X2Go Bug report logs - #819
X2Go Client exposes all (network and local) drives on client-side folder sharing

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Mon, 16 Mar 2015 13:15:02 UTC

Severity: grave

Tags: build-win32

Found in version 4.0.3.2

Subject: Bug#819: X2Go Client exposes all (network and local) drives on client-side folder sharing
From: "Chavez, Christopher A. (Assoc)" <christopher.chavez@nist.gov>
To: "819@bugs.x2go.org" <819@bugs.x2go.org>
Date: Wed, 27 Jul 2016 00:41:07 +0000

I could almost reproduce this issue using client 4.0.5.1, Windows 7 64-bit, and server 4.0.1.19 on Ubuntu 14.04.

I shared a folder from a running session, and the folder appeared as expected as a fuse.sshfs mount: _cygdrive_C_Users_%USERNAME%_SharedFolder (options: rw,nosuid,nodev,default_permissions,user=$USER)

A few minutes later the _cygdrive_ mount appeared (with the same mount options).
However, only the drive corresponding to my %HOMEDRIVE% (which is not C:) had permissions 0700; the other drives (including C:) had permissions 0000, so I could not traverse them. It also did not list any drives that appear in My Computer but are either inaccessible (e.g. disconnected share or insufficient permissions) or do not have media present (e.g. empty CD drive). There are also different permissions between the directories for the intended shared folder mount (0700) and the ~/media/disk/_cygdrive_ mount (0555). chmod is unable to modify the permissions of the drive folders since it does not have write permissions for _cygdrive_, but chmod also cannot add write permission to _cygdrive_ for some reason (which might be expected fuse behavior).

Since the mount options allow_other and allow_root aren't specified, non-root users should not be able to access the files in the intended share mount or the _cygdrive_ mount (it's still possible for other users who can sudo to run sudo -u with your username to access any fuse mounts).

Also, when I go back to Share Folders in the main X2Go Client window, the folder I shared during the session is not listed (although the server is still connected to it).

Christopher A. Chavez
National Institute of Standards and Technology
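
An added example (not part of the original message and not X2Go's own code): a server-side check that lists fuse.sshfs mounts, flags one named exactly `_cygdrive_` as opposed to a single shared folder, and reports whether `allow_other` or `allow_root` is set. The sample mount lines, user name and paths are constructed, and treating `_cygdrive_` as the root of all client drives is an assumption drawn from the mount names in the report.

```python
import os

# Constructed sample in /proc/mounts layout (source, mountpoint, type, options, dump, pass).
# Host, user and paths are made up; the option string follows the one quoted in the report.
SAMPLE_MOUNTS = """\
alice@127.0.0.1:/cygdrive/C/Users/alice/SharedFolder /home/alice/media/disk/_cygdrive_C_Users_alice_SharedFolder fuse.sshfs rw,nosuid,nodev,default_permissions,user=alice 0 0
alice@127.0.0.1:/cygdrive/ /home/alice/media/disk/_cygdrive_ fuse.sshfs rw,nosuid,nodev,default_permissions,user=alice 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def audit_sshfs_mounts(mounts_text):
    """Return one finding dict per fuse.sshfs mount."""
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "fuse.sshfs":
            continue
        mountpoint = unescape(parts[1])
        options = set(parts[3].split(","))
        name = os.path.basename(mountpoint.rstrip("/"))
        findings.append({
            "mountpoint": mountpoint,
            # Assumption: a mount named exactly "_cygdrive_" is the root of all client drives.
            "whole_cygdrive": name.strip("_") == "cygdrive",
            # Without these options FUSE limits access to the mounting user.
            "visible_to_others": bool(options & {"allow_other", "allow_root"}),
            "kernel_perm_checks": "default_permissions" in options,
        })
    return findings

def risky(findings):
    """Mountpoints that expose every client drive rather than one shared folder."""
    return [f["mountpoint"] for f in findings if f["whole_cygdrive"]]

if __name__ == "__main__":
    for finding in audit_sshfs_mounts(SAMPLE_MOUNTS):
        print(finding)
```

On a live server, pass the contents of `/proc/self/mounts` to `audit_sshfs_mounts` instead of the sample.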

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Apr 19 23:05:45 2024; Machine Name: ymir.das-netzwerkteam.de
