Hi Mihai, On Mi 08 Apr 2015 06:37:38 CEST, Mihai Moldovan wrote:
On 08.04.2015 03:30 AM, Orion Poplawski wrote:I'm thinking that x2go's server scripts should use perl's "-T" taint mode to prevent searching user's paths and otherwise improve security. Thoughts?Good idea! I'm in favor of this and will dig into that when having spare time.
/me is also in favour of this.
However, there's more to that than just enabling taint mode, by a quick glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode That is, we actually have to make sure that the scripts still *work in taint mode* prior to just blindly enabling it.
Indeed.
We're also using at least one setuid script, which deserves special care to make sure it continues to work.
libx2go-server-db-sqlite3-wrapper (or x2gosqlitewrapper on the 4.0.1.x branch) is a setgid-x2gouser-binary-wrapper-around-a-Perl-script, to be more precise here.
Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: [email protected], http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
pgp3TIy4hXvzN.pgp
Description: Digitale PGP-Signatur
_______________________________________________ x2go-dev mailing list [email protected] http://lists.x2go.org/listinfo/x2go-dev
