[X2go-dev] X2go is insecure

Heinz-M. Graesing x2go-dev at x2go.org
Tue Mar 29 21:19:49 CEST 2011


Hi Dick,

On 29.03.2011 15:35, Dick Kniep wrote:
[snip]
> The problem is caused by the fact that the x2go server does not restrict the commands that can be entered through ssh. This is bad, but what is worse is that the X2go clients actually use this security hole to start any command they need.
[snip]

Thank you for sharing your concerns about the usage of x2go with us. As
some people pointed out before, the execution of commands via ssh is
definitely a feature. Without this capability, x2go wouldn’t work at
all. There is nothing "creepy" about executing commands on the server.
I totally understand that you want to restrict the user from running
vicious commands, but there are really a lot of "philosophies" how to do
that.

An "integrated" solution could be to offer the system a login shell with
a reduced command set.

Maybe a better solution could be to implement a connection to an already
existing project doing that job better than a new attempt (this would be
more the OS way).

As always: this is an Open Source project. This means: feel free to use
it and - if you want to help - please do so.
If you want to submit concerns or bugs it would be very helpful if you
would name them in the subject like:

Wanted: Solution to prohibit remote execution of commands

Regards,

Heinz
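
The "login shell with a reduced command set" idea from the message above, sketched as an added example (not part of the original post and not x2go project code): an sshd forced-command wrapper that lets only allowlisted commands through. The command names in the allowlist, the install path, the `--enforce` switch and the premise that the client sends one plain command per ssh request are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: allowlist wrapper for use as an sshd forced command, e.g.
#   ForceCommand /usr/local/bin/x2go-restrict --enforce   (hypothetical path)
# ASSUMPTION: illustrative allowlist; match it to the server-side commands
# your client version really calls.
ALLOWED_CMDS="x2gostartagent x2goresume-session x2gosuspend-session x2goterminate-session x2golistsessions"
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Return 0 if the requested command line may run, 1 otherwise.
x2go_cmd_allowed() {
    req_line="$1"
    # An empty request means an interactive shell was asked for: refuse.
    [ -n "$req_line" ] || return 1
    # Character allowlist: anything outside it (; | & $ ` quotes, newlines,
    # redirections, globs ...) is refused, so nothing can be chained.
    case "$req_line" in
        *[!A-Za-z0-9_\ ./:=,@+-]*) return 1 ;;
    esac
    req_prog="${req_line%% *}"
    # Bare program names only: no paths, no leading dash.
    case "$req_prog" in
        */*|-*) return 1 ;;
    esac
    for allowed_name in $ALLOWED_CMDS; do
        [ "$req_prog" = "$allowed_name" ] && return 0
    done
    return 1
}

enforce() {
    if ! x2go_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Log the account only; the refused text is attacker-controlled.
        logger -t x2go-restrict "denied request from ${USER:-unknown}" 2>/dev/null || true
        echo "command not permitted" >&2
        return 1
    fi
    PATH=/usr/bin:/bin; export PATH
    # Split on whitespace without globbing; metacharacters were refused
    # above, and exec runs the program directly, not through a shell.
    set -f
    exec $SSH_ORIGINAL_COMMAND
}

if [ "${1:-}" = "--enforce" ]; then
    enforce
    exit $?
fi
```

sshd sets `SSH_ORIGINAL_COMMAND` to the command the client requested whenever `ForceCommand` (or a `command=` option in `authorized_keys`) is in effect; port forwarding and sftp are governed by separate sshd options and are not covered by this wrapper.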


