From 7c0b9c776f6280eb5139017043877358a6ad9d7b Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Tue, 2 Feb 2021 10:25:40 +0000
Subject: [PATCH 1/3] gdbus: Improve readability by avoiding ternary operator

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 gio/gdbusaddress.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
index d26c4d25f..6d519a3f4 100644
--- a/gio/gdbusaddress.c
+++ b/gio/gdbusaddress.c
@@ -1330,7 +1330,11 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
   switch (bus_type)
     {
     case G_BUS_TYPE_SYSTEM:
-      ret = !is_setuid ? g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS")) : NULL;
+      if (is_setuid)
+        ret = NULL;
+      else
+        ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS"));
+
       if (ret == NULL)
         {
           ret = g_strdup ("unix:path=/var/run/dbus/system_bus_socket");
@@ -1338,7 +1342,11 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
       break;
 
     case G_BUS_TYPE_SESSION:
-      ret = !is_setuid ? g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS")) : NULL;
+      if (is_setuid)
+        ret = NULL;
+      else
+        ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+
       if (ret == NULL)
         {
           ret = get_session_address_platform_specific (&local_error);

From 6436d52a0a9a099b345fa39afe64c4c6a49d4c93 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Tue, 2 Feb 2021 20:38:41 +0000
Subject: [PATCH 2/3] gdbus: Rename a variable to be less misleading

We're using "setuid" here as shorthand for any elevated privileges
that should make us distrust the caller: setuid, setgid, filesystem
capabilities, more obscure Linux things that set the AT_SECURE flag
(such as certain AppArmor transitions), and their equivalents on
other operating systems. This is fine if we do it consistently, but
I'm about to add a check for whether we are *literally* setuid,
which would be particularly confusing without a rename.

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 gio/gdbusaddress.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
index 6d519a3f4..5dcbf9523 100644
--- a/gio/gdbusaddress.c
+++ b/gio/gdbusaddress.c
@@ -1286,7 +1286,7 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
                                  GCancellable  *cancellable,
                                  GError       **error)
 {
-  gboolean is_setuid = GLIB_PRIVATE_CALL (g_check_setuid) ();
+  gboolean has_elevated_privileges = GLIB_PRIVATE_CALL (g_check_setuid) ();
   gchar *ret, *s = NULL;
   const gchar *starter_bus;
   GError *local_error;
@@ -1330,7 +1330,7 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
   switch (bus_type)
     {
     case G_BUS_TYPE_SYSTEM:
-      if (is_setuid)
+      if (has_elevated_privileges)
         ret = NULL;
       else
         ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS"));
@@ -1342,7 +1342,7 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
       break;
 
     case G_BUS_TYPE_SESSION:
-      if (is_setuid)
+      if (has_elevated_privileges)
         ret = NULL;
       else
         ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));

From 7aa0580cc559148e0f4646461a42102bd98228b6 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Tue, 2 Feb 2021 20:52:03 +0000
Subject: [PATCH 3/3] gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not
 setuid

This is against my better judgement, but it's the least bad regression
fix I can think of. If we don't do this, at least gnome-keyring-daemon
(setcap) and msmtp (setgid) are known to regress.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2305
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981555
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 gio/gdbusaddress.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
index 5dcbf9523..a341023df 100644
--- a/gio/gdbusaddress.c
+++ b/gio/gdbusaddress.c
@@ -1343,9 +1343,31 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
 
     case G_BUS_TYPE_SESSION:
       if (has_elevated_privileges)
-        ret = NULL;
+        {
+#ifdef G_OS_UNIX
+          if (geteuid () == getuid ())
+            {
+              /* Ideally we shouldn't do this, because setgid and
+               * filesystem capabilities are also elevated privileges
+               * with which we should not be trusting environment variables
+               * from the caller. Unfortunately, there are programs with
+               * elevated privileges that rely on the session bus being
+               * available. We already prevent the really dangerous
+               * transports like autolaunch: and unixexec: when our
+               * privileges are elevated, so this can only make us connect
+               * to the wrong AF_UNIX or TCP socket. */
+              ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+            }
+          else
+#endif
+            {
+              ret = NULL;
+            }
+        }
       else
-        ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+        {
+          ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+        }
 
       if (ret == NULL)
         {