[X2Go-Dev] Use perl -T (taint) with x2goserver scripts
ionic at ionic.de
Wed Apr 8 06:37:38 CEST 2015
On 08.04.2015 03:30 AM, Orion Poplawski wrote:
> I'm thinking that x2go's server scripts should use perl's "-T" taint
> mode to prevent searching user's paths and otherwise improve security.
Good idea! I'm in favor of this and will dig into that when having spare
However, there's more to that than just enabling taint mode, by a quick
glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
That is, we actually have to make sure that the scripts still *work in
taint mode* prior to just blindly enabling it.
We're also using at least one setuid script, which deserves special care
to make sure it continues to work.
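To illustrate the point made in the message that a script has to be adapted before it works under taint mode, here is an added example (not code from the x2goserver scripts or from the message's author). The function name `untaint_identifier`, the accepted character set and the sample argument are assumptions chosen for the illustration.

```perl
#!/usr/bin/perl -T
# Added illustration of what a script needs before it runs under -T.
# Not taken from x2goserver; names and patterns here are hypothetical.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, system/exec/backticks die with "Insecure $ENV{PATH}" until PATH
# is set to a fixed value, and with "Insecure $ENV{...}" while any of the
# shell-influencing variables below are still inherited from the caller.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Data from @ARGV, %ENV, file input etc. is tainted. The only way to untaint
# it is to extract it through a regex capture, so the pattern must be a strict
# allow-list anchored with \A and \z (hypothetical format, adjust per script).
sub untaint_identifier {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9._-]{1,128})\z/;
    return undef;    # reject anything outside the allow-list
}

# Fall back to a constructed sample value when no argument is given.
my $raw = @ARGV ? $ARGV[0] : 'constructed-sample-50';
printf "input tainted:  %s\n", tainted($raw) ? 'yes' : 'no';

my $id = untaint_identifier($raw);
die "rejected identifier\n" unless defined $id;
printf "result tainted: %s\n", tainted($id) ? 'yes' : 'no';

# List-form system() bypasses the shell, so metacharacters in arguments are
# never interpreted; with a tainted argument this call would die instead.
system('/bin/echo', 'identifier accepted:', $id) == 0
    or die "echo failed: $?\n";
```

Because `-T` is on the `#!` line, the script has to be executed directly or started as `perl -T script.pl`; plain `perl script.pl` aborts with a message that `-T` must also be given on the command line.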