    CVE-2012-3524: Hardening for being run in a setuid environment · d6cbb29f
    Colin Walters authored
    Some programs attempt to use libglib (or even libgio) when setuid.
    For a long time, GTK+ simply aborted if launched in this
    configuration, but we never had a real policy for GLib.
    
    I'm not sure whether we should advertise such support.  However, given
    that there are real-world programs that do this currently, we can make
    them safer with not too much effort.
    
    Better to fix a problem caused by an interaction between two
    components in *both* places if possible.
    
    This patch adds a private function g_check_setuid() which is used to
    first ensure we don't run an external dbus-launch binary if
    DBUS_SESSION_BUS_ADDRESS isn't set.
    
    Second, we also ensure the local VFS is used in this case.  The
    gdaemonvfs extension point will end up talking to the session bus
    which is typically undesirable in a setuid context.
    
    Implementing g_check_setuid() is interesting - whether or not we're
    running in a privilege-escalated path is operating system specific.
    Note that GTK+'s code to check euid versus uid worked historically on
    Unix; more modern systems have filesystem capabilities and SELinux
    domain transitions, neither of which is captured by the uid
    comparison.
    
    On Linux/glibc, the way this works is that the kernel sets an
    AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
    startup.  If found, then glibc sets a public-but-undocumented
    __libc_enable_secure variable which we can use.  Unfortunately, while
    it *previously* worked to check this variable, a combination of newer
    binutils and RPM break it:
    http://www.openwall.com/lists/owl-dev/2012/08/14/1
    
    So for now on Linux/glibc, we fall back to the historical Unix version
    until we get glibc fixed.
    
    On some BSD variants, there is an issetugid() function.  On other Unix
    variants, we fall back to what GTK+ has been doing.
    Reported-By: Sebastian Krahmer <krahmer@suse.de>
    Signed-off-by: Colin Walters <walters@verbum.org>
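The check the commit describes, as an added illustration that is not GLib's own code: on Linux it reads the same AT_SECURE flag the message mentions, but through the documented getauxval(AT_SECURE) interface (glibc 2.16 and later) rather than the __libc_enable_secure variable the commit found unreliable; BSDs use issetugid(); everything else falls back to the historical uid/gid comparison. The two policy helpers and their names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): the kernel's verdict */
#endif

/* The classic GTK+-style test: real and effective ids differ after a
 * setuid/setgid exec.  Pure so it can be exercised with constructed ids.
 * It does not see fscaps or SELinux domain transitions. */
bool ids_mismatch(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* True when the process runs in a privilege-elevated context
 * (the role g_check_setuid() plays in the commit). */
bool check_setuid(void)
{
#ifdef __linux__
    /* AT_SECURE is set for setuid/setgid binaries, file capabilities and
     * LSM transitions, so it covers what the uid comparison cannot. */
    if (getauxval(AT_SECURE) != 0)
        return true;
#elif defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
      defined(__DragonFly__) || defined(__APPLE__)
    if (issetugid() != 0)
        return true;
#endif
    /* Historical Unix fallback; still worth keeping underneath the others. */
    return ids_mismatch(getuid(), geteuid(), getgid(), getegid());
}

/* Hypothetical policy helper matching the commit's first rule: only spawn
 * dbus-launch when DBUS_SESSION_BUS_ADDRESS is unset AND we are not setuid.
 * bus_address is that variable's value, or NULL when it is unset. */
bool should_autolaunch_session_bus(const char *bus_address, bool is_setuid)
{
    if (bus_address != NULL && bus_address[0] != '\0')
        return false;   /* an address exists, so nothing needs launching */
    return !is_setuid;  /* setuid: never exec an external helper */
}

/* Hypothetical policy helper for the second rule: setuid means local VFS. */
const char *choose_vfs(bool is_setuid)
{
    return is_setuid ? "local" : "gdaemonvfs";
}
```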
genviron.c 18.8 KB