From: Mike Gabriel
To: Alexander Wuerstlein
Cc: Stefan Baur, 354@bugs.x2go.org, Nick Ingegneri
Date: Sat, 07 Dec 2013 20:47:59 +0000
Subject: Re: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf

Hi Stefan, hi Alexander,

On Fri 06 Dec 2013 20:56:00 CET, Alexander Wuerstlein wrote:

> On 13-12-06 19:18, Stefan Baur wrote:
>> On 06.12.2013 18:44, Nick Ingegneri wrote:
>> >Once it became apparent in our testing that exporting displays didn't
>> >work as expected, the system administrator who installed it went through
>> >the configuration files and documentation looking for a solution. He
>> >couldn't find one, so he escalated it to me to look into. If we hadn't
>> >been able to find a fix it would have ruled out X2Go from further
>> >consideration, which would have been unfortunate as it is currently our
>> >leading choice for this particular need.
>>
>> [...]
>> Sorry, but I've seen way too many people go "chmod 777 -R /*" as
>> soon as something doesn't work as expected, and I'm fearing the same
>> for an easily reachable option to allow TCP connections - because
>> "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the
>> filesystem.
>>
>> Of course, everybody is free to shoot him-/herself in the foot,
>> that's why it's Linux - but merely leaving a "this is dangerous"
>> note next to the parameter is like sticking a tag "please don't use
>> this unless you know what you're doing" on a loaded 12-gauge in a
>> room full of toddlers.
>
> There is one more aspect to this: If there is such a configuration
> option, then sooner or later the likes of Linux Mint will enable it by
> default for all their users, leaving them wide open to the whole world,
> despite all the warnings. They did that with 'xhost +'[0].
>
> So I agree that even just having such an option hidden away somewhere
> would be very very bad. It needs to be hard and a lot of work to break
> security or somebody will do it by default and deploy it on a wide
> scale.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
>
> [0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520

From a security point of view: is there really a severe difference in
having to edit x2gostartagent vs. x2goserver.conf as root to enable
TCP listening for x2goagent? If people want to deploy X2Go and need
TCP enabled they will do that anyway. You do not have to rebuild some
binary to make that happen even, you just have to create a custom copy
of x2gostartagent in /usr/local/bin.

@Nick: The above may very well be your workaround...

>> In my opinion, Mike is a bit too customer-friendly here by turning
>> your request into a wishlist item that lets every newbie shoot
>> him-/herself in the foot, security-wise, by toggling a setting in
>> the configuration.

My current focus is to spread X2Go, get more people interested in X2Go
and get more people interested in developing / financing X2Go. If I
hear of a use case that involves hundreds of users, then I am open to
supporting that use case one way or another.

I don't think making TCP-listening configurable is a security problem.
Once you enable that option, you should be aware of what you are
doing. For sure.

The Linux Mint argument does not really count to me, either. As a
package maintainer of a Linux distribution, I can do anything patchy
to the upstream code I like. People with the Linux Mint attitude may
very easily patch x2gostartagent and ship a TCP-listening X2Go Server
by default in their package archive. Wouldn't it make more sense,
having that option configurable from the start then and providing the
switch-off in an obvious place (i.e. a conffile)?

My point is: if you want to enable TCP listening of x2goagent, you
have to switch one line in x2gostartagent. What I propose is a config
parameter for x2goserver.conf that keeps people from nastily hacking
x2gostartagent.

I know several setups in intranet where display managers and X-servers
run in TCP listen mode and for the local network that is ok and
wanted. Of course for X2Go this should not be the default (that's why
we closed down TCP listening earlier when it was still enabled by
accident).

And Nick, I also think that you should seriously consider looking at
the security aspects of your current IT setup. It seems quite hackable
and you should really be sure that all of your staff members are
really good friends (which normally is not the case for everyone at
$WORK).

Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
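
An added example, not part of the message above and not X2Go project code: whichever file carries the switch, an administrator can audit whether any X display is actually listening on TCP beyond loopback. The sketch parses text in /proc/net/tcp layout and assumes IPv4, a little-endian host, and the usual convention that display :N listens on TCP port 6000+N; the sample rows and the function name are constructed for illustration.

```python
import ipaddress
import socket
import struct

X11_BASE, X11_MAX_DISPLAY = 6000, 63   # assumption: display :N -> TCP 6000+N, N in 0..63
LISTEN = "0A"                          # TCP_LISTEN state code in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (little-endian host), not real output.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002
   2: 00000000:17A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003
   3: 0A00000A:17A3 0B00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 1004
"""


def exposed_x11_listeners(proc_net_tcp_text):
    """Return (display, address, port, uid) for X11 TCP listeners not bound to loopback."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue                                  # only listening sockets matter
        hex_addr, hex_port = fields[1].split(":")
        port = int(hex_port, 16)
        display = port - X11_BASE
        if not 0 <= display <= X11_MAX_DISPLAY:
            continue                                  # not an X11 display port
        # The kernel prints the IPv4 address as a host-order 32-bit hex word.
        addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
        if ipaddress.ip_address(addr).is_loopback:
            continue                                  # local-only listener
        findings.append((display, addr, port, int(fields[7])))
    return findings


if __name__ == "__main__":
    for display, addr, port, uid in exposed_x11_listeners(SAMPLE):
        print(f"display :{display} reachable over TCP on {addr}:{port} (uid {uid})")
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE; IPv6 listeners in /proc/net/tcp6 use a different address encoding and are not covered here.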