Subject: Bug#666: [X2Go-Dev] Bug#666: point out that x2gobroker is not a security feature
From: Mike Gabriel
To: Stefan Baur, 666@bugs.x2go.org
Date: Thu, 08 Jan 2015 23:44:24 +0000

Hi Stefan,

On Fr 07 Nov 2014 00:50:55 CET, Stefan Baur wrote:

> Package: x2gobroker
> Severity: wishlist
>
> Please add a prominent note to x2gobroker's man page that it is *not*
> intended as a security feature - a user can still launch x2goclient
> without the broker parameter and set it to run any executable the user
> has exec permission for on the server.
>
> As always, group membership and file permissions *MUST* (MUST as
> defined in RFC2119 https://www.ietf.org/rfc/rfc2119.txt) be used to
> limit a user's access to executables on the server.
>
> -Stefan

Do you think you could write down such an additional note for the man
page and send it back to this bug (in plain text)? I will work that
text into the man page then.

Thanks,
Mike

PS: if you will, tag this bug with "patch" once you have sent that
text passage...
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb