Commit b52da3d2 authored by Philip Withnall's avatar Philip Withnall

gdbusaddress: Ignore D-Bus addresses from the environment when setuid



As with the previous commit, it’s unsafe to trust the environment when
running as setuid, as it comes from an untrusted caller. In particular,
with D-Bus, the caller could set up a fake ‘system’ bus which fed
incorrect data to this process.
Signed-off-by: Philip Withnall's avatarPhilip Withnall <pwithnall@endlessos.org>

Helps: #2168
parent 5bdda2a6
......@@ -30,6 +30,7 @@
#include "gdbusaddress.h"
#include "gdbuserror.h"
#include "gioenumtypes.h"
#include "glib-private.h"
#include "gnetworkaddress.h"
#include "gsocketclient.h"
#include "giostream.h"
......@@ -1279,6 +1280,7 @@ g_dbus_address_get_for_bus_sync (GBusType bus_type,
GCancellable *cancellable,
GError **error)
{
gboolean is_setuid = GLIB_PRIVATE_CALL (g_check_setuid) ();
gchar *ret, *s = NULL;
const gchar *starter_bus;
GError *local_error;
......@@ -1317,10 +1319,12 @@ g_dbus_address_get_for_bus_sync (GBusType bus_type,
_g_dbus_debug_print_unlock ();
}
/* Don’t load the addresses from the environment if running as setuid, as they
* come from an unprivileged caller. */
switch (bus_type)
{
case G_BUS_TYPE_SYSTEM:
ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS"));
ret = !is_setuid ? g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS")) : NULL;
if (ret == NULL)
{
ret = g_strdup ("unix:path=/var/run/dbus/system_bus_socket");
......@@ -1328,7 +1332,7 @@ g_dbus_address_get_for_bus_sync (GBusType bus_type,
break;
case G_BUS_TYPE_SESSION:
ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
ret = !is_setuid ? g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS")) : NULL;
if (ret == NULL)
{
ret = get_session_address_platform_specific (&local_error);
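Review bot: In the `G_BUS_TYPE_SESSION` case the setuid path now falls straight through to `get_session_address_platform_specific (&local_error)`, and nothing visible here shows that this fallback is itself independent of the caller's environment. Its body is outside the hunk, so this is a question rather than a confirmed defect: if it derives the address from environment-backed values or starts a helper process, the session address used by a setuid process could still be influenced by the unprivileged caller, which is the situation the commit message sets out to prevent. I would either guard the fallback as well or record at the call site that it has been audited, e.g. `/* get_session_address_platform_specific() must not consult the environment when is_setuid */`. The `G_BUS_TYPE_STARTER` case is not shown either; the `starter_bus` local suggests it may read the environment too, so it deserves the same check.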
......