mirror of
https://gitlab.gnome.org/GNOME/glib.git
synced 2024-09-20 01:06:15 +02:00
d6cbb29f59
Some programs attempt to use libglib (or even libgio) when setuid. For a long time, GTK+ simply aborted if launched in this configuration, but we never had a real policy for GLib. I'm not sure whether we should advertise such support. However, given that there are real-world programs that do this currently, we can make them safer with not too much effort. Better to fix a problem caused by an interaction between two components in *both* places if possible. This patch adds a private function g_check_setuid() which is used to first ensure we don't run an external dbus-launch binary if DBUS_SESSION_BUS_ADDRESS isn't set. Second, we also ensure the local VFS is used in this case. The gdaemonvfs extension point will end up talking to the session bus which is typically undesirable in a setuid context. Implementing g_check_setuid() is interesting - whether or not we're running in a privilege-escalated path is operating system specific. Note that GTK+'s code to check euid versus uid worked historically on Unix, more modern systems have filesystem capabilities and SELinux domain transitions, neither of which are captured by the uid comparison. On Linux/glibc, the way this works is that the kernel sets an AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on startup. If found, then glibc sets a public-but-undocumented __libc_enable_secure variable which we can use. Unfortunately, while it *previously* worked to check this variable, a combination of newer binutils and RPM break it: http://www.openwall.com/lists/owl-dev/2012/08/14/1 So for now on Linux/glibc, we fall back to the historical Unix version until we get glibc fixed. On some BSD variants, there is a issetugid() function. On other Unix variants, we fall back to what GTK+ has been doing. Reported-By: Sebastian Krahmer <krahmer@suse.de> Signed-off-by: Colin Walters <walters@verbum.org>
221 lines
5.0 KiB
C
221 lines
5.0 KiB
C
/* GIO - GLib Input, Output and Streaming Library
|
|
*
|
|
* Copyright (C) 2006-2007 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General
|
|
* Public License along with this library; if not, write to the
|
|
* Free Software Foundation, Inc., 59 Temple Place, Suite 330,
|
|
* Boston, MA 02111-1307, USA.
|
|
*
|
|
* Author: Alexander Larsson <alexl@redhat.com>
|
|
*/
|
|
|
|
#include "config.h"
|
|
#include <string.h>
|
|
#include "gvfs.h"
|
|
#include "glib-private.h"
|
|
#include "glocalvfs.h"
|
|
#include "gresourcefile.h"
|
|
#include "giomodule-priv.h"
|
|
#include "glibintl.h"
|
|
|
|
|
|
/**
|
|
* SECTION:gvfs
|
|
* @short_description: Virtual File System
|
|
* @include: gio/gio.h
|
|
*
|
|
* Entry point for using GIO functionality.
|
|
*
|
|
*/
|
|
|
|
G_DEFINE_TYPE (GVfs, g_vfs, G_TYPE_OBJECT);
|
|
|
|
static void
|
|
g_vfs_class_init (GVfsClass *klass)
|
|
{
|
|
}
|
|
|
|
static void
|
|
g_vfs_init (GVfs *vfs)
|
|
{
|
|
}
|
|
|
|
/**
|
|
* g_vfs_is_active:
|
|
* @vfs: a #GVfs.
|
|
*
|
|
* Checks if the VFS is active.
|
|
*
|
|
* Returns: %TRUE if construction of the @vfs was successful
|
|
* and it is now active.
|
|
*/
|
|
gboolean
|
|
g_vfs_is_active (GVfs *vfs)
|
|
{
|
|
GVfsClass *class;
|
|
|
|
g_return_val_if_fail (G_IS_VFS (vfs), FALSE);
|
|
|
|
class = G_VFS_GET_CLASS (vfs);
|
|
|
|
return (* class->is_active) (vfs);
|
|
}
|
|
|
|
|
|
/**
|
|
* g_vfs_get_file_for_path:
|
|
* @vfs: a #GVfs.
|
|
* @path: a string containing a VFS path.
|
|
*
|
|
* Gets a #GFile for @path.
|
|
*
|
|
* Returns: (transfer full): a #GFile.
|
|
* Free the returned object with g_object_unref().
|
|
*/
|
|
GFile *
|
|
g_vfs_get_file_for_path (GVfs *vfs,
|
|
const char *path)
|
|
{
|
|
GVfsClass *class;
|
|
|
|
g_return_val_if_fail (G_IS_VFS (vfs), NULL);
|
|
g_return_val_if_fail (path != NULL, NULL);
|
|
|
|
class = G_VFS_GET_CLASS (vfs);
|
|
|
|
return (* class->get_file_for_path) (vfs, path);
|
|
}
|
|
|
|
/**
|
|
* g_vfs_get_file_for_uri:
|
|
* @vfs: a#GVfs.
