The information in the GLib documentation about writing GLib applications is generally applicable when writing GIO applications.
GDBus has its own private worker thread, so applications using
GDBus have at least 3 threads. GIO makes heavy use of the concept
of a
When your program needs to carry out some privileged operation (say, create a new user account), there are various ways in which you can go about this:
Implement a daemon that offers the privileged operation. A convenient way to do this is as a D-Bus system-bus service. The daemon will probably need ways to check the identity and authorization of the caller before executing the operation. polkit is a framework that allows this.
Use a small helper that is executed with elevated privileges via pkexec. pkexec is a small program launcher that is part of polkit.
Use a small helper that is executed with elevated privileges by being suid root.
None of these approaches is the clear winner, they all have their advantages and disadvantages.
When writing code that runs with elevated privileges, it is important to follow some basic rules of secure programming. David Wheeler has an excellent book on this topic, Secure Programming for Linux and Unix HOWTO.
When using GIO in code that runs with elevated privileges, you have to be careful. GIO has extension points whose implementations get loaded from modules (executable code in shared objects), which could allow an attacker to sneak his own code into your application by tricking it into loading the code as a module. However, GIO will never load modules from your home directory except when explictly asked to do so via an environment variable.
In most cases, your helper program should be so small that you don't need GIO, whose APIs are largely designed to support full-blown desktop applications. If you can't resist the convenience of these APIs, here are some steps you should take:
Clear the environment, e.g. using the
function.
David Wheeler has a good explanation for why it is
important to sanitize the environment.
See Running GIO applications
for a list of all environment variables affecting GIO. In particular,
clearenv()
PATH
(used to locate binaries), GIO_EXTRA_MODULES
(used to locate loadable modules) and DBUS_{SYSTEM,SESSION}_BUS_ADDRESS
(used to locate the D-Bus system and session bus) are important.
Don't use GVfs, by setting GIO_USE_VFS=local
in the environment.
The reason to avoid GVfs in security-sensitive programs is that it uses
many libraries which have not necessarily been audited for security problems.
Gvfs is also heavily distributed and relies on a session bus to be present.