Commit Graph

33 Commits

Author SHA1 Message Date
Colin Walters
d6cbb29f59 CVE-2012-3524: Hardening for being run in a setuid environment
Some programs attempt to use libglib (or even libgio) when setuid.
For a long time, GTK+ simply aborted if launched in this
configuration, but we never had a real policy for GLib.

I'm not sure whether we should advertise such support.  However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.

Better to fix a problem caused by an interaction between two
components in *both* places if possible.

This patch adds a private function g_check_setuid() which is used to
first ensure we don't run an external dbus-launch binary if
DBUS_SESSION_BUS_ADDRESS isn't set.

Second, we also ensure the local VFS is used in this case.  The
gdaemonvfs extension point will end up talking to the session bus
which is typically undesirable in a setuid context.

Implementing g_check_setuid() is interesting - whether or not we're
running in a privilege-escalated path is operating system specific.
Note that GTK+'s code to check euid versus uid worked historically on
Unix, more modern systems have filesystem capabilities and SELinux
domain transitions, neither of which are captured by the uid
comparison.

On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup.  If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use.  Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1

So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.

On some BSD variants, there is a issetugid() function.  On other Unix
variants, we fall back to what GTK+ has been doing.

Reported-By: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Colin Walters <walters@verbum.org>
2012-09-13 18:34:29 -04:00
Matthias Clasen
6bee6dbce5 Miscellaneous string fixes
Typo and punctuation fixes, and some rewording, based
on a patch by Philip Withnall, bug
https://bugzilla.gnome.org/review?bug=628193
2012-08-16 23:02:41 -04:00
Colin Walters
f7abd3ce13 Add g_spawn_check_exit_status()
Many (if not "almost all") programs that spawn other programs via
g_spawn_sync() or the like simply want to check whether or not the
child exited successfully, but doing so requires use of
platform-specific functionality and there's actually a fair amount of
boilerplate involved.

This new API will help drain a *lot* of mostly duplicated code in
GNOME, from gnome-session to gdm.  And we can see that some bits even
inside GLib were doing it wrong; for example checking the exit status
on Unix, but ignoring it on Windows.

https://bugzilla.gnome.org/show_bug.cgi?id=679691
2012-07-10 18:03:56 -04:00
Alexander Larsson
dccce38367 win32: Support autolaunching dbus daemon 2012-04-20 15:02:48 +02:00
Robert Ancell
4143842eb4 Add missing allow-none annotations for function parameters.
Found using:
find . -name '*.c' | xargs grep 'or %NULL' | grep ' \* @' | grep -v '@error' | grep -v allow-none
2012-03-31 20:34:28 +11:00
Ryan Lortie
e3c7fdd7a4 GDBus: make use of reliable async cancellation
Call g_simple_async_result_set_check_cancellable() after all
GSimpleAsyncResult creation in order to take advantage of the new
reliable cancellation feature.

The guarantee of reliable cancellation fixes a bug in dbusmenu (which
was already assuming that cancellation was reliable).  See this bug:
https://bugs.launchpad.net/ubuntu/+source/libdbusmenu/+bug/953562

https://bugzilla.gnome.org/show_bug.cgi?id=672013

Signed-off-by: David Zeuthen <davidz@redhat.com>
2012-03-15 14:01:35 -04:00
Matthias Clasen
28008138c3 Silence a compiler warning 2011-06-14 21:06:17 -04:00
Matthias Clasen
ba6e66bff1 Don't compare unsigned numbers with 0
It does not work.
2011-06-14 18:51:57 -04:00
Matthias Clasen
3dc34de0ff Avoid a deref-before-NULL-check warning 2011-06-14 10:04:06 -04:00
David Zeuthen
25c57d31c5 GDBus: Allow tcp: and nonce-tcp: addresses without any arguments
This was broken in this commit

 http://git.gnome.org/browse/glib/commit/?id=0729260141bb585943ad1c6efa8ab7ee9058b0aa

The test case for catching this is unfortunately commented out (so it
didn't catch it) due to this bug

 https://bugzilla.gnome.org/show_bug.cgi?id=631379

still being unresolved.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2011-04-13 17:49:19 -04:00
David Zeuthen
0729260141 Silence a bunch of -Wunused-but-set-variable warnings
Signed-off-by: David Zeuthen <davidz@redhat.com>
2011-04-08 15:44:25 -04:00
Christian Persch
9e0c07870a Use g_simple_async_result_{new_,}take_error
Bug #633685.
2010-11-03 14:25:35 +01:00
Johan Dahlin
30132c44c1 Add a lot of missing annotations 2010-09-24 18:24:41 -03:00
Ryan Lortie
66388120d2 Move #include <sys/wait.h> down
Until after we include the glib stuff, so that we have G_OS_UNIX
defined.

