From X2Go-ML-1@baur-itcs.de Fri Nov 7 00:55:41 2014
From: Stefan Baur
To: submit@bugs.x2go.org
Date: Fri, 07 Nov 2014 00:50:55 +0100
Subject: point out that x2gobroker is not a security feature
Message-ID: <545C095F.2020707@baur-itcs.de>

Package: x2gobroker
Severity: wishlist

Please add a prominent note to x2gobroker's man page that it is *not* intended as a security feature - a user can still launch x2goclient without the broker parameter and set it to run any executable the user has exec permission for on the server.

As always, group membership and file permissions *MUST* (MUST as defined in RFC2119 https://www.ietf.org/rfc/rfc2119.txt) be used to limit a user's access to executables on the server.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
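An added example, not part of the original report and not X2Go project code: a POSIX shell audit of the permission rule stated above, listing files under a directory that accounts outside one permitted group could still execute. The function names, the constructed sample tree and the use of the sample files' own gid as the permitted group are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not X2Go code. Checks mode bits and owning group only;
# ACLs and parent-directory permissions are not evaluated.

# audit_exec DIR ALLOWED_GROUP
# Prints one line per regular file under DIR that an account outside
# ALLOWED_GROUP (a group name or numeric gid) is permitted to execute.
audit_exec() {
    dir=$1
    allowed=$2
    # "other" execute bit set: every account on the server may run the file.
    find "$dir" -type f -perm -0001 -exec printf 'world-exec %s\n' {} \;
    # Group execute bit set, but the owning group is not the allowed one.
    find "$dir" -type f -perm -0010 ! -perm -0001 ! -group "$allowed" \
        -exec printf 'wrong-group %s\n' {} \;
}

# file_gid FILE: numeric owning group, read from "ls -n" output.
file_gid() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# make_sample: builds a constructed tree and prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/open_app"
    printf '#!/bin/sh\n' > "$d/restricted_app"
    chmod 0755 "$d/open_app"        # executable by everyone
    chmod 0750 "$d/restricted_app"  # executable by owner and group only
    printf '%s\n' "$d"
}

sample=$(make_sample)
# Treat the group that owns the sample files as the permitted group.
audit_exec "$sample" "$(file_gid "$sample/restricted_app")"
rm -rf "$sample"
```

On a real server, pass the application directory and the group whose members are meant to run it; an empty result means no file there is executable from outside that group by mode bits alone.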