Some programs attempt to use libglib (or even libgio) when setuid.
For a long time, GTK+ simply aborted if launched in this
configuration, but we never had a real policy for GLib.
I'm not sure whether we should advertise such support. However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.
Better to fix a problem caused by an interaction between two
components in *both* places if possible.
This patch adds a private function g_check_setuid() which is used to
first ensure we don't run an external dbus-launch binary if
DBUS_SESSION_BUS_ADDRESS isn't set.
Second, we also ensure the local VFS is used in this case. The
gdaemonvfs extension point will end up talking to the session bus
which is typically undesirable in a setuid context.
Implementing g_check_setuid() is interesting - whether or not we're
running in a privilege-escalated path is operating system specific.
Note that GTK+'s code to check euid versus uid worked historically on
Unix, more modern systems have filesystem capabilities and SELinux
domain transitions, neither of which are captured by the uid
comparison.
On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup. If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use. Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1
So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.
On some BSD variants, there is a issetugid() function. On other Unix
variants, we fall back to what GTK+ has been doing.
Reported-By: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Colin Walters <walters@verbum.org>
Add _g_io_module_get_default(), which implements the
figure-out-the-best-available-module-that-is-actually-usable logic,
and use that to simplify g_proxy_resolver_get_default(),
g_settings_backend_get_default(), g_tls_backend_get_default(), and
g_vfs_get_default().
https://bugzilla.gnome.org/show_bug.cgi?id=620932
2008-01-29 Alexander Larsson <alexl@redhat.com>
* gfile.[ch]:
Add g_file_query_default_handler utility to easily look up
the GAppInfo that handles a file.
* gdesktopappinfo.[ch]:
* giomodule.c:
Set up an extension point for g_app_info_get_default_for_uri_scheme()
* gvfs.c:
Remove unused function
svn path=/trunk/; revision=6409
2007-12-19 Alexander Larsson <alexl@redhat.com>
* giomodule.c:
Make g_io_modules_load_all_in_directory not unuse
loaded modules so that users of it can do stuff
before unloading.
Init internal "module" types.
Initialize static prio and name for types so that
we don't have to load modules to get it.
* gnativevolumemonitor.h:
* gvolumemonitor.h:
Move is_supported to parent class so that
non-native monitors can avoid being initialized
too. (For instance GDaemonVolumeMonitor if we're
not using GDaemonVfs.)
* glocaldirectorymonitor.[ch]:
* glocalfilemonitor.[ch]:
* gunionvolumemonitor.c:
* gunixvolumemonitor.c:
* gvfs.c:
Find plugins using the static prio+name to
avoid unnecessarily loading the modules.
svn path=/trunk/; revision=6159
2007-12-05 Alexander Larsson <alexl@redhat.com>
* gdatainputstream.c:
Fix warnings
* gio.symbols:
* giomodule.[ch]
* glocaldirectorymonitor.c:
* glocalfilemonitor.c:
* gunionvolumemonitor.c:
* gvfs.c:
Make g_io_modules_ensure_loaded a private function and
don't pass in the dirname. This means we can do magic
directory finding in the win32 version.
Export the actual load-modules-in-directory code so that
gvfs can reuse that.
svn path=/trunk/; revision=6050
of the public files. Fixes broken function documentation prototypes.
Fixes GCancellable inaccuracies. Removes unnecessary incomplete
gtk-doc headers in private files.
svn path=/trunk/; revision=5953
2007-11-26 Alexander Larsson <alexl@redhat.com>
* Makefile.am:
* configure.in:
* gio-2.0-uninstalled.pc.in:
* gio-2.0.pc.in:
* gio-unix-2.0-uninstalled.pc.in:
* gio-unix-2.0.pc.in:
* gio/
* docs/reference/gio
Merged gio-standalone into glib.
* glib/glibintl.h:
* glib/gutils.c:
Export glib_gettext so that gio can use it
Add P_ (using same domain for now)
Add I_ as g_intern_static_string
svn path=/trunk/; revision=5941