For some reason <stdlib.h> pulls in <sys/wait.h> on Fedora so this
wasn't a problem, but many others have reported the issue.
2010-07-20 10:49:30 -04:00
David Hoyt
c7c573afb6 Bug 624754 – gdbusaddress.c missing sys/wait.h
https://bugzilla.gnome.org/show_bug.cgi?id=624754

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-07-19 13:53:17 -04:00
David Zeuthen
f30aef9a10 GDBus: Add nonce-tcp: test case
Also fix a couple of TODO items in gdbusaddress.c

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-07-16 13:22:45 -04:00
Ryan Lortie
5b946e0504 gio/: fully remove gioalias hacks 2010-07-07 19:53:22 -04:00
Matthias Clasen
99670eaccc Fix some errors in translated strings
gettext can't handle macros, so we have to use literal format
specifiers, unfortunately.
2010-07-07 07:37:42 -04:00
Danielle Madeley
be247379f0 Include sys/wait.h for WEXITSTATUS() 2010-07-07 12:47:54 +10:00
David Zeuthen
aab6d9ed1c GDBus: Handle autolaunching on UNIX/Freedesktop OSes
Also add a 'address' G_DBUS_DEBUG option that will print out useful
debug information such as

  GDBus-debug:Address: In g_dbus_address_get_for_bus_sync() for bus type `session'
  GDBus-debug:Address: env var DBUS_SESSION_BUS_ADDRESS is not set
  GDBus-debug:Address: env var DBUS_SYSTEM_BUS_ADDRESS is not set
  GDBus-debug:Address: env var DBUS_STARTER_BUS_TYPE is not set
  GDBus-debug:Address: Running `dbus-launch --autolaunch=05e508961149264c9b750a4c494aa6f7 --binary-syntax --close-stderr' to get bus address (possibly autolaunching)
  GDBus-debug:Address: dbus-launch output:
    0000: 75 6e 69 78  3a 61 62 73  74 72 61 63  74 3d 2f 74    unix:abstract=/t
    0010: 6d 70 2f 64  62 75 73 2d  77 42 41 6f  4b 59 49 52    mp/dbus-wBAoKYIR
    0020: 7a 75 2c 67  75 69 64 3d  30 34 30 64  31 33 66 33    zu,guid=040d13f3
    0030: 30 61 30 62  35 32 63 32  30 66 36 32  63 34 31 63    0a0b52c20f62c41c
    0040: 30 30 30 30  35 30 38 64  00 d2 38 00  00 01 00 40    0000508d..8....@
    0050: 05 00 00 00  00                                       .....
  GDBus-debug:Address: dbus-launch stderr output:
  14542: Autolaunch enabled (using X11).
  14542: --exit-with-session automatically enabled
  14542: Connected to X11 display ':0.0'
  14542: === Parent dbus-launch continues
  14542: Waiting for babysitter's intermediate parent
  14542: Reading address from bus
  14542: Reading PID from daemon
  14542: Saving x11 address
  14542: Created window 88080385
  14542: session file: /root/.dbus/session-bus/05e508961149264c9b750a4c494aa6f7-0
  14542: dbus-launch exiting
  GDBus-debug:Address: Returning address `unix:abstract=/tmp/dbus-wBAoKYIRzu,guid=040d13f30a0b52c20f62c41c0000508d' for bus type `session'

and

  GDBus-debug:Address: In g_dbus_address_get_for_bus_sync() for bus type `session'
  GDBus-debug:Address: env var DBUS_SESSION_BUS_ADDRESS is not set
  GDBus-debug:Address: env var DBUS_SYSTEM_BUS_ADDRESS is not set
  GDBus-debug:Address: env var DBUS_STARTER_BUS_TYPE is not set
  GDBus-debug:Address: Running `dbus-launch --autolaunch=05e508961149264c9b750a4c494aa6f7 --binary-syntax --close-stderr' to get bus address (possibly autolaunching)
  GDBus-debug:Address: dbus-launch output:
    0000: 75 6e 69 78  3a 61 62 73  74 72 61 63  74 3d 2f 74    unix:abstract=/t
    0010: 6d 70 2f 64  62 75 73 2d  77 42 41 6f  4b 59 49 52    mp/dbus-wBAoKYIR
    0020: 7a 75 2c 67  75 69 64 3d  30 34 30 64  31 33 66 33    zu,guid=040d13f3
    0030: 30 61 30 62  35 32 63 32  30 66 36 32  63 34 31 63    0a0b52c20f62c41c
    0040: 30 30 30 30  35 30 38 64  00 d2 38 00  00 01 00 40    0000508d..8....@
    0050: 05 00 00 00  00                                       .....
  GDBus-debug:Address: dbus-launch stderr output:
  14549: Autolaunch enabled (using X11).
  14549: --exit-with-session automatically enabled
  14549: Connected to X11 display ':0.0'
  14549: dbus-daemon is already running. Returning existing parameters.
  14549: dbus-launch exiting
  GDBus-debug:Address: Returning address `unix:abstract=/tmp/dbus-wBAoKYIRzu,guid=040d13f30a0b52c20f62c41c0000508d' for bus type `session'

Note that things work exactly like libdbus, e.g. from the
dbus-launch(1) man page:

  Whenever an autolaunch occurs, the application that had to start a
  new bus will be in its own little world; it can effectively end up
  starting a whole new session if it tries to use a lot of bus
  services. This can be suboptimal or even totally broken, depending
  on the app and what it tries to do.

