Subject: Bug#354: [X2Go-Dev] Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf
From: Nick Ingegneri
To: Mike Gabriel, Stefan Baur
Cc: Alexander Wuerstlein, 354@bugs.x2go.org
Date: Sun, 8 Dec 2013 07:13:02 -0800 (PST)
Message-ID: <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>
In-Reply-To: <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de>
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: wontfix

Mike, Stefan, Alexander, et al.,

I was watching this conversation play out before replying.

It isn't going to be fruitful to be pulled into a long discussion about the specifics of our compute environment. There are many assumptions being made in this discussion that aren't correct, and saying "don't use TCP" without knowing these specifics is ignorant. There are industry-standard commercial products that disabling TCP breaks. Our IT department cannot decide to stop supporting TCP; it is the users and our commercial suppliers who determine what IT has to support.

I think that because I used "xhost +" in my original debugging example, the assumption was immediately made that "xhost +" was my primary concern. My primary concern is that disabling TCP breaks almost every possible use model except for one narrow case (ssh). Among other things, it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid concerns regarding use of TCP on the internet, we have a different hierarchy of concerns regarding what happens on our internal network.

One incorrect assumption that is being made in this discussion is that some action to initiate the display can take place on the system the user is logged into, or that the user is even involved in initiating the display. Consider this use model:

1: User's display is system100:24
2: Automated processes, with no user involvement, launch a program on a randomly chosen system (let's say it is system204).
3: The new program running on system204 now has to connect back to the display on system100:24

Personally, the problem is solved for us for at least the moment and we can move forward with what we are trying to do. Having to edit /usr/bin/x2gostartagent every time we install or upgrade the package is inelegant and creates additional administrative overhead, but it is manageable.

This is your project, not mine, I merely came to the mailing list with a problem looking for a solution. I can tell you that our use model is extremely common in industry and that breaking it will render X2Go unusable. Of the five alternatives we are looking at, X2Go was the only one with TCP disabled. Most system administrators trying to set up an evaluation of X2Go aren't typically going to dig further than the documentation and config files in trying to fix this problem. If you make fixing it so obscure that it escapes these system administrators, then X2Go isn't going to get very far in those evaluations.

How accessible or obscure you make this setting is up to you as developers, but saying to users "your use model is wrong" doesn't show appreciation for the diversity of ways that X is used in production.

Cheers,
Nick

On Saturday, December 7, 2013 2:51 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:

Control: tag -1 wontfix
Control: close -1

Hi Stefan,

On Sa 07 Dez 2013 22:30:17 CET, Stefan Baur wrote:

> [...]

> Man, where are my pills, I don't want to go into full Theo de Raadt mode ...

Okokokok... heard!

@Nick: please place a copy of x2gostartagent into /usr/local/bin for a transition period and modify it to your needs. We won't reenable TCP listening in upstream X2Go. For long term usage of X2Go, adapt your workflows to a more secure model.

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31

mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
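The thread turns on whether the X server behind x2goagent should accept TCP connections at all, and on the "xhost +" example from the original report. As an added audit helper (not from the bug thread or the X2Go project), the script below reads `ss -ltnH`-style output and reports which X displays on a host are reachable over TCP (display :N listens on port 6000+N), and checks `xhost` output for the "access control disabled" state that `xhost +` produces; the sample socket and xhost lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helper; not from the bug thread or the X2Go project.
# An X display :N that accepts TCP connections listens on port 6000+N.

# Reads lines in the format of `ss -ltnH` (State Recv-Q Send-Q Local:Port Peer:Port)
# on stdin and prints one line per X display that is reachable over TCP.
x11_tcp_listeners() {
    awk '
        {
            n = split($4, a, ":")   # local address:port, e.g. "0.0.0.0:6024" or "[::]:6024"
            port = a[n]
            if (port ~ /^[0-9]+$/ && port + 0 >= 6000 && port + 0 <= 6063) {
                addr = substr($4, 1, length($4) - length(port) - 1)
                printf "display :%d listening on %s (tcp/%d)\n", port - 6000, addr, port
            }
        }'
}

# Reads `xhost` output on stdin; succeeds when host-based access control is still
# enabled, fails when "xhost +" has disabled it.
xhost_access_control_enabled() {
    ! grep -q '^access control disabled'
}

# Constructed sample output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6024 0.0.0.0:*
LISTEN 0 128 [::]:6024 [::]:*'
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_OK='access control enabled, only authorized clients can connect'

# Usage on a live host would be: ss -ltnH | x11_tcp_listeners ; xhost | xhost_access_control_enabled
printf '%s\n' "$SAMPLE_SS" | x11_tcp_listeners
printf '%s\n' "$SAMPLE_XHOST_OPEN" | xhost_access_control_enabled || echo 'xhost + is in effect'
```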