X2Go Bug report logs - #354
Make x2goagent listening to TCP connections configurable in x2goserver.conf

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 6 Dec 2013 11:33:02 UTC

Severity: wishlist

Tags: pending

Fixed in version 4.0.1.10

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#354: [X2Go-Dev] Bug#354: Things you should know about X
Reply-To: Stefan Baur <newsgroups.mail2@stefanbaur.de>, 354@bugs.x2go.org
Resent-From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Sun, 08 Dec 2013 20:18:01 +0000
Resent-Message-ID: <handler.354.B354.138653344512548@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 354
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: wontfix
Received: via spool by 354-submit@bugs.x2go.org id=B354.138653344512548
          (code B ref 354); Sun, 08 Dec 2013 20:18:01 +0000
Received: (at 354) by bugs.x2go.org; 8 Dec 2013 20:10:45 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,
	SPF_HELO_PASS autolearn=ham version=3.3.2
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171])
	by ymir (Postfix) with ESMTP id B0DD95DB1E
	for <354@bugs.x2go.org>; Sun,  8 Dec 2013 21:10:44 +0100 (CET)
Received: from [192.168.0.3] (dslb-188-099-204-091.pools.arcor-ip.net [188.99.204.91])
	by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis)
	id 0Le960-1VD9EF1XY4-00qieY; Sun, 08 Dec 2013 21:10:43 +0100
Message-ID: <52A4D251.1080508@stefanbaur.de>
Date: Sun, 08 Dec 2013 21:10:57 +0100
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Nable 80 <nable.maininbox@googlemail.com>, 354@bugs.x2go.org, 
 x2go-dev@lists.berlios.de
References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de>	<52A1BBAE.90909@stefanbaur.de>	<20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de>	<52A1C089.3090709@stefanbaur.de>	<1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com>	<52A21285.7090407@stefanbaur.de>	<20131206195600.GA26961@cip.informatik.uni-erlangen.de>	<20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de>	<52A39369.8050408@stefanbaur.de>	<20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de>	<1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>	<52A4C9F2.5090904@stefanbaur.de> <CALxOYEYJYwmwYAJO39sF2avcq=N0jbGwE4Zj-jMcVQc_xyvvyQ@mail.gmail.com>
In-Reply-To: <CALxOYEYJYwmwYAJO39sF2avcq=N0jbGwE4Zj-jMcVQc_xyvvyQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V02:K0:m5o++Dk166HXNYvANqb+EH3fSL0DxrHTCAXpHocDsrA
 cKqGvzqwg9qTYDk5KCbbcNKwDUTm7dfRwLK5Bq7CdoWL+r0sRt
 pwecMfxSDMWaY5BPWEBEU+heYk3H2f4AbB4aC4JOOufUi0zCTb
 5fT2PYotI+b1SJldQH+wEx2ezYyHJq0CDnbTkPMwXAEe6CGe3f
 ETSyPcyX2oYdEG7CsEypHtPTcGg9mEf6VMTgEUcvySD99rjlju
 bN4MLdOtWRmfRz237/eIMStBlvfUZs6pPhIbe8ugeD5mAI+FAP
 OY8Ei+dRX81pu4p16tmLLvhzvb73omDwpFlYAsezgl/dDLJcGE
 esE+gaZC4FHHVEI9Kh7wQp+DX8yW2mGKFjpmrpmOd
Am 08.12.2013 21:05, schrieb Nable 80:
> One should notice that without root ( who would give root access to
> generic employee? except (possibly) on his workstation) you still
> cannot access other users' cookies (except cases when one have too
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> wide permissions or known vulnerabilitites with privelege escalation),
  ^^^^^^^^^^^^^^^^
> so you cannot grab their X sessions, can you?

And here we are again at "Hey, $FOO doesn't work, I'll just do chmod -R 
777 * and see if that makes it work."

Plus, the rogue employee may as well be the admin, and thus have root 
rights on the machine where you're logged in.

-Stefan

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Mar 29 11:40:52 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.