Hi Mihai,
On Mi 08 Apr 2015 06:37:38 CEST, Mihai Moldovan wrote:
On 08.04.2015 03:30 AM, Orion Poplawski wrote:
I'm thinking that x2go's server scripts should use perl's "-T" taint mode to prevent searching user's paths and otherwise improve security. Thoughts?
Good idea! I'm in favor of this and will dig into that when having spare time.
/me is also in favour of this.
However, there's more to that than just enabling taint mode, by a quick glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
That is, we actually have to make sure that the scripts still *work in taint mode* prior to just blindly enabling it.
Indeed.
We're also using at least one setuid script, which deserves special care to make sure it continues to work.
libx2go-server-db-sqlite3-wrapper (or x2gosqlitewrapper on the 4.0.1.x
branch) is a setgid-x2gouser-binary-wrapper-around-a-Perl-script, to
be more precise here.
Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...