On 07.12.2013 21:47, Mike Gabriel wrote:
[copying the last paragraph of your mail to the top, b/c this is the most important statement of it]
And Nick, I also think that you should seriously consider looking at the security aspects of your current IT setup. It seems quite hackable and you should really be sure that all of your staff members are really good friends (which normally is not the case for everyone at $WORK).
This, this, and exactly this.
[by Alexander Wuerstlein]
So I agree that even just having such an option hidden away somewhere would be very very bad. It needs to be hard and a lot of work to break security or somebody will do it by default and deploy it on a wide scale.
[from Mike]
From a security point of view: is there really a severe difference in having to edit x2gostartagent vs. x2goserver.conf as root to enable TCP listening for x2goagent?
Yes, there is. Putting it in the config file is convenient for the security-ignorant folks. Disabling security features should never be convenient.
If people want to deploy X2Go and need TCP enabled they will do that anyway. You do not have to rebuild some binary to make that happen even, you just have to create a custom copy of x2gostartagent in /usr/local/bin.
And exactly that means extra work. Most security-ignorant folks are security-ignorant because they are lazy, they just don't want to bother with it. A config file remains in place during package upgrades. With x2gostartagent, they'll have to make sure that their copy in /usr/local/bin gets pulled (And we should make it hard for them, by specifying /usr/bin/x2gostartagent instead of x2gostartagent without a path), or they have to change/patch /usr/bin/x2gostartagent with every new package version.
This means work. This means paying attention. Things that such folks don't like. In fact, if we could, we should make disabling security on X2Go a harder and more complex task than re-writing all those insecure scripts the user might have. Sadly, we can't.
@Nick: The above may very well be your workaround...
And indeed it is, for a short-lived migration path.
In my opinion, Mike is a bit too customer-friendly here by turning your request into a wishlist item that lets every newbie shoot him-/herself in the foot, security-wise, by toggling a setting in the configuration.
My current focus is to spread X2Go, get more people interested in X2Go and get more people interested in developing / financing X2Go. If I hear of a use case that involves hundreds of users, then I am open to supporting that use case one way or another. I don't think making TCP-listening configurable is a security problem. Once you enable that option, you should be aware of what you are doing. For sure.
I'm saying it again, you're being too customer-friendly. In this particular case, the issue can be fixed by locally patching x2gostartagent. With more obscure stuff, you should tell them to contract you or Alex for a forked x2go package and have them pay for the B**ls**t they want. That way, we don't pollute our main codebase with it, plus you get some extra cash.
Man, where are my pills, I don't want to go into full Theo de Raadt mode ...
The Linux Mint argument does not really count to me, either. As a package maintainer of a linux distribution, I can do anything patchy to the upstream code I like. People with the Linux Mint attitude may very easily patch x2gostartagent and ship a TCP-listening X2Go Server by default in their package archive.
See above, it is extra work for them, an extra file outside the config tree that they have to monitor for changes, etc. While we can't stop them, we can at least make it hard for them to follow through with such a plan.
Wouldn't it make more sense, having that option configurable from the start then and providing the switch-off in an obvious place (i.e. a conffile)?
No. Just no.
My point is: if you want to enable TCP listening of x2goagent, you have to switch one line in x2gostartagent. What I propose is a config parameter for x2goserver.conf that keeps people from nastily hacking x2gostartagent.
Again, those who know what they are doing are already able to make the change, and should realize the consequences (having to look for changes in x2gostartagent with every new release).
Those who do not know what they are doing should not be given access to the setting.
There's a reason why you need licenses for firearms, cars, airplanes, etc. - and this is the software equivalent. If one has proven enough coding proficiency to have located the code part in x2gostartagent, one is worthy of being allowed to change it on one's own. If you have to ask here, you should either listen to the more experienced folks telling you not to change it, or pay one of the core developers for a fork, that's my opinion (and not being a core developer myself, flames like "you're a greedy a**h**e that thinks of X2Go users as cash cows ready for milking" directed at me are outright silly, so - shove them, folks).
-Stefan
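
An audit sketch for the two conditions this thread turns on, a local copy of x2gostartagent that shadows the packaged /usr/bin/x2gostartagent and an X display that listens on TCP. It is an added example, not part of the original mail and not X2Go code. The function names, the default port range 6000-6999 (X11 uses TCP port 6000 plus the display number) and the sample `ss -ltn` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not X2Go code): find local overrides of a packaged script
# and TCP listeners in the X11 port range.

# find_overrides NAME PATH_LIST PACKAGED
# Prints every executable NAME found in the colon-separated PATH_LIST
# except the packaged copy. Any output is a local override to review.
find_overrides() (
    name=$1
    packaged=$3
    set -f                      # no globbing while splitting on ':'
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current directory
        candidate="$dir/$name"
        if [ -f "$candidate" ] && [ -x "$candidate" ] &&
           [ "$candidate" != "$packaged" ]; then
            printf '%s\n' "$candidate"
        fi
    done
)

# x11_tcp_listeners [LOW] [HIGH]
# Reads `ss -ltn` output on stdin and prints the local address of each
# listener whose port lies in LOW..HIGH (assumed default 6000..6999).
x11_tcp_listeners() {
    awk -v lo="${1:-6000}" -v hi="${2:-6999}" '
        $1 == "LISTEN" {
            n = split($4, part, ":")   # port is the text after the last colon
            port = part[n] + 0
            if (port >= lo && port <= hi) print $4
        }'
}

# Constructed sample of `ss -ltn` output, used to exercise the parser offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6050       0.0.0.0:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*'

# On a live server:
#   find_overrides x2gostartagent "$PATH" /usr/bin/x2gostartagent
#   ss -ltn | x11_tcp_listeners
```

A listener in that range is only a candidate; confirm which process owns it before treating it as an X display.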