|
|
* @uri: a string containing a URI
|
|
*
|
|
* Gets a #GFile for @uri.
|
|
*
|
|
* This operation never fails, but the returned object
|
|
* might not support any I/O operation if the URI
|
|
* is malformed or if the URI scheme is not supported.
|
|
*
|
|
* Returns: (transfer full): a #GFile.
|
|
* Free the returned object with g_object_unref().
|
|
*/
|
|
GFile *
|
|
g_vfs_get_file_for_uri (GVfs *vfs,
|
|
const char *uri)
|
|
{
|
|
GVfsClass *class;
|
|
|
|
g_return_val_if_fail (G_IS_VFS (vfs), NULL);
|
|
g_return_val_if_fail (uri != NULL, NULL);
|
|
|
|
class = G_VFS_GET_CLASS (vfs);
|
|
|
|
/* This is an unfortunate placement, but we really
|
|
* need to check this before chaining to the vfs,
|
|
* because we want to support resource uris for
|
|
* all vfs:es, even those that predate resources.
|
|
*/
|
|
if (g_str_has_prefix (uri, "resource:"))
|
|
return _g_resource_file_new (uri);
|
|
|
|
return (* class->get_file_for_uri) (vfs, uri);
|
|
}
|
|
|
|
/**
|
|
* g_vfs_get_supported_uri_schemes:
|
|
* @vfs: a #GVfs.
|
|
*
|
|
* Gets a list of URI schemes supported by @vfs.
|
|
*
|
|
* Returns: (transfer none): a %NULL-terminated array of strings.
|
|
* The returned array belongs to GIO and must
|
|
* not be freed or modified.
|
|
*/
|
|
const gchar * const *
|
|
g_vfs_get_supported_uri_schemes (GVfs *vfs)
|
|
{
|
|
GVfsClass *class;
|
|
|
|
g_return_val_if_fail (G_IS_VFS (vfs), NULL);
|
|
|
|
class = G_VFS_GET_CLASS (vfs);
|
|
|
|
return (* class->get_supported_uri_schemes) (vfs);
|
|
}
|
|
|
|
/**
|
|
* g_vfs_parse_name:
|
|
* @vfs: a #GVfs.
|
|
* @parse_name: a string to be parsed by the VFS module.
|
|
*
|
|
* This operation never fails, but the returned object might
|
|
* not support any I/O operations if the @parse_name cannot
|
|
* be parsed by the #GVfs module.
|
|
*
|
|
* Returns: (transfer full): a #GFile for the given @parse_name.
|
|
* Free the returned object with g_object_unref().
|
|
*/
|
|
GFile *
|
|
g_vfs_parse_name (GVfs *vfs,
|
|
const char *parse_name)
|
|
{
|
|
GVfsClass *class;
|
|
|
|
g_return_val_if_fail (G_IS_VFS (vfs), NULL);
|
|
g_return_val_if_fail (parse_name != NULL, NULL);
|
|
|
|
class = G_VFS_GET_CLASS (vfs);
|
|
|
|
if (g_str_has_prefix (parse_name, "resource:"))
|
|
return _g_resource_file_new (parse_name);
|
|
|
|
return (* class->parse_name) (vfs, parse_name);
|
|
}
|
|
|
|
/**
|
|
* g_vfs_get_default:
|
|
*
|
|
* Gets the default #GVfs for the system.
|
|
*
|
|
* Returns: (transfer none): a #GVfs.
|
|
*/
|
|
GVfs *
|
|
g_vfs_get_default (void)
|
|
{
|
|
if (GLIB_PRIVATE_CALL (g_check_setuid) ())
|
|
return g_vfs_get_local ();
|
|
return _g_io_module_get_default (G_VFS_EXTENSION_POINT_NAME,
|
|
"GIO_USE_VFS",
|
|
(GIOModuleVerifyFunc)g_vfs_is_active);
|
|
}
|
|
|
|
/**
|
|
* g_vfs_get_local:
|
|
*
|
|
* Gets the local #GVfs for the system.
|
|
*
|
|
* Returns: (transfer none): a #GVfs.
|
|
*/
|
|
GVfs *
|
|
g_vfs_get_local (void)
|
|
{
|
|
static gsize vfs = 0;
|
|
|
|
if (g_once_init_enter (&vfs))
|
|
g_once_init_leave (&vfs, (gsize)_g_local_vfs_new ());
|
|
|
|
return G_VFS (vfs);
|
|
}
|