[X2Go-Dev] Use perl -T (taint) with x2goserver scripts

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Wed Apr 8 07:52:16 CEST 2015


Hi Mihai,

On Wed 08 Apr 2015 06:37:38 CEST, Mihai Moldovan wrote:

> On 08.04.2015 03:30 AM, Orion Poplawski wrote:
>> I'm thinking that x2go's server scripts should use perl's "-T" taint
>> mode to prevent searching user's paths and otherwise improve security.
>> Thoughts?
>
> Good idea! I'm in favor of this and will dig into that when having spare
> time.

/me is also in favour of this.

> However, there's more to that than just enabling taint mode, by a quick
> glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
>
> That is, we actually have to make sure that the scripts still *work in
> taint mode* prior to just blindly enabling it.

Indeed.

> We're also using at least one setuid script, which deserves special care
> to make sure it continues to work.

libx2go-server-db-sqlite3-wrapper (or x2gosqlitewrapper on the 4.0.1.x
branch) is a setgid-x2gouser-binary-wrapper-around-a-Perl-script, to
be more precise here.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
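As an added illustration (not code from x2goserver or from anyone on this thread) of what "still work in taint mode" means in practice: under -T, Perl refuses to pass data from outside the program to system(), exec(), open() and friends until it has been untainted through a regex capture, and it refuses to run external commands at all while %ENV still carries a tainted PATH. The allow-list regex for the session id below is a hypothetical one chosen for the demo, not x2go's real format; run it with `perl -T taint_demo.pl some-session_id`.

```perl
#!/usr/bin/perl -T
# Added example: the minimum a script has to do to keep working under
# perl -T. Invoke with "perl -T", otherwise perl dies with "Too late for -T".
use strict;
use warnings;
use Scalar::Util qw(tainted);

# 1. %ENV is tainted under -T. system()/exec() die with
#    "Insecure $ENV{PATH}" (even for absolute command paths) until PATH is
#    set explicitly and the shell-influencing variables are removed,
#    as perlsec "Cleaning Up Your Path" describes.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Anything read from the outside (argv, files, sockets, %ENV) is
#    tainted. The only sanctioned way to untaint it is a regex capture
#    that names exactly the characters the script is willing to accept.
sub untaint_session_id {
    my ($raw) = @_;
    # Hypothetical allow-list for the demo: letters, digits, "-" and "_",
    # at most 128 characters. Not the format x2go actually uses.
    if (defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,128})\z/) {
        return $1;    # the capture is untainted; $raw stays tainted
    }
    return;           # reject rather than "repair" unexpected input
}

my $raw = $ARGV[0] // '';
my $sid = untaint_session_id($raw);

printf "argv tainted: %d, cleaned value tainted: %d\n",
    tainted($raw) ? 1 : 0,
    (defined $sid && tainted($sid)) ? 1 : 0;

die "invalid session id\n" unless defined $sid;

# 3. List-form system() so no shell ever parses the argument. Had $sid
#    still been tainted, perl would die here with "Insecure dependency
#    in system while running with -T switch" instead of running it.
system('/bin/echo', 'session:', $sid) == 0
    or die "echo failed: $?\n";
```

Passing an argument such as `a;b` makes the script exit with "invalid session id" before any command runs, which is the behaviour a setgid wrapper around such a script needs.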