-ac Insecure setting in the default VNC configuration

[itamarjp]

what do you think about ?

https://bugzilla.redhat.com/show_bug.cgi?id=1105202

[itamarjp]

In a fresh install of xrdp-0.6.1-2.fc20.x86_64, the file /etc/xrdp/sesman.ini says:

[Xvnc]
param1=-bs
param2=-ac
param3=-nolisten
param4=tcp
param5=-localhost
param6=-dpi
param7=96

Where (according to Xserver(1)):

   -ac     disables  host-based access control mechanisms.  Enables access
           by any host, and permits any host to modify the access  control
           list.   Use with extreme caution.  This option exists primarily
           for running test suites remotely.

This seems like a very bad idea. It would allow anyone with an account on the system to connect to the session of someone who is logged in via xrdp.

[itamarjp]

more info here,
https://bugzilla.redhat.com/show_bug.cgi?id=1105202

[mirabilos]

We’d prefer to do something with xauth here, so that users can contact their own X sessions locally (even from another channel, e.g. by ssh’ing in), but others can’t access them, while keeping the xrdp dæmon running as xrdp user.

Is this possible? I don’t know enough about how the actual sessions are started to comment. If so, I could probably hack it (I’ve done xauth work for an Xnest wrapper in the past).

[metalefty]

-ac option has been removed in #504.