Commit daf3d5c2 authored by Philip Withnall's avatar Philip Withnall Committed by Colin Walters

data: Set GIO_USE_VFS=local in the environment

There is no need for polkit to ever use GVFS to load files from
non-local sources, so it's best to avoid loading GVFS code, and to just
rely on the local implementation in GIO instead. This reduces the attack
surface of polkit.

Implemented for the daemon, pkaction, pkcheck, pkexec and pkttyagent,
because none of them need remote file access.

https://bugs.freedesktop.org/show_bug.cgi?id=95487
parent 004bd37d
......@@ -22,6 +22,7 @@
#include "config.h"
#include <signal.h>
#include <stdlib.h>
#include <glib-unix.h>
......@@ -169,6 +170,9 @@ main (int argc,
sigint_id = 0;
registration_id = NULL;
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
g_type_init ();
opt_context = g_option_context_new ("polkit system daemon");
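Review bot: The return value of `setenv ("GIO_USE_VFS", "local", 1);` is ignored in this main() hunk, so if the call fails (setenv can fail on allocation failure) the process carries on with whatever VFS selection it inherited and the hardening is silently lost. Because the purpose of the change is to reduce attack surface, a failure should be fatal: test it with `if (setenv ("GIO_USE_VFS", "local", 1) != 0)` and take the program's usual failure exit. The same unchecked call appears in the main() hunks of the four other file sections on this page. main's body starts and ends outside the hunk, so the right exit path for each program is not visible here.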
......
......@@ -24,6 +24,7 @@
#endif
#include <stdio.h>
#include <stdlib.h>
#include <glib/gi18n.h>
#include <polkit/polkit.h>
......@@ -121,6 +122,9 @@ main (int argc, char *argv[])
actions = NULL;
ret = 1;
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
g_type_init ();
opt_show_version = FALSE;
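Review bot: The comment and `setenv ("GIO_USE_VFS", "local", 1);` pair is pasted unchanged into five separate main() functions on this page, which leaves five places to keep in step if the value or the error handling ever changes. If these programs already share a private header, one small `static inline` helper called at the top of each main() would keep the policy in a single place. Whether such a header exists is not visible from these hunks, so treat this as a style suggestion to check against the tree.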
......
......@@ -24,6 +24,7 @@
#endif
#include <stdio.h>
#include <stdlib.h>
#include <glib/gi18n.h>
#include <polkit/polkit.h>
#define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
......@@ -362,6 +363,9 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
g_type_init ();
details = polkit_details_new ();
......
......@@ -503,6 +503,9 @@ main (int argc, char *argv[])
opt_user = NULL;
local_agent_handle = NULL;
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
/* check for correct invocation */
if (geteuid () != 0)
{
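Review bot: The comment above `setenv ("GIO_USE_VFS", "local", 1);` leaves out the two things that make the call effective in this file: it must run before anything initialises GIO, and the third argument `1` is what replaces a value already present in the inherited environment. The `geteuid () != 0` check just below suggests this program runs with an effective uid that differs from its caller's, so the environment should be treated as caller-supplied and the overwrite is the important part. I would expand the comment to `/* Force GIO's local VFS before any GIO call; overwrite=1 replaces any value inherited from the caller. */`. If this is pkexec, as the commit message implies, it is also worth confirming whether the variable is meant to reach the launched program's environment, which this hunk does not show. main's body continues outside the hunk.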
......
......@@ -24,6 +24,7 @@
#endif
#include <stdio.h>
#include <stdlib.h>
#include <glib/gi18n.h>
#include <polkit/polkit.h>
#define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
......@@ -74,6 +75,9 @@ main (int argc, char *argv[])
guint ret = 126;
GVariantBuilder builder;
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
g_type_init ();
error = NULL;
......