Hi all,
as those of you who have studied X2Go Server code probably have
noticed, X2Go uses the su command quite intensively. The problem about
su is that it invokes a subshell whenever it is called. Those
subshells are quite difficult to handle without providing space for
exploitation.
As su is (in all cases) used to drop privileges from root to a normal
user, my suggestion would be exchanging the su calls by sudo calls.
(sudo -u <user> <command>). The advantage of sudo: it does not invoke
a subshell.
Feedback? Request for comments??? Any other approach thinkable???
Thanks, Mike
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...