[X2Go-Dev] Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf

Alexander Wuerstlein snalwuer at cip.informatik.uni-erlangen.de
Fri Dec 6 20:56:00 CET 2013


On 13-12-06 19:18, Stefan Baur <newsgroups.mail2 at stefanbaur.de> wrote:
> On 06.12.2013 18:44, Nick Ingegneri wrote:
> >Once it became apparent in our testing that exporting displays didn't
> >work as expected, the system administrator who installed it went through
> >the configuration files and documentation looking for a solution. He
> >couldn't find one, so he escalated it to me to look into. If we hadn't
> >been able to find a fix it would have ruled out X2Go from further
> >consideration, which would have been unfortunate as it is currently our
> >leading choice for this particular need.
> 
> In my opinion, Mike is a bit too customer-friendly here by turning
> your request into a wishlist item that lets every newbie shoot
> him-/herself in the foot, security-wise, by toggling a setting in
> the configuration.
> Sorry, but I've seen way too many people go "chmod 777 -R /*" as
> soon as something doesn't work as expected, and I'm fearing the same
> for an easily reachable option to allow TCP connections - because
> "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the
> filesystem.
> 
> Of course, everybody is free to shoot him-/herself in the foot,
> that's why it's Linux - but merely leaving a "this is dangerous"
> note next to the parameter is like sticking a tag "please don't use
> this unless you know what you're doing" on a loaded 12-gauge in a
> room full of toddlers.

There is one more aspect to this: If there is such a configuration
option, then sooner or later the likes of Linux Mint will enable it by
default for all their users, leaving them wide open to the whole world,
despite all the warnings. They did that with 'xhost +'[0].

So I agree that even just having such an option hidden away somewhere
would be very very bad. It needs to be hard and a lot of work to break
security or somebody will do it by default and deploy it on a wide
scale.



Ciao,

Alexander Wuerstlein.

[0] http://forums.linuxmint.com/viewtopic.php?f=90&t=106520
