[X2Go-Dev] x2godesktopsharing: Full Access not available for other users?

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Mon Feb 20 10:07:45 CET 2012


Hi Alex,

On Mo 20 Feb 2012 09:32:31 CET Oleksandr Shneyder wrote:

> Am 19.02.2012 21:14, schrieb Milan Knížek:
>> Hello list!
>>
>> I am a bit confused re. the discrepancy between wiki and actual
>> behaviour of x2godesktopsharing:
>>
>> x the wiki [1] reads that
>>     With the desktopsharing function of X2go you can have full-access
>>     the desktop from somebody else...
>>
>> x when I (USER_B) connect from a remote machine with x2goclient to
>> "local desktop" (USER_A logged in on tty7 of x2goserver), the
>> USER_A's session is shown in the lists of sessions available for
>> sharing, however the button "Full Access" is greyed-out and cannot be
>> clicked. So USER_B is only allowed to view the USER_A's desktop.
>>
>> x having looked at x2godesktopsharing.git/sharetray.cpp, I can see that
>> this is due to "bShadow->SetEnabled ( user==getCurrentUname() );" and
>> have verified that the following patch removes the limitation:
>>
>> ===
>> --- onmainwindow_part2.cpp<---->2011-11-25 13:08:10.000000000 +0100
>> +++ onmainwindow_part2.cpp_mod<>2012-02-19 19:50:36.200838546 +0100
>> @@ -1132,7 +1132,7 @@
>>                           index.row(),
>>                           D_USER ).data().toString();
>>          bShadowView->setEnabled ( true );
>> -        bShadow->setEnabled ( user==getCurrentUname() );
>> +        bShadow->setEnabled ( true );
>>      }
>>  }
>>
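Review bot: On the changed `bShadow->setEnabled` line, passing a constant `true` drops the `user==getCurrentUname()` comparison, which is the only ownership check visible in this hunk, so the "Full Access" button becomes available for every listed session regardless of who owns it. Since this is client UI code it cannot act as the access control in any case (the message itself notes that a remote user can recompile to get rid of the limitation); I would keep the comparison here as the default and move the actual decision to the side that owns the shared desktop, enabling the button only when that side reports full access as granted. Separately, the description names sharetray.cpp and `SetEnabled`, while the diff header is onmainwindow_part2.cpp with `setEnabled`; the description should match the file being patched.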
>> ===
>>
>> Is this intentional behaviour due to the potential security issues
>> mentioned here [2] (anyway, the remote user _can_ recompile the
>> x2goagent to get rid of the limitation)?
>>
>>
>> [1] http://www.x2go.org/wiki:components:desktop-sharing#usage
>> [2]
>> http://comments.gmane.org/gmane.linux.terminal-server.x2go.devel/2437
>>
>> Regards,
>> Milan
>>
>>
>
> I have disabled it, because in my opinion, security risk was just too
> high. At the moment, user can get full access only if connecting to his
> own desktop. Actually, removing such check in x2goclient should not do
> anything.

Ok...

> This check is also included in x2gostartagent.

No, it is not. I can connect to other users' sessions with full-access  
via python-x2go (pyhoca-cli).

> Anyway, if in
> future we want to enable such feature, we should also modify
> x2godesktopsharing and ask user if he gives to other people a full or
> "only view" access. With big, fat, red warning.

That is a great idea. Let the user decide via x2godesktopsharing.  
Milan, are you willing to work on that (with our help)?

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb