[X2Go-Dev] Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Tue Oct 29 13:41:06 CET 2013
Package: x2goclient
Severity: important
In X2Go it is currently possible to replace every command in X2Go
Server by a command of the same name in ~/bin.
An attacker could use this to infiltrate X2Go Client with arbitrary data.
IMHO, we should make sure, X2Go Client only uses system-wide paths
when evoking commands on X2Go Servers.
This, of course, will boycott installing X2Go Server into ~<user>
space, but actually, I prefer a safe setup to such custom installation
tweaks.
Feedback?!?
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 7251 bytes
Desc: ?ffentlicher PGP-Schl?ssel
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20131029/b0e20d29/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20131029/b0e20d29/attachment.pgp>
More information about the x2go-dev
mailing list