security fix

author: netblue30 <netblue30@yahoo.com> 2017-01-04 11:59:46 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-01-04 11:59:46 -0500
commit: 60d4b478f65c60bcc825bb56f85fd6c4fd48b250 (patch)
tree: aa5f77b330912256340de9b673de0122b392579a
parent: install the content of contrib section /usr/lib/firejail directory (diff)
download: firejail-60d4b478f65c60bcc825bb56f85fd6c4fd48b250.tar.gz
firejail-60d4b478f65c60bcc825bb56f85fd6c4fd48b250.tar.zst
firejail-60d4b478f65c60bcc825bb56f85fd6c4fd48b250.zip
3 files changed, 30 insertions, 0 deletions
diff --git a/RELNOTES b/RELNOTES
index 645d158b7..08444bc0a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low
  * security: split most of networking code in a separate executable
  * security: split seccomp filter code configuration in a separate executable
  * security: split file copying in private option in a separate executable
+  * security: root exploit found by Sebastian Krahmer
  * feature: disable gnupg and systemd directories under /run/user
  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
  * feature: AppImage type 2 support
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0872bf0d0..f5e545bf3 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -167,6 +167,13 @@ static void copy_xauthority(void) {
        char *dest;
        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
+        
+        // if destination is a symbolic link, exit the sandbox!!!
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+                exit(1);
+        }
        // copy, set permissions and ownership
        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
        if (rv)
@@ -185,6 +192,13 @@ static void copy_asoundrc(void) {
        char *dest;
        if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
                errExit("asprintf");
+        
+        // if destination is a symbolic link, exit the sandbox!!!
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+                exit(1);
+        }
        // copy, set permissions and ownership
        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
        if (rv)
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index f890dd534..b3a22bad9 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -133,7 +133,15 @@ void pulseaudio_init(void) {
                                {;} // do nothing
                }
        }
+        else {
+                // make sure the directory is owned by the user
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+                        exit(1);
+                }
+        }
        free(dir1);
+        
        if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(dir1, &s) == -1) {
@@ -144,6 +152,13 @@ void pulseaudio_init(void) {
                                {;} // do nothing
                }
        }
+        else {
+                // make sure the directory is owned by the user
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+                        exit(1);
+                }
+        }
        free(dir1);
author	netblue30 <netblue30@yahoo.com>	2017-01-04 11:59:46 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-01-04 11:59:46 -0500
commit	60d4b478f65c60bcc825bb56f85fd6c4fd48b250 (patch)
tree	aa5f77b330912256340de9b673de0122b392579a
parent	install the content of contrib section /usr/lib/firejail directory (diff)
download	firejail-60d4b478f65c60bcc825bb56f85fd6c4fd48b250.tar.gz firejail-60d4b478f65c60bcc825bb56f85fd6c4fd48b250.tar.zst firejail-60d4b478f65c60bcc825bb56f85fd6c4fd48b250.zip