diff options
author | Colin Walters <walters@verbum.org> | 2012-09-27 21:29:29 -0400 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2012-09-28 10:18:15 -0400 |
commit | d839f027ed2cf320ac8b762ea93ba8af74ef50c6 (patch) | |
tree | 3fc660dcc2e5739872a157ff351059281571a92d | |
parent | 23fe78ceefb6cefcd58a49c77d1154b68478c8d2 (diff) | |
download | dbus-d839f027ed2cf320ac8b762ea93ba8af74ef50c6.tar.gz |
hardening: Use __secure_getenv if available
This helps us in the case where we were executed via filesystem
capabilities or a SELinux domain transition, not necessarily a plain
old setuid binary.
https://bugs.freedesktop.org/show_bug.cgi?id=52202
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | dbus/dbus-sysdeps.c | 6 |
2 files changed, 7 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac index b0f2ec20..4fdf82bc 100644 --- a/configure.ac +++ b/configure.ac @@ -595,7 +595,7 @@ AC_DEFINE_UNQUOTED([DBUS_USE_SYNC], [$have_sync], [Use the gcc __sync extension] AC_SEARCH_LIBS(socket,[socket network]) AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)]) -AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid) +AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid secure_getenv __secure_getenv ) AC_CHECK_HEADERS([syslog.h]) if test "x$ac_cv_header_syslog_h" = "xyes"; then diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c index 04fb8d76..976c7e4b 100644 --- a/dbus/dbus-sysdeps.c +++ b/dbus/dbus-sysdeps.c @@ -182,12 +182,18 @@ _dbus_setenv (const char *varname, const char* _dbus_getenv (const char *varname) { +#if defined(HAVE_SECURE_GETENV) + return secure_getenv (varname); +#elif defined(HAVE___SECURE_GETENV) + return __secure_getenv (varname); +#else /* Don't respect any environment variables if the current process is * setuid. This is the equivalent of glibc's __secure_getenv(). */ if (_dbus_check_setuid ()) return NULL; return getenv (varname); +#endif } /** |