[X2Go-Dev] Bug#287: Bug#287: x2goserver allows to connect to ALL X server sessions by default

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Sat Aug 17 20:42:55 CEST 2013


title #287 Linux Mint desktops configured too insecurely for multi-user mode
tag #287 confirmed
tag #287 wontfix
close #287
thanks

Hi all,

On Sa 17 Aug 2013 17:35:24 CEST Stefan Baur wrote:

> Actually, this is not an x2go issue, this is a Linux Mint issue: by
> default, there is a "xhost +" command launched at session startup for all
> users.
>
> If you type "xhost -", then you should see the normal behavior again:
> userB will get a "no desktop found" message if he tries to connect to the x2go
> host.
>
> So, the workaround is to remove the "xhost +" command in the Control Panel >
> Startup Applications for each user,
>
> or completely remove the /etc/xdg/autostart/mint-xhost-plus.desktop
> (but this could come back if the package ubuntu-system-adjustments is
> updated)
>
> or change this file to:
>
> [Desktop Entry]
> Encoding=UTF-8
> Version=1.0
> Name=Xhost +
> Exec=xhost +
> Terminal=false
> Type=Application
> StartupNotify=false
> Terminal=false
> X-MATE-Autostart-enabled=false
> Hidden=true

We (David and I) just figured out the same... (what a race  
condition...). Thanks! What a security leakage if people start using  
Linux Mint in multi-user operation mode (like with X2Go or locally or  
with LTSP).

With xhost + for every user you can launch applications on other  
people's desktops and also read out their clipboards' contents.

/me rarely has to puke at other people's work, but this time... Well, yes.

> note to x2go packages maintainers:
> Maybe this should be an option to check/disable when the x2goserver package
> is installed?

No! We won't work around such grave issues in distributions or in  
other packages. This needs to be immediately fixed in Linux Mint  
upstream.

> Or maybe a warning should be issued if "xhost" is set to + when a user
> connect?

Nope! In default setups no other distro evokes xhost + on session  
startup. This is just insane!!! So we ignore this issue in X2Go  
upstream completely.

Stay away from Linux Mint with X2Go (or actually at all) till this has  
been fixed in Mint.

light+love,
Mike

PS: quote me freely if needed...


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
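Added example, not code from the thread or from X2Go: a small POSIX shell audit that walks XDG autostart directories for .desktop entries whose Exec runs "xhost +" (the mint-xhost-plus.desktop case above) and reports whether each one has been neutralised with Hidden=true as the quoted fix does. The sample autostart directory it builds is constructed for the demo; the file names and the check of `xhost` output are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit XDG autostart dirs for entries
# that run "xhost +" at session start and report whether each is disabled
# with Hidden=true, the fix quoted in the thread.

# Report every .desktop entry under the given directories whose Exec line
# runs xhost with a "+" argument. Prints one line per match and returns 1
# if at least one such entry is still active (not Hidden=true), else 0.
audit_xhost_autostart() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            # "xhost +" drops access control for everyone; "xhost -" does not match.
            if grep -Eq '^Exec=.*xhost[[:space:]]+[+]' "$f"; then
                if grep -Eiq '^Hidden=true[[:space:]]*$' "$f"; then
                    echo "$f: disabled (Hidden=true)"
                else
                    echo "$f: ACTIVE (xhost + runs for every session)"
                    found=1
                fi
            fi
        done
    done
    return "$found"
}
# Check the first line of `xhost` output: with access control disabled it
# reads "access control disabled, clients can connect from any host".
xhost_is_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}
# Constructed sample autostart directory (hypothetical files, not a real
# Mint install) so the script runs offline; prints the directory path.
make_sample_autostart() {
    d=$(mktemp -d)
    printf '[Desktop Entry]\nName=Xhost +\nExec=xhost +\nType=Application\n' \
        > "$d/mint-xhost-plus.desktop"
    printf '[Desktop Entry]\nName=Xhost +\nExec=xhost +\nType=Application\nHidden=true\n' \
        > "$d/mint-xhost-plus-disabled.desktop"
    printf '[Desktop Entry]\nName=Xhost -\nExec=xhost -\nType=Application\n' \
        > "$d/xhost-minus.desktop"
    echo "$d"
}
# Demo on the constructed sample; on a live system call the function with
# /etc/xdg/autostart "$HOME/.config/autostart" instead.
sample=$(make_sample_autostart)
if audit_xhost_autostart "$sample"; then echo "no active xhost + autostart entry"; fi
rm -rf "$sample"
```

On a live session, `xhost_is_open "$(xhost 2>/dev/null | head -n 1)"` returning 0 means the display is open to every local user regardless of what the autostart files say.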