On 08.04.2015 03:30 AM, Orion Poplawski wrote:
> I'm thinking that x2go's server scripts should use perl's "-T" taint
> mode to prevent searching user's paths and otherwise improve security.
> Thoughts?

Good idea! I'm in favor of this and will dig into that when having spare time.

However, there's more to that than just enabling taint mode, by a quick glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode

That is, we actually have to make sure that the scripts still *work in taint mode* prior to just blindly enabling it. We're also using at least one setuid script, which deserves special care to make sure it continues to work.

Mihai
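
What "still work in taint mode" involves for a script that runs an external command, as an added example that is not part of the original message and not X2Go code. The script, the session-id pattern and the use of /bin/echo are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example: a hypothetical helper script, not an X2Go server script.
use strict;
use warnings;

# Under -T, PERL5LIB and PERLLIB are ignored, so modules are not loaded
# from user-controlled library paths.

# %ENV is tainted. Perl refuses to run external commands until PATH is
# set to a known value and these variables are removed (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a value by matching it against a strict allow-list pattern and
# returning the capture group; returns undef if it does not match.
# The pattern is an assumption, not X2Go's real session-id format.
sub untaint_session_id {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/ ? $1 : undef;
}

my $raw = shift @ARGV;    # command-line arguments are tainted
my $id  = untaint_session_id($raw);
die "usage: $0 <session-id>\n" unless defined $id;

# List form of system() bypasses the shell. Passing the tainted $raw here,
# or leaving PATH untouched, makes Perl die with an "Insecure dependency"
# or "Insecure $ENV{PATH}" error instead of running the command.
system('/bin/echo', 'session', $id) == 0
    or die "echo failed: $?\n";
```

Because `-T` is on the `#!` line, run the script directly or as `perl -T script.pl`; a plain `perl script.pl` is rejected by Perl.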
_______________________________________________
x2go-dev mailing list
[email protected]
http://lists.x2go.org/listinfo/x2go-dev
