[glib/wip/gdbus-even-when-setcap: 3/3] gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not setuid

From: Simon McVittie <smcv src gnome org>
To: commits-list gnome org
Cc:
Subject: [glib/wip/gdbus-even-when-setcap: 3/3] gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not setuid
Date: Tue, 2 Feb 2021 20:53:57 +0000 (UTC)


commit 7aa0580cc559148e0f4646461a42102bd98228b6
Author: Simon McVittie <smcv collabora com>
Date:   Tue Feb 2 20:52:03 2021 +0000

    gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not setuid
    
    This is against my better judgement, but it's the least bad regression
    fix I can think of. If we don't do this, at least gnome-keyring-daemon
    (setcap) and msmtp (setgid) are known to regress.
    
    Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2305
    Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420
    Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981555
    Signed-off-by: Simon McVittie <smcv collabora com>

 gio/gdbusaddress.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
---
diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
index 5dcbf9523..a341023df 100644
--- a/gio/gdbusaddress.c
+++ b/gio/gdbusaddress.c
@@ -1343,9 +1343,31 @@ g_dbus_address_get_for_bus_sync (GBusType       bus_type,
 
     case G_BUS_TYPE_SESSION:
       if (has_elevated_privileges)
-        ret = NULL;
+        {
+#ifdef G_OS_UNIX
+          if (geteuid () == getuid ())
+            {
+              /* Ideally we shouldn't do this, because setgid and
+               * filesystem capabilities are also elevated privileges
+               * with which we should not be trusting environment variables
+               * from the caller. Unfortunately, there are programs with
+               * elevated privileges that rely on the session bus being
+               * available. We already prevent the really dangerous
+               * transports like autolaunch: and unixexec: when our
+               * privileges are elevated, so this can only make us connect
+               * to the wrong AF_UNIX or TCP socket. */
+              ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+            }
+          else
+#endif
+            {
+              ret = NULL;
+            }
+        }
       else
-        ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+        {
+          ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
+        }
 
       if (ret == NULL)
         {

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]