X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#258: [X2Go-User] Limiting clipboard sharing
Reply-To: Kris Ilowiecki <kril@sourcecap.ch>, 258@bugs.x2go.org
Resent-From: Kris Ilowiecki <kril@sourcecap.ch>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 28 Jan 2014 16:20:01 +0000
Resent-Message-ID: <handler.258.B258.139092579422773@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 258
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security
Received: via spool by 258-submit@bugs.x2go.org id=B258.139092579422773
          (code B ref 258); Tue, 28 Jan 2014 16:20:01 +0000
Received: (at 258) by bugs.x2go.org; 28 Jan 2014 16:16:34 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
X-Greylist: delayed 324 seconds by postgrey-1.34 at ymir; Tue, 28 Jan 2014 17:16:33 CET
Received: from mail.sourcecap.ch (mail.sourcecap.ch [])
	by ymir (Postfix) with ESMTP id AE0C65DB13
	for <258@bugs.x2go.org>; Tue, 28 Jan 2014 17:16:33 +0100 (CET)
Received: from [] (kril.rem.sc.int [])
	by mail.sourcecap.ch (Postfix) with ESMTPSA id 61D13320AB;
	Tue, 28 Jan 2014 17:11:09 +0100 (CET)
Message-ID: <52E7D6B8.6070208@sourcecap.ch>
Date: Tue, 28 Jan 2014 17:11:36 +0100
From: Kris Ilowiecki <kril@sourcecap.ch>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: x2go-user@lists.berlios.de
CC: 258@bugs.x2go.org
References: <52E69B93.8010904@sourcecap.ch> <20140128154910.Horde.bz7_7CdkDRplg9xdW4kZbg2@mail.das-netzwerkteam.de>
In-Reply-To: <20140128154910.Horde.bz7_7CdkDRplg9xdW4kZbg2@mail.das-netzwerkteam.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.96 at pmx4
X-Virus-Status: Clean
Hi Mike#1,

On 01/28/2014 04:49 PM, Mike Gabriel wrote:
> There should be two approaches...
>   1) disable clipboard server-side for all users
>   2) disable clipboard in X2Go Client / PyHoca-GUI on the client-side
> The first is easy. Please look at /usr/bin/x2gostartagent of x2goserver
> package and make clipboard configurable via /etc/x2go/x2goserver.conf.
> Send a patch to our BTS [1].

Thank you very much!
The first approach is indeed what is needed in my case.
I will have a look there.

I have been looking through the sources, and my most recent idea was
experimenting with editing /usr/bin/nxagent to run nxagent.bin
with something like "-clipboard no"

I will try the exact approach you are suggesting, though
my bash+awk aren't that good

Many thanks,

> The second approach is for us devs, I guess...
> The workaround provided by Mike#2 is a fine approach, but not a real
> solution to this problem.
> Mike#1
> [1] http://wiki.x2go.org/doku.php/wiki:bugs

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Feb 3 13:57:06 2023; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.