[X2Go-Dev] x2godesktopsharing: Full Access not available for other users?

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Mon Feb 20 10:22:15 CET 2012


Am 20.02.2012 10:07, schrieb Mike Gabriel:
> Hi Alex,
> 
> On Mo 20 Feb 2012 09:32:31 CET Oleksandr Shneyder wrote:
> 
>> Am 19.02.2012 21:14, schrieb Milan Knížek:
>>> Hello list!
>>>
>>> I am a bit confused re. the discrepancy between wiki and actual
>>> behaviour of x2godesktop sharing:
>>>
>>> x the wiki [1] reads that
>>>     With the desktopsharing function of X2go you can have full-access
>>>     the desktop from somebody else...
>>>
>>> x when I (USER_B) connect from a remote machine with x2goclient to
>>> "local desktop" (USER_A logged in on tty7 of x2goserver), the
>>> USER_A's session is shown in the lists of sessions available for
>>> sharing, however the button "Full Access" is greyed-out and cannot be
>>> clicked. So USER_B is only allowed to view the USER_A's desktop.
>>>
>>> x having looked at x2godesktopsharing.git/sharetray.cpp, I can see that
>>> this is due to "bShadow->SetEnabled ( user==getCurrentUname() );" and
>>> have verified that the following patch removes the limitation:
>>>
>>> ===
>>> --- onmainwindow_part2.cpp<---->2011-11-25 13:08:10.000000000 +0100
>>> +++ onmainwindow_part2.cpp_mod<>2012-02-19 19:50:36.200838546 +0100
>>> @@ -1132,7 +1132,7 @@
>>>                           index.row(),
>>>                           D_USER ).data().toString();
>>>          bShadowView->setEnabled ( true );
>>> -        bShadow->setEnabled ( user==getCurrentUname() );
>>> +        bShadow->setEnabled ( true );
>>>      }
>>>  }
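Review bot: hard-coding bShadow->setEnabled ( true ) removes the only ownership comparison visible in this hunk (user==getCurrentUname()), so the Full Access button becomes selectable for every session in the list regardless of who owns it. A button state in the client is not an access control, so I would keep the comparison here and relax it only on a decision made by the desktop owner on the sharing side, not with a constant true. Separately, the diff headers name onmainwindow_part2.cpp while the message refers to sharetray.cpp; the description should name the file that is actually patched.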
>>>
>>> ===
>>>
>>> Is this intentional behaviour due to the potential security issues
>>> mentioned here [2] (anyway, the remote user _can_ recompile the
>>> x2goagent to get rid of the limitation)?
>>>
>>>
>>> [1] http://www.x2go.org/wiki:components:desktop-sharing#usage
>>> [2]
>>> http://comments.gmane.org/gmane.linux.terminal-server.x2go.devel/2437
>>>
>>> Regards,
>>> Milan
>>>
>>>
>>
>> I have disabled it, because in my opinion, the security risk was just too
>> high. At the moment, a user can get full access only if connecting to his
>> own desktop. Actually, removing such a check in x2goclient should not do
>> anything.
> 
> Ok...
> 
>> This check is also included in x2gostartagent.
> 
> No, it is not. I can connect to other users' sessions with full-access
> via python-x2go (pyhoca-cli).

It is not good. Giving such access to foreign people is just too risky.
I think 90% of all users will not understand it. For example, a
perpetrator can manipulate the .Xauthority file.

>> Anyway, if in
>> the future we want to enable such a feature, we should also modify
>> x2godesktopsharing and ask the user if he gives other people full or
>> "only view" access. With a big, fat, red warning.
> 
> That is a great idea. Let the user decide via x2godesktopsharing. Milan,
> are you willing to work on that (with our help)?
> 
> Greets,
> Mike
> 


-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home
