[pkg-x2go-devel] Bug#714775: nx-libs-lite: NX/X2go apparently directly connects (parts of?) the remove with the local X

Tue Jul 2 18:21:59 UTC 2013

Source: nx-libs-lite
Version: 3.5.0.20-2
Severity: important

Hi.

A recent discussion[0] at turned (to my very big suprise) out, that
NX/X2Go doesn't work like VNC/RDP (i.e. that it more or less sends the
pixbuffers which are locally drawin), but rather that there is some direct
injection of the remote's X clients X protocol into the local X server.

At upstream it was compared with running "ssh -X" respectively
plain X forwarding (after some xauth)...

As we all know, plain X forwarding has many serious security implications,
which basically means that no sane person will/should ever use it unless
the remote host is fully trusted.

To my understanding, this is typically not the case with VNC/RDP/NX... people
often use it to connect to systems out of their control.
Moroever, I guess many people expect NX to work conceptually more like
VNC/RDP, i.e. just drawing images (in a very sophisticated way), which is
probably more secure[1] than directly going into the X server.

a) I started a discussion upstream, whether one could make this somehow
better/more secure (my poor man's understanding would be that using a nested
X server (like Xephyr) for the communication with the remote NX could perhaps
help - but that's just guessing)... but it will at least take a lot of time
until anything comes out there (if at all).

b) To tell people about what really happens, I think the Debian package
should include a warning in the package description, that NX/X2go technology
is much more like plain X forwarding, with all its security implications.

In the case of the nx-libs-lite source package, this should IMHO go to at
least:
nxproxy, libxcomp3

Thanks,
Chris.

[0] http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=258
[1] Obviously secure for the local server - I don't talk about the network
communication between remote and local server which is pretty bad for VNC/RDP,
unless tunneled.