wiki:security:start

Differences

This shows you the differences between two versions of the page.

wiki:security:start [2011/04/27 16:59]
morty [SQLite]
wiki:security:start [2014/01/08 10:20] (current)
sunweaver [SQLite]
Line 1: Line 1:
 +~~NOTOC~~
 +====== Thoughts on Security ======
 +===== Session Database Backends =====
 +==== PostgreSQL ====
  
-====== Database Access ====== 
-===== Postgres ===== 
-<note>No known exploits</note> 
-Security on database Level 
  
-===== SQLite ===== +  * In X2Go Server versions prior to 4.0.1.12 (or 4.0.0.10 for the Baikal LTS release branch), there used to be [[http://www.cvedetails.com/cve/CVE-2013-7261|root exploit]] that got reported and fixed around X-mas 2013.
-<note>No known exploits</note> +
-  - Change to x2go-user using suid-perlThis is needed as there is common database. +
-  Prepared statements should make things safe.+
  
  
-====== x2goprint ======+==== SQLite ==== 
 + 
 +  * In X2Go Server versions prior to 4.0.1.12 (or 4.0.0.10 for the Baikal LTS release branch), there used to be a [[http://www.cvedetails.com/cve/CVE-2013-7261|root exploit]] that got reported and fixed around X-mas 2013. 
 + 
 +   
 + 
 +====== X2Go client-side Printing ======
 <note important>Might be exploited if someone becomes x2goprint-user</note> <note important>Might be exploited if someone becomes x2goprint-user</note>
  
-  - The Cups-server connects the x2go-Server as x2goprint-user using ssh-key auth. +  - X2goServer == CUPS Server, latest implementation (as of 20110909):  
-  - x2goprint-user executes sudo to chenge the ownership of the pdf-file. +      - cups-x2go CUPS backend runs as root 
-    * This script can currently be exploited. +      - as root the backend launches x2goprint (without sudo!!!) 
-    * If someone becomes x2goprint he might become root.+      - x2goprint script changes owner ship of PDF file and pushes it into SSHFS share towards the X2go client. 
 +        * using X2go printing locally (X2go server == CUPS server) then security (sudo) is not an issue any more(?) 
 +          * Nope still is (not a big one, though): Using CUPS the user can easily be faked, allowing to fill someone else's quota or print at their home printer. 
 +  - X2goServer != CUPS Server: 
 +    - The Cups-server connects the x2go-Server as x2goprint-user using ssh-key auth. 
 +    - x2goprint-user executes sudo to change the ownership of the PDF file and pushes it into SSHFS share towards the X2go client
 +      * This script can currently be exploited. 
 +      * If someone becomes x2goprint he might become root.
  
 +===== Possible solution 1 =====
 +  * Start a local cups-server for every user
 +  * Server listens on a File-socket owned by the user
 +  * Add a PDF-Printer to that server (as the cups-user runs as that user, there **should** be no issues with file permissions)
 +  * Import printers from global server
 +  * + Secure solution, as no other user is involved
 +  * - Every user needs an extra instance (The extra memory usage should not be too much)
 +
 +===== Possible solution 2 =====
 +  * Write a simple C-Program 'x2goprinter' that is run as the user who wants to print unsing the s-Bit
 +  * The Program writes stdin to argv[1] in the printing-directory
 +  * It also checks whether the user is x2goprint or root
 +  * + Can be easily adopted
 +  * - x2goprint must be installed by the client
 +  * - s-bit -> Needs security checks
 ====== Pulseaudio ====== ====== Pulseaudio ======
-<note>No known exploits / Needs review</note>+<note>No known exploits / Privacy issues</note>
  
   * Currently Pulse-Audio authentication using a cookie-file is used.   * Currently Pulse-Audio authentication using a cookie-file is used.
   * No option of encryption, but can be tunneled via SSH.   * No option of encryption, but can be tunneled via SSH.
 +  * When using the TCE the client has only one user. Therefore the following user may get sounds from the previous, suspended user, if not tunneling pulseaudio.
 +
 +===== Solution for privacy =====
 +  * Start pulse-audio server on the server
 +  * use sink-tunnel to tunnel to the clinet
 +  * Disconnect sink on suspend
 +  * Send sound to null-dev
 +  * This also solves issues if the client get disconnected unexpectedly.
  
-====== x2goagent ====== +Morty: I looked into this recently (End of 2011). Unfortunately, due to the buffering done on the serverthis might start to "swing" (playback getting faster and slower again and again). 
-<note>Needs review</note> +
-  * Is it possible to hijack an x2go-session? If yeshow? What can we do about it? +
  
 +====== X2Go Agent ======
  
 +  * [[http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=147d22c44167b9b2d4afbdaf17262555a7af713b|This issue has been fixed]]: x2goagent/nxagent opens a port 6050+ and binds to all network interfaces. This should be tweaked so that x2goagent/nxagent binds to localhost only. Refer to: http://article.gmane.org/gmane.linux.terminal-server.x2go.user/430
 +  * Now, only for XDMCP session the listening port 6050+ is opened (otherwise XDMCP queries do fail)
 +  * If people need x2goagent listening on TCP, it can also be re-enabled in ''/etc/x2go/x2goagent.options''.
 +  
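Review bot: In the added "Possible solution 2" list, the s-bit helper is described as writing stdin to argv[1] in the printing directory, yet the only safeguard named is the caller check ("checks whether the user is x2goprint or root"). The "Needs security checks" item should state that argv[1] must be restricted to a plain file name inside that directory, because the output path of a setuid program is taken from caller-supplied input here. Separately, the unchanged `<note important>` at the top of the printing section still speaks only of someone becoming x2goprint-user, while the new "X2goServer == CUPS Server" item says the root backend launches x2goprint without sudo; the note would be clearer if it said which of the two setups it covers. Minor: the new PostgreSQL bullet drops the article "a" before the root exploit link that the SQLite bullet has, and "owner ship", "unsing" and "clinet" are typos in added lines.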
wiki/security/start.1303923598.txt.gz · Last modified: 2013/03/08 13:31 (external edit)