  [...]

  You can always avoid autolaunch by manually setting
  DBUS_SESSION_BUS_ADDRESS. Autolaunch happens because the default
  address if none is set is "autolaunch:", so if any other address is
  set there will be no autolaunch. You can however include autolaunch
  in an explicit session bus address as a fallback, for example
  DBUS_SESSION_BUS_ADDRESS="something:,autolaunch:" - in that case if
  the first address doesn't work, processes will autolaunch. (The bus
  address variable contains a comma-separated list of addresses to
  try.)

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-07-06 17:03:36 -04:00
David Zeuthen
ef29644063 GDBus: Properly handle empty address strings
Changes this error

 DBUS_SESSION_BUS_ADDRESS= \
 gdbus introspect --session \
                  --dest org.freedesktop.DBus \
                  --object-path /org/freedesktop/DBus
 **
 GLib-GIO:ERROR:gdbusaddress.c:913:g_dbus_address_get_stream_sync: assertion failed: (last_error != NULL)
 Aborted (core dumped)

to

 DBUS_SESSION_BUS_ADDRESS= \
 gdbus introspect --session \
                  --dest org.freedesktop.DBus \
                  --object-path /org/freedesktop/DBus
 Error connecting: The given address is empty

which is much more preferable.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-07-06 17:03:36 -04:00
Javier Jardón
af3f4cbe77 gdbusaddress: Fix typo 2010-06-04 01:35:23 +02:00
David Zeuthen
366b3ffcde Bug 619142 – Build fixes
- Fix various #include issues

 - Change #error to #warning for the EXTERNAL authentication mechanism.
   It is not clear if this should work on Win32 at all.

 - Call close() before unlink() for the SHA1 keyring

 - Change #error to #warning so we don't forget to do
   permission checking of the .dbus-keyrings directory

 - Use Win32 SID for the SHA1 auth mech

 - Apparently we can't use word 'interface' as an identifier

 - Implement a _g_dbus_win32_get_user_sid() function. For now it's
   private. Don't know if it should be public somewhere. Maybe in
   a future GCredentials support for Win32? I don't know.

 - GFileDescriptorBased is not available on Win32. So avoid using
   it in GLocalFile stuff. Now, Win32 still uses GLocalFile + friends
   (which works with file descriptors) so expose a private function
   to get the fd for an OutputStream so things still work.

 - Fixup gio.symbols

 - Fixup tests/gdbus-peer.c so it builds

With this, at least things compile and the gdbus-peer.exe test case
passes. Which is a great start. I've tested this by cross-compiling on
a x86_64 Fedora 13 host using mingw32 and running the code on a 32-bit
Windows 7 box.

https://bugzilla.gnome.org/show_bug.cgi?id=619142

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-20 10:53:08 -04:00
Christian Persch
5bc9d43288 Plug mem leak in g_dbus_address_get_stream_sync
==6279== 21,615 (4,708 direct, 16,907 indirect) bytes in 169 blocks are
definitely lost in loss record 12 of 13
==6279==    at 0x4024D2E: malloc (vg_replace_malloc.c:207)
==6279==    by 0x4079A90: g_malloc (gmem.c:135)
==6279==    by 0x4079DC8: g_malloc_n (gmem.c:252)
==6279==    by 0x4097E66: g_strsplit (gstrfuncs.c:2434)
==6279==    by 0x42169A2: g_dbus_address_get_stream_sync
(gdbusaddress.c:875)

Bug #618622.
2010-05-15 00:12:17 +02:00
Matthias Clasen
5d1135618e Trivia 2010-05-10 08:07:07 -04:00
Matthias Clasen
0cf467c2ca Update copyright years to include 2010 2010-05-09 13:14:55 -04:00
Matthias Clasen
bb7106c5df Add some conceptual changes 2010-05-09 02:27:09 -04:00
Matthias Clasen
8315eb77d5 Some documentation tweaks
Add links to the D-Bus docs in some places, and various
other additions.
2010-05-09 01:44:11 -04:00
David Zeuthen
46ce134d51 GDBus: Add new symbols to gio.symbols 2010-05-06 17:31:51 -04:00
David Zeuthen
fb1b4599a0 GDBus: Fix up i18n 2010-05-06 16:34:23 -04:00
David Zeuthen
0fd6498cd8 Add "Since: 2.26" to all new GDBus API 2010-05-06 16:02:08 -04:00
David Zeuthen
c490c14f4e Set up gtk-doc for GDBus
Also move send_credentials() and receive_credentials() to
GUnixConnection. This code might change, discussion is still ongoing
in

 https://bugzilla.gnome.org/show_bug.cgi?id=617483.
2010-05-06 15:31:45 -04:00
David Zeuthen
d0a14469d0 Initial GDBus code-drop from GDBus-standalone repo
Things compile and the test-suite passes. Still need to hook up
gio.symbols and docs. There are still a bunch of TODOs left in the
sources that needs to be addressed.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-06 14:21:32 -04:00