[X2Go-Dev] Use perl -T (taint) with x2goserver scripts
mike.gabriel at das-netzwerkteam.de
Wed Apr 8 07:52:16 CEST 2015
On Mi 08 Apr 2015 06:37:38 CEST, Mihai Moldovan wrote:
> On 08.04.2015 03:30 AM, Orion Poplawski wrote:
>> I'm thinking that x2go's server scripts should use perl's "-T" taint
>> mode to prevent searching user's paths and otherwise improve security.
> Good idea! I'm in favor of this and will dig into that when having spare
/me is also in favour of this.
> However, there's more to that than just enabling taint mode, by a quick
> glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
> That is, we actually have to make sure that the scripts still *work in
> taint mode* prior to just blindly enabling it.
> We're also using at least one setuid script, which deserves special care
> to make sure it continues to work.
libx2go-server-db-sqlite3-wrapper (or x2gosqlitewrapper on the 4.0.1.x
branch) is a setgid-x2gouser-binary-wrapper-around-a-Perl-script, to
be more precise here.
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 819 bytes
Desc: Digitale PGP-Signatur
More information about the x2go-dev