0800 To: 354-submitter@bugs.x2go.org From: Yahoo!!! Reply-to: Subject: Yahoo Alert Message-ID: <2579dc68df116bccb79ab206a8c93b31@www.davidcostasblog.com> X-Priority: 3 X-Mailer: PHPMailer [version ] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/html; charset="iso-8859-1"

Due to the recent upgrade in our SSL server to serve you better,
Please note that all users are mandated to update their login
details in other to enjoy the new upgrade. You are required to
update through the link below
.



Thanks for using Yahoo!
Yahoo Team.

From unknown Fri Mar 29 09:02:28 2024 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@bugs.x2go.org From: Debbugs Internal Request Subject: Internal Control Message-Id: Bug archived. Date: Mi, 19 =?UTF-8?Q?M=C3=83=C2=A4r?= 2014 06:24:01 +0000 User-Agent: Fakemail v42.6.9 # A New Hope # A long time ago, in a galaxy far, far away # something happened. # # Magically this resulted in the following # action being taken, but this fake control # message doesn't tell you why it happened # # The action: # Bug archived. thanks # This fakemail brought to you by your local debbugs # administrator