diff options
author | Colin Walters <walters@verbum.org> | 2012-09-27 21:29:29 -0400 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2012-09-28 12:55:38 -0400 |
commit | 1a556443757b19fee67ef4441141246dd9cfed4f (patch) | |
tree | af90dceb70598adb855c2dbf693f9e711b9ccccc | |
parent | a52319bc294d05445fd8aa8f4a7f759c34558b5d (diff) | |
download | dbus-1a556443757b19fee67ef4441141246dd9cfed4f.tar.gz |
hardening: Use __secure_getenv if available
This helps us in the case where we were executed via filesystem
capabilities or a SELinux domain transition, not necessarily a plain
old setuid binary.
https://bugs.freedesktop.org/show_bug.cgi?id=52202
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | dbus/dbus-sysdeps.c | 6 |
2 files changed, 7 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac index df909856..4eb530ae 100644 --- a/configure.ac +++ b/configure.ac @@ -596,7 +596,7 @@ AC_DEFINE_UNQUOTED([DBUS_USE_SYNC], [$have_sync], [Use the gcc __sync extension] AC_SEARCH_LIBS(socket,[socket network]) AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)]) -AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid) +AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid secure_getenv __secure_getenv ) AC_CHECK_HEADERS([syslog.h]) if test "x$ac_cv_header_syslog_h" = "xyes"; then diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c index 04fb8d76..976c7e4b 100644 --- a/dbus/dbus-sysdeps.c +++ b/dbus/dbus-sysdeps.c @@ -182,12 +182,18 @@ _dbus_setenv (const char *varname, const char* _dbus_getenv (const char *varname) { +#if defined(HAVE_SECURE_GETENV) + return secure_getenv (varname); +#elif defined(HAVE___SECURE_GETENV) + return __secure_getenv (varname); +#else /* Don't respect any environment variables if the current process is * setuid. This is the equivalent of glibc's __secure_getenv(). */ if (_dbus_check_setuid ()) return NULL; return getenv (varname); +#endif } /** |