[X2Go-Dev] Use perl -T (taint) with x2goserver scripts
Mihai Moldovan
ionic at ionic.de
Wed Apr 8 06:37:38 CEST 2015
On 08.04.2015 03:30 AM, Orion Poplawski wrote:
> I'm thinking that x2go's server scripts should use perl's "-T" taint
> mode to prevent searching user's paths and otherwise improve security.
> Thoughts?
Good idea! I'm in favor of this and will dig into that when I have spare
time.
However, there's more to that than just enabling taint mode, by a quick
glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
That is, we actually have to make sure that the scripts still *work in
taint mode* prior to just blindly enabling it.
We're also using at least one setuid script, which deserves special care
to make sure it continues to work.
Mihai
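
What "still work in taint mode" involves in practice, as an added example that is not part of the original message and is not x2goserver code. The id format and the names `untaint_id` and `run_echo` are hypothetical, and the input strings are constructed samples.

```perl
#!/usr/bin/perl -T
# Run as an executable file or with "perl -T"; -T must be in effect from startup.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to start external commands while PATH and the
# shell-related variables still hold values inherited from the caller.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical validator: accept only a short id of letters, digits, '_' and '-'.
# Returning a regex capture is what clears the taint flag.
sub untaint_id {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return $1;
}

# A sink that taint mode guards: a command line built from a variable.
sub run_echo {
    my ($arg) = @_;
    my $ok = eval { system("/bin/echo session $arg") == 0 };
    return $ok ? 'ran' : 'refused: ' . ($@ || "exit status $?");
}

# Constructed sample input. A zero-length slice of $0 and $^X is appended so the
# strings carry taint the way @ARGV or %ENV values would.
my $taint   = substr($0 . $^X, 0, 0);
my @samples = map { $_ . $taint } ('demo-50-1428467858', 'demo; echo injected');

for my $raw (@samples) {
    printf "input %-22s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;
    my $id = untaint_id($raw);
    if (!defined $id) {
        print "  rejected by validator, never reaches the shell\n";
        next;
    }
    # The same text is refused while tainted and accepted once validated.
    print "  raw value:       ", run_echo($raw), "\n";
    print "  validated value: ", run_echo($id), "\n";
}
```

Every place a script passes caller-supplied data to a command, file open for writing, or similar operation needs this kind of validation before `-T` can be switched on without breaking it.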