[X2Go-Dev] Use perl -T (taint) with x2goserver scripts
Orion Poplawski
orion at cora.nwra.com
Wed Apr 8 16:43:57 CEST 2015
On 04/07/2015 10:37 PM, Mihai Moldovan wrote:
> On 08.04.2015 03:30 AM, Orion Poplawski wrote:
>> I'm thinking that x2go's server scripts should use perl's "-T" taint
>> mode to prevent searching user's paths and otherwise improve security.
>> Thoughts?
>
> Good idea! I'm in favor of this and will dig into that when having spare
> time.
>
> However, there's more to that than just enabling taint mode, by a quick
> glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
>
> That is, we actually have to make sure that the scripts still *work in
> taint mode* prior to just blindly enabling it.
Oh, it absolutely breaks things as they stand now. The first thing I noticed
is that PATH will need to be explicitly set for anything that execs another
script. But I'm glad to see support for the idea.
> We're also using at least one setuid script, which deserves special care
> to make sure it continues to work.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
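To make concrete what the thread is discussing, here is an added illustration of a Perl script running under -T (this is example code written for this page, not anything from the X2Go tree). It assumes a hypothetical wrapper that takes a session id from the user and runs a hypothetical helper at /usr/local/bin/session-helper; the session id format is likewise an assumption. It shows the two things taint mode forces on such a script: PATH (and the shell-controlling variables) must be set explicitly before any exec, and every outside value must be untainted through a pattern match before it reaches system().

```perl
#!/usr/bin/perl -T
# Added example of perl taint mode; not X2Go code.
# Assumes a hypothetical wrapper around a hypothetical helper program.
use strict;
use warnings;

# Under -T every value that comes from outside the program (@ARGV, %ENV,
# file and socket reads) is tainted, and perl dies rather than pass tainted
# data to system()/exec()/piped open. %ENV is tainted too, so exec fails with
# "Insecure $ENV{PATH}" until PATH is set from within the script. A setuid
# script gets this behaviour even without -T, because perl turns taint mode
# on whenever real and effective UIDs differ.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untainting works by regex capture: only the captured group is clean, so the
# pattern has to describe exactly what is acceptable, not just reject bad input.
sub untaint_session_id {
    my ($raw) = @_;
    # Allowed session id alphabet and length are assumptions for this example.
    return $1 if defined $raw && $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    die "refusing tainted or malformed session id\n";
}

my $session = untaint_session_id($ARGV[0]);

# List-form system() never goes through a shell, and the helper path is
# absolute, so neither PATH nor the argument can change which program runs.
# /usr/local/bin/session-helper is a hypothetical helper for this example.
my $rc = system('/usr/local/bin/session-helper', '--session', $session);
exit($rc == 0 ? 0 : 1);
```

Without the $ENV{PATH} assignment, the system() call above dies at runtime even though the command path is absolute; that is the breakage reported in the thread, and explicitly setting PATH is the fix. Untainting via a strict regex is what keeps the script working under -T when it has to pass user-derived values on to another program.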