[X2Go-Dev] Use perl -T (taint) with x2goserver scripts

Mihai Moldovan ionic at ionic.de
Wed Apr 8 06:37:38 CEST 2015

On 08.04.2015 03:30 AM, Orion Poplawski wrote:
> I'm thinking that x2go's server scripts should use perl's "-T" taint
> mode to prevent searching user's paths and otherwise improve security.
> Thoughts?

Good idea! I'm in favor of this and will dig into that when having spare

However, there's more to that than just enabling taint mode, by a quick
glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode

That is, we actually have to make sure that the scripts still *work in
taint mode* prior to just blindly enabling it.

We're also using at least one setuid script, which deserves special care
to make sure it continues to work.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150408/8a220f2d/attachment.pgp>

More information about the x2go-dev mailing list