Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Hi Milan, On Mi 22 Feb 2012 07:17:32 CET Milan Knížek wrote: V Tue, 21 Feb 2012 10:47:25 +0100 Mike Gabriel mike.gabr...@das-netzwerkteam.de napsáno: Hello Mike, Hi Milan, My suggestion for the red alert sign in x2godesktopsharing is: o there is a list of users that are allowed w/o confirmation to share someone's desktop. - only use this list for view-only access o for full access desktop sharing always let the confirmation dialog pop-up o for full access add some extra artwork/information to the confirmation dialog o have another icon for full access mode then for view-only mode (there is this X2Go eye in blueish colours. This could be red!?) With this arrangement we can reuse much of the stuff already there and still make the applet more secure (as it makes the user more aware of what she/he is doing). Any further ideas? Feedback? Criticism? If not, do you want to start on any of the above aspects? I will open up a branch in Git and I will commit anything you come up with. Currently, I feel more like a reviewer and proof-reader but that might change was you send your first drafts. Is that ok with you? I will try to start with the first two points - let's agree to open a separate branch on the server once I come with some patches, okay? Absolutely. So be it. I have released x2godesktopsharing as is today, so we can build on top of that version. Update your Git working copy, please. Mike -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0xB588399B mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb pgpOGGWEQCc5u.pgp Description: Digitale PGP-Unterschrift ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Hi Milan, On Mo 20 Feb 2012 21:12:59 CET Milan Knížek wrote: V Mon, 20 Feb 2012 10:07:45 +0100 Mike Gabriel mike.gabr...@das-netzwerkteam.de napsáno: Hello Mike and Saša, Hi Alex, On Mo 20 Feb 2012 09:32:31 CET Oleksandr Shneyder wrote: Anyway, if in future we want to enable such feature, we should also modify x2godesktopsharing and ask user if he give to other people a full or only view access. With big, fat, red warning. That is a great idea. Let the user decide via x2godesktopsharing. Milan, are you willing to work on that (with our help)? Well, with my (lack of) programming skills this might take a while - Gut Ding braucht Weile ;-) Yeah!!! Anyway, I am willing to learn a few bits about C++ and Qt, hence I at least start reading tutorials and the x2go code and see what my chances are. My suggestion for the red alert sign in x2godesktopsharing is: o there is a list of users that are allowed w/o confirmation to share someone's desktop. - only use this list for view-only access o for full access desktop sharing always let the confirmation dialog pop-up o for full access add some extra artwork/information to the confirmation dialog o have another icon for full access mode then for view-only mode (there is this X2Go eye in blueish colours. This could be red!?) With this arrangement we can reuse much of the stuff already there and still make the applet more secure (as it makes the user more aware of what she/he is doing). Any further ideas? Feedback? Criticism? If not, do you want to start on any of the above aspects? I will open up a branch in Git and I will commit anything you come up with. Currently, I feel more like a reviewer and proof-reader but that might change was you send your first drafts. Is that ok with you? Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0xB588399B mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb pgpl5Du3BdR1d.pgp Description: Digitale PGP-Unterschrift ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
V Tue, 21 Feb 2012 10:47:25 +0100 Mike Gabriel mike.gabr...@das-netzwerkteam.de napsáno: Hello Mike, Hi Milan, My suggestion for the red alert sign in x2godesktopsharing is: o there is a list of users that are allowed w/o confirmation to share someone's desktop. - only use this list for view-only access o for full access desktop sharing always let the confirmation dialog pop-up o for full access add some extra artwork/information to the confirmation dialog o have another icon for full access mode then for view-only mode (there is this X2Go eye in blueish colours. This could be red!?) With this arrangement we can reuse much of the stuff already there and still make the applet more secure (as it makes the user more aware of what she/he is doing). Any further ideas? Feedback? Criticism? If not, do you want to start on any of the above aspects? I will open up a branch in Git and I will commit anything you come up with. Currently, I feel more like a reviewer and proof-reader but that might change was you send your first drafts. Is that ok with you? I will try to start with the first two points - let's agree to open a separate branch on the server once I come with some patches, okay? Regards, Milan -- http://www.milan-knizek.net/ About linux and photography (Czech only) O linuxu a fotografování signature.asc Description: PGP signature ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Am 19.02.2012 21:14, schrieb Milan Knížek: Hello list! I am a bit confused re. the discrepancy between wiki and actual behaviour of x2godesktop sharing: x the wiki [1] reads that With the desktopsharing function of X2go you can have full-access the desktop from somebody else... x when I (USER_B) connect from a remote machine with x2goclient to local desktop (USER_A logged in on tty7 of x2goserver), the USER_A's session is shown in the lists of sessions available for sharing, however the button Full Access is greyed-out and cannot be clicked. So USER_B is only allowed to view the USER_A's deskto. x having looked at x2godesktopsharing.git/sharetray.cpp, I can see that this is due to bShadow-SetEnabled ( user==getCurrentUname() ); and have verified that the following patch removes the limitation: === --- onmainwindow_part2.cpp2011-11-25 13:08:10.0 +0100 +++ onmainwindow_part2.cpp_mod2012-02-19 19:50:36.200838546 +0100 @@ -1132,7 +1132,7 @@ index.row(), D_USER ).data().toString(); bShadowView-setEnabled ( true ); -bShadow-setEnabled ( user==getCurrentUname() ); +bShadow-setEnabled ( true ); } } === Is this intentional behaviour due to the potential security issues mentioned here [2] (anyway, the remote user _can_ recompile the x2goagent to get rid of the limitation)? [1] http://www.x2go.org/wiki:components:desktop-sharing#usage [2] http://comments.gmane.org/gmane.linux.terminal-server.x2go.devel/2437 Regards, Milan I have disabled it, because in my opinion, security risk was just to high. At the moment, user can get full access only if connecting to his own desktop. Actually, removing such check in x2goclient should not do anything. This check is also included in x2gostartagent. Anyway, if in future we want to enable such feature, we should also modify x2godesktopsharing and ask user if he give to other people a full or only view access. With big, fat, red warning. regards -- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team email: oleksandr.shney...@obviously-nice.de web: www.obviously-nice.de -- X2go - everywhere@home signature.asc Description: OpenPGP digital signature ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Am 20.02.2012 10:07, schrieb Mike Gabriel: Hi Alex, On Mo 20 Feb 2012 09:32:31 CET Oleksandr Shneyder wrote: Am 19.02.2012 21:14, schrieb Milan Knížek: Hello list! I am a bit confused re. the discrepancy between wiki and actual behaviour of x2godesktop sharing: x the wiki [1] reads that With the desktopsharing function of X2go you can have full-access the desktop from somebody else... x when I (USER_B) connect from a remote machine with x2goclient to local desktop (USER_A logged in on tty7 of x2goserver), the USER_A's session is shown in the lists of sessions available for sharing, however the button Full Access is greyed-out and cannot be clicked. So USER_B is only allowed to view the USER_A's deskto. x having looked at x2godesktopsharing.git/sharetray.cpp, I can see that this is due to bShadow-SetEnabled ( user==getCurrentUname() ); and have verified that the following patch removes the limitation: === --- onmainwindow_part2.cpp2011-11-25 13:08:10.0 +0100 +++ onmainwindow_part2.cpp_mod2012-02-19 19:50:36.200838546 +0100 @@ -1132,7 +1132,7 @@ index.row(), D_USER ).data().toString(); bShadowView-setEnabled ( true ); -bShadow-setEnabled ( user==getCurrentUname() ); +bShadow-setEnabled ( true ); } } === Is this intentional behaviour due to the potential security issues mentioned here [2] (anyway, the remote user _can_ recompile the x2goagent to get rid of the limitation)? [1] http://www.x2go.org/wiki:components:desktop-sharing#usage [2] http://comments.gmane.org/gmane.linux.terminal-server.x2go.devel/2437 Regards, Milan I have disabled it, because in my opinion, security risk was just to high. At the moment, user can get full access only if connecting to his own desktop. Actually, removing such check in x2goclient should not do anything. Ok... This check is also included in x2gostartagent. No, it is not. I can connect to other users' sessions with full-access via python-x2go (pyhoca-cli). It is not good. Giving such access to foreign people is just too risky. I think 90% of all users will not understand it. For example, perpetrator can manipulate .Xauthority file. Anyway, if in future we want to enable such feature, we should also modify x2godesktopsharing and ask user if he give to other people a full or only view access. With big, fat, red warning. That is a great idea. Let the user decide via x2godesktopsharing. Milan, are you willing to work on that (with our help)? Greets, Mike ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev -- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team email: oleksandr.shney...