Merge branch 'wip/gdbus-even-when-setcap' into 'master'

Resolve GDBus regressions in setcap/setgid programs Closes #2305 See merge request GNOME/glib!1920
2024-12-27 16:06:16 +01:00 · 2021-02-03 11:28:20 +00:00 · 2021-02-03 11:28:20 +00:00 · 018ae0982c
commit 018ae0982c
parent ab46205db1 7aa0580cc5
1 changed files with 33 additions and 3 deletions
--- a/gio/gdbusaddress.c
+++ b/gio/gdbusaddress.c
@ -1286,7 +1286,7 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
                                 GCancellable  *cancellable,
                                 GError       **error)
 {
-  gboolean is_setuid = GLIB_PRIVATE_CALL (g_check_setuid) ();
+  gboolean has_elevated_privileges = GLIB_PRIVATE_CALL (g_check_setuid) ();
  gchar *ret, *s = NULL;
  const gchar *starter_bus;
  GError *local_error;
@ -1330,7 +1330,11 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
  switch (bus_type)
    {
    case G_BUS_TYPE_SYSTEM:
-      ret = !is_setuid ? g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS")) : NULL;
+      if (has_elevated_privileges)
+        ret = NULL;
+      else
+        ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS"));
+
      if (ret == NULL)
        {
          ret = g_strdup ("unix:path=/var/run/dbus/system_bus_socket");
@ -1338,7 +1342,33 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
      break;

    case G_BUS_TYPE_SESSION:
-      ret = !is_setuid ? g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS")) : NULL;
+      if (has_elevated_privileges)
+        {
+#ifdef G_OS_UNIX
+          if (geteuid () == getuid ())
+            {
+              /* Ideally we shouldn't do this, because setgid and
+               * filesystem capabilities are also elevated privileges
+               * with which we should not be trusting environment variables
+               * from the caller. Unfortunately, there are programs with
+               * elevated privileges that rely on the session bus being
+               * available. We already prevent the really dangerous
+               * transports like autolaunch: and unixexec: when our
+               * privileges are elevated, so this can only make us connect
+               * to the wrong AF_UNIX or TCP socket. */
+              ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+            }
+          else
+#endif
+            {
+              ret = NULL;
+            }
+        }
+      else
+        {
+          ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+        }
+
      if (ret == NULL)
        {
          ret = get_session_address_platform_specific (&local_error);