hardening: Use __secure_getenv() in *addition* to _dbus_check_setuid()

This is a further security measure for the case of Linux/glibc
when we're linked into a binary that's using filesystem capabilities
or SELinux domain transitions (i.e. not plain old setuid).

In this case, _dbus_getenv () will return NULL because it will
use __secure_getenv(), which handles those via AT_SECURE.

https://bugs.freedesktop.org/show_bug.cgi?id=52202

2 files changed, 12 insertions, 0 deletions

diff --git a/dbus/dbus-keyring.c b/dbus/dbus-keyring.c
index 3b9ce315..2516bc34 100644
--- a/dbus/dbus-keyring.c
+++ b/dbus/dbus-keyring.c
@@ -718,6 +718,12 @@ _dbus_keyring_new_for_credentials (DBusCredentials  *credentials,
   
   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
 
+  if (_dbus_getenv ("HOME") == NULL)
+    {
+      dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+                            "Unable to create DBus keyring with no $HOME");
+      return FALSE;
+    }
   if (_dbus_check_setuid ())
     {
       dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index b4ecc96e..6fa5bcb6 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -3434,6 +3434,12 @@ _dbus_get_autolaunch_address (const char *scope,
   DBusString uuid;
   dbus_bool_t retval;
 
+  if (_dbus_getenv ("PATH") == NULL)
+    {
+      dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+                            "Unable to autolaunch when PATH is unset");
+      return FALSE;
+    }
   if (_dbus_check_setuid ())
     {
       dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,