@obviously-nice.de web: www.obviously-nice.de -- X2go - everywhere@home signature.asc Description: OpenPGP digital signature ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Hi Alex, On Mo 20 Feb 2012 10:22:15 CET Oleksandr Shneyder wrote: No, it is not. I can connect to other users' sessions with full-access via python-x2go (pyhoca-cli). It is not good. Giving such access to foreign people is just too risky. I think 90% of all users will not understand it. For example, perpetrator can manipulate .Xauthority file. So we need the big red sign and the confirmation dialog in x2godesktopsharing ASAP, I guess? From an administrator's point of view the full-access desktop sharing is a real want as it can be used instead of x11vnc or similar stuff... Mike -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0xB588399B mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb pgpe06qTBxf3x.pgp Description: Digitale PGP-Unterschrift ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Am 20.02.2012 10:28, schrieb Mike Gabriel: Hi Alex, On Mo 20 Feb 2012 10:22:15 CET Oleksandr Shneyder wrote: No, it is not. I can connect to other users' sessions with full-access via python-x2go (pyhoca-cli). It is not good. Giving such access to foreign people is just too risky. I think 90% of all users will not understand it. For example, perpetrator can manipulate .Xauthority file. So we need the big red sign and the confirmation dialog in x2godesktopsharing ASAP, I guess? From an administrator's point of view the full-access desktop sharing is a real want as it can be used instead of x11vnc or similar stuff... Mike yes -- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team email: oleksandr.shney...@obviously-nice.de web: www.obviously-nice.de -- X2go - everywhere@home signature.asc Description: OpenPGP digital signature ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
[X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Hello list! I am a bit confused re. the discrepancy between wiki and actual behaviour of x2godesktop sharing: x the wiki [1] reads that With the desktopsharing function of X2go you can have full-access the desktop from somebody else... x when I (USER_B) connect from a remote machine with x2goclient to local desktop (USER_A logged in on tty7 of x2goserver), the USER_A's session is shown in the lists of sessions available for sharing, however the button Full Access is greyed-out and cannot be clicked. So USER_B is only allowed to view the USER_A's deskto. x having looked at x2godesktopsharing.git/sharetray.cpp, I can see that this is due to bShadow-SetEnabled ( user==getCurrentUname() ); and have verified that the following patch removes the limitation: === --- onmainwindow_part2.cpp2011-11-25 13:08:10.0 +0100 +++ onmainwindow_part2.cpp_mod2012-02-19 19:50:36.200838546 +0100 @@ -1132,7 +1132,7 @@ index.row(), D_USER ).data().toString(); bShadowView-setEnabled ( true ); -bShadow-setEnabled ( user==getCurrentUname() ); +bShadow-setEnabled ( true ); } } === Is this intentional behaviour due to the potential security issues mentioned here [2] (anyway, the remote user _can_ recompile the x2goagent to get rid of the limitation)? [1] http://www.x2go.org/wiki:components:desktop-sharing#usage [2] http://comments.gmane.org/gmane.linux.terminal-server.x2go.devel/2437 Regards, Milan -- http://www.milan-knizek.net/ About linux and photography (Czech only) O linuxu a fotografování ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Re: [X2Go-Dev] x2godesktopsharing: Full Access not available for other users?
Oops, made few mistakes in package names, corrected below. Sorry, Milan V Sun, 19 Feb 2012 21:14:30 +0100 Milan Knížek knizek.co...@gmail.com napsáno: Hello list! I am a bit confused re. the discrepancy between wiki and actual behaviour of x2godesktop sharing: x the wiki [1] reads that With the desktopsharing function of X2go you can have full-access the desktop from somebody else... x when I (USER_B) connect from a remote machine with x2goclient to local desktop (USER_A logged in on tty7 of x2goserver), the USER_A's session is shown in the lists of sessions available for sharing, however the button Full Access is greyed-out and cannot be clicked. So USER_B is only allowed to view the USER_A's deskto. x having looked at x2godesktopsharing.git/sharetray.cpp, I can see x2goclient.git/onmainwindow_part2.cpp that this is due to bShadow-SetEnabled ( user==getCurrentUname() ); and have verified that the following patch removes the limitation: === --- onmainwindow_part2.cpp2011-11-25 13:08:10.0 +0100 +++ onmainwindow_part2.cpp_mod2012-02-19 19:50:36.200838546 +0100 @@ -1132,7 +1132,7 @@ index.row(), D_USER ).data().toString(); bShadowView-setEnabled ( true ); -bShadow-setEnabled ( user==getCurrentUname() ); +bShadow-setEnabled ( true ); } } === Is this intentional behaviour due to the potential security issues mentioned here [2] (anyway, the remote user _can_ recompile the x2goagent to get rid of the limitation)? ^ x2goclient [1] http://www.x2go.org/wiki:components:desktop-sharing#usage [2] http://comments.gmane.org/gmane.linux.terminal-server.x2go.devel/2437 Regards, Milan -- http://www.milan-knizek.net/ About linux and photography (Czech only) O linuxu a fotografování ___ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev