[X2Go-Dev] Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)

29 Oct 2013

      Package: x2goclient
Severity: important
In X2Go it is currently possible to replace every command in X2Go

Server by a command of the same name in ~/bin.
An attacker could use this to infiltrate X2Go Client with arbitrary data.
IMHO, we should make sure, X2Go Client only uses system-wide paths

when evoking commands on X2Go Servers.
This, of course, will boycott installing X2Go Server into ~<user>

space, but actually, I prefer a safe setup to such custom installation

tweaks.
Feedback?!?
Mike
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[X2Go-Dev] Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)

Mike