Subject: Bug#354: [X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf
From: Alexander Wuerstlein
To: Stefan Baur, 354@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: Nick Ingegneri, Mike Gabriel
Date: Fri, 6 Dec 2013 20:56:00 +0100
Message-ID: <20131206195600.GA26961@cip.informatik.uni-erlangen.de>
In-Reply-To: <52A21285.7090407@stefanbaur.de>

On 13-12-06 19:18, Stefan Baur wrote:
> On 06.12.2013 18:44, Nick Ingegneri wrote:
> > Once it became apparent in our testing that exporting displays didn't
> > work as expected, the system administrator who installed it went through
> > the configuration files and documentation looking for a solution. He
> > couldn't find one, so he escalated it to me to look into. If we hadn't
> > been able to find a fix it would have ruled out X2Go from further
> > consideration, which would have been unfortunate as it is currently our
> > leading choice for this particular need.
>
> In my opinion, Mike is a bit too customer-friendly here by turning
> your request into a wishlist item that lets every newbie shoot
> him-/herself in the foot, security-wise, by toggling a setting in
> the configuration.
> Sorry, but I've seen way too many people go "chmod 777 -R /*" as
> soon as something doesn't work as expected, and I'm fearing the same
> for an easily reachable option to allow TCP connections - because
> "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the
> filesystem.
>
> Of course, everybody is free to shoot him-/herself in the foot,
> that's why it's Linux - but merely leaving a "this is dangerous"
> note next to the parameter is like sticking a tag "please don't use
> this unless you know what you're doing" on a loaded 12-gauge in a
> room full of toddlers.
There is one more aspect to this: if there is such a configuration option, then sooner or later the likes of Linux Mint will enable it by default for all their users, leaving them wide open to the whole world, despite all the warnings. They did that with 'xhost +' [0]. So I agree that even just having such an option hidden away somewhere would be very, very bad. It needs to be hard and a lot of work to break security, or somebody will do it by default and deploy it on a wide scale.

Ciao,

Alexander Wuerstlein.

[0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520
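The two conditions this thread warns about (access control disabled with "xhost +", and an X server accepting TCP connections on a non-loopback address) are easy to audit on a host. The following is an added example, not code from the X2Go project or from anyone in this thread. It parses the output of `xhost` and `ss -ltn`; the sample outputs embedded below are constructed so the script runs offline, and the loopback/port-range rules (TCP 6000 + display number, 6000-6063) are the script's own assumptions about what counts as exposed.

```sh
#!/bin/sh
# Added example, not code from the X2Go thread or project.
# Audits two conditions on an X11/X2Go host:
#   1. access control disabled ("xhost +"), and
#   2. the X server listening for TCP connections on a non-loopback
#      address (TCP port 6000 + display number).
# The sample inputs below are CONSTRUCTED to resemble `xhost` and `ss -ltn`
# output so the script runs offline; on a live host use the real output:
#   audit_x_access "$(xhost 2>/dev/null)" "$(ss -ltn)"

# Constructed `xhost` output for the two states it can report.
XHOST_SECURE='access control enabled, only authorized clients can connect
SI:localuser:alice'
XHOST_OPEN='access control disabled, clients can connect from any host
SI:localuser:alice'

# Constructed `ss -ltn` output: one host with X only on loopback, one
# with X bound to all interfaces.
SS_SECURE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    [::1]:6010         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6000          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Exit 0 when the xhost output reports access control disabled (xhost +).
xhost_is_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Exit 0 when ss shows a listener on an X display port (assumed range
# 6000-6063) that is not bound to a loopback address.
x_listens_on_tcp() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port); port = port + 0
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (port >= 6000 && port <= 6063 &&
                addr != "127.0.0.1" && addr != "[::1]")
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Prints findings; exits 0 if neither condition holds, 1 otherwise.
audit_x_access() {
    xhost_out=$1; ss_out=$2; rc=0
    if xhost_is_open "$xhost_out"; then
        echo "FAIL: X access control disabled (xhost +); run 'xhost -'"
        rc=1
    fi
    if x_listens_on_tcp "$ss_out"; then
        echo "FAIL: X server accepts TCP connections on a non-loopback address"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: X access control on, no TCP listener exposed"
    return "$rc"
}
```

Run against the constructed samples, `audit_x_access "$XHOST_OPEN" "$SS_OPEN"` reports both failures and returns 1, while `audit_x_access "$XHOST_SECURE" "$SS_SECURE"` returns 0. The check is deliberately conservative: a listener on any non-loopback address in the display port range is flagged even if a firewall happens to block it, because the thread's point is that the exposure should never be configured in the first place.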