[X2go-dev] x2go security Issues
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Thu Jan 20 23:46:45 CET 2011
Hi Moritz,
On Do 20 Jan 2011 10:24:12 CET Moritz Struebe wrote:
> I am testing PyHoca. One of the problems I came around is, that the
> client checks whether I am in the x2go group - which I'm not. I also
> noticed that some other security-checks are done in the client. I
> believe this is dangerous, because administrators might think that
> these are real security checks, while they can easily be
> circumvented. I believe these checks must be done server-side. That
> way they can also easily be adjusted by administrators.
I only added this check because missing group membership results in
endless spamming of the auth.log file during the login process while
the server load goes up tremendously. Of course, the client software
presumes that the system is set up with default values. I agree that
there actually should be a server script that pre-checks if a user (or
a command) is welcome to the server.
The Qt x2goclient doesn't check this, which raises performance and log
spamming problems once a user logs in that is not allowed to log in.
What other security checks do you refer to?
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
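
A server-side pre-check of the kind discussed in this thread, as an added example that is not part of the original message or of X2Go's own code. It assumes the group is named x2go as in the thread, uses hypothetical function names, and runs on constructed passwd/group-format sample data.

```shell
#!/bin/sh
# Added example. Assumptions: the group is named "x2go" (from the thread);
# function names are hypothetical; input files use passwd(5)/group(5) format.

# in_group USER GROUP PASSWD_FILE GROUP_FILE
# Succeeds if USER exists and has GROUP as primary or supplementary group.
in_group() {
    awk -F: -v user="$1" -v group="$2" '
        phase == 1 { if ($1 == user) { pgid = $4; seen = 1 }; next }
        $1 == group {                       # exact name match, not a prefix
            if (seen && $3 == pgid) ok = 1  # primary group via GID
            n = split($4, m, ",")           # supplementary member list
            for (i = 1; i <= n; i++) if (m[i] == user) ok = 1
        }
        END { exit !(seen && ok) }
    ' phase=1 "$3" phase=2 "$4"
}

# precheck USER PASSWD_FILE GROUP_FILE
# Runs on the server before any session is started; one log line per refusal.
precheck() {
    if in_group "$1" x2go "$2" "$3"; then
        echo "allow $1"
    else
        echo "deny $1: not a member of group x2go" >&2
        return 1
    fi
}

# Constructed sample data, not taken from a real host.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:2000::/home/bob:/bin/sh
carol:x:1003:1003::/home/carol:/bin/sh
EOF
cat > "$demo_dir/group" <<'EOF'
x2go:x:2000:alice
x2gofoo:x:2001:carol
EOF

for u in alice bob carol mallory; do
    precheck "$u" "$demo_dir/passwd" "$demo_dir/group" || true
done
```

Because the decision is made on the server, a modified or different client cannot skip it, and an administrator can change the policy in one place.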