On Mon, 01 Feb 2021 at 19:19:41 -0500, Charles Malaheenee wrote:
> But I'm asking myself - is it only gnome-keyring affected or this
> "security hardening" could break other GNOME/MATE parts?

The security hardening change affects programs that are linked to GLib,
and are either setuid or have elevated filesystem capabilities
(setcap(8)), which is rare. I suspect the only ones are likely to be
gnome-keyring and pkexec.

pkexec already does not trust environment variables, so the change is
not a regression for it.

gnome-keyring *does* trust (some) environment variables, so the change
*is* a regression (at least for dbus-x11 users) - but it arguably
*shouldn't* be trusting environment variables, because having elevated
privileges is not consistent with that.

The next thing I need to do is look into whether the regression should
be fixed by making libglib2.0-0 less careful, or by making gnome-keyring
behave differently.

    smcv
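The condition described in the message above (setuid, or elevated filesystem capabilities) can be checked from inside a process, as in this added example, which is not part of the original e-mail and is not GLib's or gnome-keyring's code. It assumes Linux with glibc; `env_if_trusted` and `EXAMPLE_SERVICE_ADDRESS` are hypothetical names.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Nonzero when the process gained privileges at exec time. The Linux kernel
 * sets AT_SECURE for setuid/setgid binaries and for binaries that gain
 * capabilities from file capabilities (setcap(8)); the uid/gid comparison
 * is a fallback that covers the setuid/setgid case only. */
int running_elevated(void)
{
    if (getauxval(AT_SECURE) != 0)
        return 1;
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: return the variable only when the caller-supplied
 * environment can be trusted, i.e. when the process is not elevated. */
const char *env_if_trusted(const char *name, int elevated)
{
    return elevated ? NULL : getenv(name);
}

int main(void)
{
    /* EXAMPLE_SERVICE_ADDRESS is a constructed name, not a real variable. */
    const char *name = "EXAMPLE_SERVICE_ADDRESS";
    int elevated = running_elevated();
    const char *value = env_if_trusted(name, elevated);

    printf("elevated=%d %s=%s\n", elevated, name,
           value ? value : "(ignored or unset)");
    return 0;
}
```

glibc's `secure_getenv(3)` applies the same rule in a single call: it returns NULL whenever the process is in secure-execution mode.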