X2Go Bug report logs - #666
point out that x2gobroker is not a security feature


Package: x2gobroker; Maintainer for x2gobroker is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2gobroker is src:x2gobroker.

Reported by: Stefan Baur <X2Go-ML-1@baur-itcs.de>

Date: Fri, 7 Nov 2014 00:00:02 UTC

Severity: wishlist

Tags: patch, pending

Fixed in version 0.0.3.0

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.


Subject: Bug#666: point out that x2gobroker is not a security feature
Message-ID: <545C095F.2020707@baur-itcs.de>
Date: Fri, 07 Nov 2014 00:50:55 +0100
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: submit@bugs.x2go.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: x2gobroker
Severity: wishlist

Please add a prominent note to x2gobroker's man page that it is *not*
intended as a security feature - a user can still launch x2goclient
without the broker parameter and set it to run any executable the user
has exec permission for on the server.

As always, group membership and file permissions *MUST* (MUST as
defined in RFC2119 https://www.ietf.org/rfc/rfc2119.txt) be used to
limit a user's access to executables on the server.

- -Stefan

- -- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----
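
An added example, not part of the original report and not X2Go code: a Python audit of which files in a directory a given user may execute, using the group membership and file permission bits that the report says must do the restricting. It assumes plain POSIX mode bits (no ACLs), a non-root user, and a directory the user can already traverse; the function names, file names and ids are constructed for illustration.

```python
import os
import stat
import tempfile


def can_execute(mode, file_uid, file_gid, uid, gids):
    """Execute-bit decision from plain POSIX mode bits (assumes no ACLs, uid != 0).

    Exactly one class applies: owner if the uid matches, else group if any of
    the user's gids matches, else other. A more permissive later class does
    not rescue a denied earlier one.
    """
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def audit(directory, uid, gids):
    """Sorted names of regular files in `directory` that the user may execute."""
    allowed = []
    for entry in os.scandir(directory):
        if not entry.is_file():  # skips directories and broken symlinks
            continue
        st = entry.stat()
        if can_execute(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            allowed.append(entry.name)
    return sorted(allowed)


def demo():
    """Constructed sample: three files audited for a hypothetical non-owner,
    first outside the files' group and then as a member of it."""
    with tempfile.TemporaryDirectory() as d:
        modes = (("open-tool", 0o755), ("staff-tool", 0o750), ("data.txt", 0o644))
        for name, mode in modes:
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        st = os.stat(path)
        other_uid, other_gid = st.st_uid + 1, st.st_gid + 1  # made-up ids
        outsider = audit(d, other_uid, {other_gid})
        member = audit(d, other_uid, {other_gid, st.st_gid})
    return outsider, member


if __name__ == "__main__":
    print(demo())
```

Run against a real directory with a real account's uid and gid set, the list returned by `audit` is what that account can start regardless of which session profiles a broker offers.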


X2Go Developers <owner@bugs.x2go.org>. Last modified: Sun Oct 17 01:18:29 2021; Machine Name: ymir.das-netzwerkteam.de
