giomodule: Loads GIO modules even if setuid, etc.
While opening #2167 I thought of a possible attack on setuid/setcap GLib-linked processes like `pkexec`, if they instantiate GIO objects before sanitizing their environ:

- Set `GIO_EXTRA_MODULES` or `GIO_MODULE_DIR` to a path containing malicious GIO modules
- Give the malicious GIO modules a constructor (as in `__attribute__((constructor))`) that is the attack's payload

`_g_io_modules_ensure_loaded()` will `dlopen()` the modules. Even if it doesn't instantiate the objects in the modules (for example because they're VFS modules and `GIO_USE_VFS` is set to `local`), it's already too late: the constructor was run.
This could be argued to be a bug in the privileged program, because it should sanitize the environment before calling into non-trivial libraries. It isn't yet clear to me whether `pkexec` is successful in doing this, because it uses non-trivial code from GLib before clearing its environment, and it isn't immediately obvious which bits of that code (if any) are GIO.
However, GIO could also do better at avoiding this sort of thing (for example calling `g_check_setuid()` before looking at the environment). `g_vfs_get_default()` calls `g_check_setuid()`, but I think there are other code paths that lead to `_g_io_module_get_default()`.
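As an added illustration of the mitigation suggested above (example code, not GLib's own), the decision of whether an environment-supplied module directory may be honoured is factored into a pure function that refuses the override whenever the process is privileged. The helper `process_is_secure()` is a hypothetical stand-in for `g_check_setuid()` built on `AT_SECURE` and the uid/euid comparison; the function and variable names are assumptions.

```c
/* Added example (not GLib's code): ignore GIO_MODULE_DIR / GIO_EXTRA_MODULES
 * style overrides when the process gained privilege at exec time, so that
 * environ can never steer which modules get dlopen()ed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Hypothetical stand-in for g_check_setuid(): true if the kernel marked the
 * process as secure (setuid/setgid/file capabilities) or the real and
 * effective ids differ. */
static bool process_is_secure(void)
{
#if defined(__linux__) && defined(AT_SECURE)
    if (getauxval(AT_SECURE))
        return true;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision function, testable without a real privileged process.
 * Returns the directory to honour, or NULL when the override must be ignored:
 * privileged process, unset variable, or a non-absolute path. */
static const char *module_dir_from_env_value(bool secure, const char *value)
{
    if (secure)                          /* privileged: environ is untrusted */
        return NULL;
    if (value == NULL || value[0] != '/') /* require an absolute path */
        return NULL;
    return value;
}

/* What a module loader would call, reading the live environment. */
static const char *gio_module_dir_override(const char *var)
{
    return module_dir_from_env_value(process_is_secure(), getenv(var));
}

int main(void)
{
    const char *dir = gio_module_dir_override("GIO_MODULE_DIR");
    printf("GIO_MODULE_DIR override: %s\n", dir ? dir : "(ignored)");
    return 0;
}
```

The check runs before any path from the environment is touched, which is the ordering the report asks for: a setuid process never reaches `dlopen()` with an attacker-chosen directory.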