[X2Go-Dev] Use perl -T (taint) with x2goserver scripts

Orion Poplawski orion at cora.nwra.com
Wed Apr 8 16:43:57 CEST 2015

On 04/07/2015 10:37 PM, Mihai Moldovan wrote:
> On 08.04.2015 03:30 AM, Orion Poplawski wrote:
>> I'm thinking that x2go's server scripts should use perl's "-T" taint
>> mode to prevent searching user's paths and otherwise improve security.
>> Thoughts?
> Good idea! I'm in favor of this and will dig into that when having spare
> time.
> However, there's more to that than just enabling taint mode, by a quick
> glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
> That is, we actually have to make sure that the scripts still *work in
> taint mode* prior to just blindly enabling it.

Oh, it absolutely breaks things as they stand now.  The first thing I noticed
is that PATH will need to be explicitly set for anything that execs another
script.  But I'm glad to see support for the idea.

> We're also using at least one setuid script, which deserves special care
> to make sure it continues to work.

Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
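The two things the thread touches on, PATH having to be set explicitly before anything can be exec'd and external values being tainted until validated, in a minimal runnable script. This is an added example, not x2go code; the logger command, the user-name rule and the session-id format are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from x2goserver). Run as: perl -T this.pl alice alice-50-1428500000_stDMATE_dp24
use strict;
use warnings;

# Under -T every %ENV value is tainted. system()/exec()/backticks die with
# "Insecure $ENV{PATH}" until PATH is replaced by a fixed, trusted value,
# which is the first breakage seen when taint mode is switched on.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # also inspected by taint checks

# Anything from outside the program (argv, %ENV, files, sockets) is tainted.
# The only way to untaint is a regex capture, so the pattern *is* the
# validation: it states exactly what shape the value may have.
sub untaint_user {
    my ($raw) = @_;
    return $1 if $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;   # $1 is untainted
    die "refusing untrusted user name\n";
}

sub untaint_session_id {
    my ($raw) = @_;
    # Constructed format: user, session number, timestamp, type, display.
    return $1 if $raw =~ /\A([A-Za-z0-9_.-]+-\d+-\d+_[A-Za-z0-9]+_dp\d+)\z/;
    die "refusing untrusted session id\n";
}

my ($user, $session) = map { defined $_ ? $_ : '' } @ARGV[0, 1];
$user    = untaint_user($user);
$session = untaint_session_id($session);

# List form of system() with an absolute path: no shell parses the
# arguments, and the program is not looked up via PATH at all.
my @cmd = ('/usr/bin/logger', '-t', 'taint-example', "user=$user session=$session");
system(@cmd) == 0 or die "logger failed: $?\n";
```

Perl only honours `-T` on the shebang line when the script is started through it; invoking it as `perl script.pl` aborts with "Too late for -T", so either run via the shebang or pass `-T` on the command line.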
