Nable 80 | 10 May 11:13 2013

Re: Bug#200: Bug#200: When user-directories do not exist, saving sqlpass with x2godbadmin is not possible

I've thought a bit and finally I can write some ideas.

> Well, I don't mind fixing this to be safe with special chars ... ;) I however really doubt administrators to
set homedirs to something with spaces or special chars.
1.1. I was always taught that programs must be secure by design. At
least one should do his best trying to achieve it.
In this exact case it seems that it's not hard to make system() call
more secure: see
http://stackoverflow.com/questions/619926/should-i-escape-shell-arguments-in-perl
as example.
Tl;dr: One should use `system $cmd,  <at> args' rather than `system "$cmd  <at> args"'.
1.2. I don't have pam_mkhomedir in my setups. But for those who have
it may be better to do something like `su - $username -c /bin/true' to
create a good homedir with skeleton files instead of empty one,
although i'm not sure that it works, see
https://bugzilla.redhat.com/show_bug.cgi?id=77791 for example.
1.3. +1 to Stefan for domain setups. I even have one. Oh, this thread
brings me the idea that I should also add pam_mkhomedir to it.

> Ideas?
2. Somehow like this (sorry, i'm not ready to provide a patch at the
moment, so just pseudoperl) :
if (! -d "$dir")
    # Try pam_mkhomedir way
    open my $output, "-|", "su", ("-", "$name", "-c", "pwd"); # is
using /bin/pwd better?
    while (<$output>) { # sorry, i don't remember the way to read full
line w/o `while'
        chomp;
        if ($_ ne $dir) { # Failed? Use force.
            system "mkdir", ("-p", "$dir/.x2go"); # is using /bin/mkdir better?
            print "Here we should show some HUGE warning";
        }
        break;
    }
    close $output;
}
if (! -d $dir/.x2go) {
    mkdir ("$dir/.x2go");
}

Gmane