On 04/07/2015 10:37 PM, Mihai Moldovan wrote:
> On 08.04.2015 03:30 AM, Orion Poplawski wrote:
>> I'm thinking that x2go's server scripts should use perl's "-T" taint
>> mode to prevent searching user's paths and otherwise improve security.
>> Thoughts?
> 
> Good idea! I'm in favor of this and will dig into that when having spare
> time.
> 
> However, there's more to that than just enabling taint mode, by a quick
> glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
> 
> That is, we actually have to make sure that the scripts still *work in
> taint mode* prior to just blindly enabling it.

Oh, it absolutely breaks things as they stand now.  The first thing I noticed
is that PATH will need to be explicitly set for anything that execs another
script.  But I'm glad to see support for the idea.

> We're also using at least one setuid script, which deserves special care
> to make sure it continues to work.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com
_______________________________________________
x2go-dev mailing list
x2go-dev@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-dev
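As an added example (not code from x2go, nor from anyone in this thread), a minimal script showing the two things the thread raises: under `-T` the inherited PATH must be replaced before anything is exec'd, and user-supplied data must be untainted through a regex capture before it reaches a child process. The session-id format is a hypothetical one chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not x2go code: a small wrapper that works under taint mode.
use strict;
use warnings;

# Under -T, %ENV is tainted and Perl refuses system()/exec() unless PATH
# is clean, so set it explicitly instead of inheriting the caller's PATH.
$ENV{PATH} = '/usr/bin:/bin';
# Taint mode also checks these; removing them avoids shell-startup surprises.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Only data extracted by a regex capture counts as untainted, so the pattern
# must describe exactly the values we are willing to pass on.
sub untaint_session_id {
    my ($raw) = @_;
    return unless defined $raw;
    # Hypothetical format: letters, digits, dash and underscore, 1-64 chars.
    return $1 if $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return;    # anything else stays rejected rather than "cleaned up"
}

# @ARGV is tainted under -T; the sub returns a clean copy or undef.
my $sid = untaint_session_id($ARGV[0])
    // die "usage: $0 <session-id> (missing or malformed id)\n";

# List-form system() bypasses /bin/sh entirely, so $sid is never parsed
# by a shell even after untainting; this is the form to prefer when
# converting existing scripts.
system('/bin/echo', 'session', $sid) == 0
    or die "child exited with status $?\n";
```

Running it as `perl -T script.pl 'abc;rm -rf /'` dies at the untaint step, while `perl -T script.pl abc-123` runs the child; commenting out the `$ENV{PATH}` line reproduces the "Insecure $ENV{PATH}" failure the thread mentions.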
