giomodule: Loads GIO modules even if setuid, etc.
While opening #2167 I thought of a possible attack on setuid/setcap GLib-linked processes like `pkexec`, if they instantiate GIO objects before sanitizing their environment:

- Set `GIO_MODULE_DIR` to a path containing malicious GIO modules
- Give the malicious GIO modules a constructor (as in `__attribute__((constructor))`) that is the attack's payload
- The privileged process `dlopen()`s the modules. Even if it doesn't instantiate the objects in the modules (for example because they're VFS modules and `GIO_USE_VFS` is set to `local`), it's already too late: the constructor was run.
This could be argued to be a bug in the privileged program, because it should sanitize the environment before calling into non-trivial libraries. It isn't yet clear to me whether `pkexec` is successful in doing this, because it uses non-trivial code from GLib before clearing its environment, and it isn't immediately obvious which bits of that code (if any) are GIO.
However, GIO could also do better at avoiding this sort of thing (for example calling `g_check_setuid()` before looking at the environment).
`g_check_setuid()`, but I think there are other code paths that lead to
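As an added illustration (not GLib's code, and not part of this report) of the mitigation suggested above, the following C program shows the shape of the check a library can make before it honours an environment-controlled module path such as `GIO_MODULE_DIR`. The function names `process_is_secure()`, `choose_module_dir()` and `module_dir_for_this_process()` and the compiled-in directory `/usr/lib/gio/modules` are assumptions for the example only. The decision is taken from the kernel's `AT_SECURE` auxiliary-vector flag, which is also set for setcap binaries where a plain uid/euid comparison would see nothing suspicious; the uid comparison is kept only as a fallback for platforms without `getauxval()`.

```c
/* Added example: refuse to honour GIO_MODULE_DIR in a setuid/setcap process.
 * Names and the compiled-in directory below are illustrative assumptions,
 * not GLib's real API. Build: cc -o modcheck modcheck.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Hypothetical compiled-in default, used whenever the env must be ignored. */
#define COMPILED_IN_MODULE_DIR "/usr/lib/gio/modules"

/* Is this process running with privileges it did not inherit from its
 * parent (setuid, setgid or file capabilities)?  On Linux AT_SECURE is the
 * kernel's own verdict and covers the setcap case, where uid == euid.
 * Comparing real and effective ids is only a fallback. */
int process_is_secure(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision function, separated out so it can be tested without
 * re-executing as a setuid binary: given whether the process is secure and
 * the (possibly NULL) value of GIO_MODULE_DIR, pick the directory to scan.
 * In a secure process the environment is never consulted. */
const char *choose_module_dir(int secure, const char *env_value)
{
    if (secure || env_value == NULL || env_value[0] == '\0')
        return COMPILED_IN_MODULE_DIR;
    return env_value;
}

/* What a library entry point would do: check the process *before* reading
 * the environment.  glibc's secure_getenv(3) makes the same decision for a
 * single variable, so getenv() -> secure_getenv() is an equivalent fix. */
const char *module_dir_for_this_process(void)
{
    return choose_module_dir(process_is_secure(), getenv("GIO_MODULE_DIR"));
}

int main(void)
{
    printf("secure process: %d\n", process_is_secure());
    printf("module dir:     %s\n", module_dir_for_this_process());
    return 0;
}
```

Run it once normally with `GIO_MODULE_DIR=/tmp/x` and once after `sudo setcap cap_net_raw+ep ./modcheck` (or as a setuid copy): the first run prints `/tmp/x`, the second ignores the variable and prints the compiled-in path. Note that this only protects the library's own lookup; a privileged program that calls into GIO before clearing its environment still depends on every library it touches making the same check.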