[X2Go-Dev] Bug#334: Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Oct 29 14:43:08 CET 2013


clone #334 -1
reassign #334 python-x2go
thanks

Hi all,

On Tue 29 Oct 2013 13:41:06 CET, Mike Gabriel wrote:

> Package: x2goclient
> Severity: important
>
> In X2Go it is currently possible to replace every command in X2Go  
> Server by a command of the same name in ~/bin.
>
> An attacker could use this to infiltrate X2Go Client with arbitrary data.
>
> IMHO, we should make sure, X2Go Client only uses system-wide paths
> when invoking commands on X2Go Servers.
>
> This, of course, will boycott installing X2Go Server into ~<user>  
> space, but actually, I prefer a safe setup to such custom  
> installation tweaks.
>
> Feedback?!?
>
> Mike

This issue also applies to Python X2Go.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
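
One way a client could apply the suggestion in the report above, added here as an example (it is not code from X2Go Client or Python X2Go): the remote command line is built so that lookup happens only in system-wide directories, and a constructed directory layout shows how the lookup result differs. The names `wrap_remote_command`, `resolve`, `demo` and `SYSTEM_PATH` are hypothetical, and `x2golistsessions` is used as the sample command.

```python
import os
import re
import shlex
import shutil
import tempfile

# Assumption: the directories treated as "system-wide" on the X2Go Server.
SYSTEM_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
COMMAND_NAME = re.compile(r"x2go[a-z0-9_-]+")  # bare name, no '/' or shell syntax


def wrap_remote_command(name, args=(), system_path=SYSTEM_PATH):
    """Build the line a client sends over SSH so that `name` is looked up only
    in system_path, whatever PATH the user's login environment exports."""
    if not COMMAND_NAME.fullmatch(name):
        raise ValueError("not a bare X2Go command name: %r" % (name,))
    # env is called by absolute path so that env itself is not found via PATH.
    words = ["/usr/bin/env", "PATH=" + system_path, name, *map(str, args)]
    return " ".join(shlex.quote(w) for w in words)


def resolve(name, path):
    """Return the file a PATH lookup of `name` would run, or None."""
    return shutil.which(name, path=path)


def demo():
    """Constructed layout: a home bin and a system bin that both contain
    x2golistsessions. Returns (hit with the user's PATH, hit with system PATH)."""
    with tempfile.TemporaryDirectory() as root:
        home_bin = os.path.join(root, "home", "alice", "bin")
        sys_bin = os.path.join(root, "usr", "bin")
        for directory in (home_bin, sys_bin):
            os.makedirs(directory)
            script = os.path.join(directory, "x2golistsessions")
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(script, 0o755)
        user_path = home_bin + os.pathsep + sys_bin  # ~/bin first, as reported
        return (os.path.relpath(resolve("x2golistsessions", user_path), root),
                os.path.relpath(resolve("x2golistsessions", sys_bin), root))


if __name__ == "__main__":
    print(demo())
    print(wrap_remote_command("x2golistsessions"))
```

The user's shell startup files are still read on the server before this line runs, so the wrapper addresses PATH lookup only.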