8
8
GIO is striving to provide a modern, easy-to-use VFS API that sits
9
at the right level in the library stack. The goal is to overcome the
10
shortcomings of GnomeVFS and provide an API that is so good that
11
developers prefer it over raw POSIX calls. Among other things
12
that means using GObject. It also means not cloning the POSIX
13
API, but providing higher-level, document-centric interfaces.
9
at the right level in the library stack, as well as other generally
10
useful APIs for desktop applications (such as networking and
11
D-Bus support). The goal is to overcome the shortcomings of GnomeVFS
12
and provide an API that is so good that developers prefer it over raw
13
POSIX calls. Among other things that means using GObject. It also means
14
not cloning the POSIX API, but providing higher-level, document-centric
174
<title>Writing GIO applications</title>
177
The information in the GLib <ulink url="http://developer.gnome.org/glib/stable/glib-programming.html">documentation</ulink> about writing GLib
178
applications is generally applicable when writing GIO applications.
181
<simplesect><title>Threads</title>
184
GDBus has its own private worker thread, so applications using
185
GDBus have at least 3 threads. GIO makes heavy use of the concept
186
of a <link linkend="g-main-context-push-thread-default">thread-default
187
main context</link> to execute callbacks of asynchronous
188
methods in the same context in which the operation was started.
193
<simplesect><title>Security</title>
196
When your program needs to carry out some privileged operation (say,
197
create a new user account), there are various ways in which you can go
201
Implement a daemon that offers the privileged operation. A convenient
202
way to do this is as a D-Bus system-bus service. The daemon will probably
203
need ways to check the identity and authorization of the caller before
204
executing the operation. <ulink url="http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html">polkit</ulink> is a framework that allows this.
207
Use a small helper that is executed with elevated privileges via
208
pkexec. <ulink url="http://www.freedesktop.org/software/polkit/docs/latest/pkexec.1.html">pkexec</ulink> is a small program launcher that is part of polkit.
211
Use a small helper that is executed with elevated privileges by
215
None of these approaches is the clear winner, they all have their
216
advantages and disadvantages.
220
When writing code that runs with elevated privileges, it is important
221
to follow some basic rules of secure programming. David Wheeler has an
222
excellent book on this topic,
223
<ulink url="http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html">Secure Programming for Linux and Unix HOWTO</ulink>.
227
When using GIO in code that runs with elevated privileges, you have to
228
be careful. GIO has extension points whose implementations get loaded
229
from modules (executable code in shared objects), which could allow
230
an attacker to sneak his own code into your application by tricking it
231
into loading the code as a module. However, GIO will never load modules
232
from your home directory except when explictly asked to do so via an
233
environment variable.
237
In most cases, your helper program should be so small that you don't
238
need GIO, whose APIs are largely designed to support full-blown desktop
239
applications. If you can't resist the convenience of these APIs, here
240
are some steps you should take:
243
Clear the environment, e.g. using the <function>clearenv()</function>
245
David Wheeler has a good <ulink url="http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html">explanation</ulink> for why it is
246
important to sanitize the environment.
247
See <xref linkend="running-gio-apps"/>
248
for a list of all environment variables affecting GIO. In particular,
249
<envar>PATH</envar> (used to locate binaries), <envar>GIO_EXTRA_MODULES</envar> (used to locate loadable modules) and <envar>DBUS_{SYSTEM,SESSION}_BUS_ADDRESS</envar> (used to locate the D-Bus system and session bus) are important.
252
Don't use GVfs, by setting <envar>GIO_USE_VFS=local</envar> in the environment.
253
The reason to avoid GVfs in security-sensitive programs is that it uses
254
many libraries which have not necessarily been audited for security problems.
255
Gvfs is also heavily distributed and relies on a session bus to be present.
172
265
<title>Compiling GIO applications</title>