From f42e04d2474069b5d52eea6f19a9336867cf2ef9 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Fri, 28 Apr 2023 11:11:03 +0100 Subject: [PATCH] docs: Document that GIO should not be used in privileged processes Signed-off-by: Philip Withnall Fixes: #2289 --- docs/reference/glib/programming.xml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/reference/glib/programming.xml b/docs/reference/glib/programming.xml index 52df907e8..32f207943 100644 --- a/docs/reference/glib/programming.xml +++ b/docs/reference/glib/programming.xml @@ -43,7 +43,7 @@ support multithreaded applications. -Security +Security and setuid use When writing code that runs with elevated privileges, it is important @@ -56,8 +56,17 @@ excellent book on this topic, When it comes to GLib and its associated libraries, GLib and GObject are generally fine to use in code that runs with elevated privileges; they don't load modules (executable code in shared objects) -or run other programs 'behind your back'. GIO has to be used -carefully in privileged programs, see the GIO documentation for details. +or run other programs ‘behind your back’. GIO, however, is not designed to be +used in privileged programs, either ones which are spawned by a privileged +process, or ones which are run with a setuid bit set. + + + +setuid programs should always reset their environment to contain only +known-safe values before calling into non-trivial libraries such as GIO. This +reduces the risk of an attacker-controlled environment variable being used to +get a privileged GIO process to run arbitrary code via loading a GIO module or +similar.
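Review bot: In the first hunk, the new title "Security and setuid use" is narrower than the body it heads: the second hunk explicitly covers programs "spawned by a privileged process" as well as ones "run with a setuid bit set", so a reader skimming headings for non-setuid elevated-privilege cases (a daemon running as root, for example) may skip this section. Consider a broader title such as "Security and privileged use", or keep the existing "Security" heading and let the paragraphs carry the setuid detail.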
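Review bot: In the second hunk, the two new paragraphs pull in different directions: the first states flatly that GIO "is not designed to be used in privileged programs", while the second gives guidance for setuid programs "before calling into non-trivial libraries such as GIO", which reads as if such use is acceptable once the environment is reset. Make the relationship explicit, e.g. "If a privileged program must nevertheless use GIO, it should first reset its environment ...", so the environment reset is understood as a mitigation for unavoidable cases rather than a sanctioned pattern. Two further points: the removed sentence "see the GIO documentation for details" was the only cross-reference to where the relevant environment variables are documented, and the new text mentions "an attacker-controlled environment variable" without naming any or linking to that list, so consider restoring a link to the GIO documentation; and "either ones which are spawned by a privileged process" is ambiguous, since a child of a privileged process is only a concern if it inherits the elevated privileges, so say that directly. Minor style: the paragraph starting "setuid programs should always ..." begins a sentence with a lowercase identifier; "Programs running setuid ..." avoids that.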