diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-04-06 19:47:39 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-04-06 19:47:39 -0400 |
| commit | d2cc6774b3316a2cebc3ab19e2eed756ea217e03 (patch) | |
| tree | 77fe98f771c89d3b91bf9cf2ac36b41f717d1192 | |
| parent | grsecurity fixes (diff) | |
| download | firejail-d2cc6774b3316a2cebc3ab19e2eed756ea217e03.tar.gz firejail-d2cc6774b3316a2cebc3ab19e2eed756ea217e03.tar.zst firejail-d2cc6774b3316a2cebc3ab19e2eed756ea217e03.zip | |
ssh/scp/sftp fixes
| -rw-r--r-- | etc/login.users | 2 | ||||
| -rw-r--r-- | src/firejail/main.c | 16 | ||||
| -rw-r--r-- | src/firejail/restricted_shell.c | 15 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 7 | ||||
| -rw-r--r-- | src/man/firejail-login.txt | 2 |
5 files changed, 34 insertions, 8 deletions
diff --git a/etc/login.users b/etc/login.users index 5d5969091..bc6ac4b09 100644 --- a/etc/login.users +++ b/etc/login.users | |||
| @@ -7,7 +7,7 @@ | |||
| 7 | # | 7 | # |
| 8 | # For example: | 8 | # For example: |
| 9 | # | 9 | # |
| 10 | # netblue:--debug --net=none | 10 | # netblue:--net=none --protocol=unix |
| 11 | # | 11 | # |
| 12 | # The extra arguments are inserted into program command line if firejail | 12 | # The extra arguments are inserted into program command line if firejail |
| 13 | # was started as a login shell. | 13 | # was started as a login shell. |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 166ca1b89..9df4653cd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -787,8 +787,10 @@ int main(int argc, char **argv) { | |||
| 787 | char *comm = pid_proc_comm(ppid); | 787 | char *comm = pid_proc_comm(ppid); |
| 788 | EUID_USER(); | 788 | EUID_USER(); |
| 789 | if (comm) { | 789 | if (comm) { |
| 790 | if (strcmp(comm, "sshd") == 0) | 790 | if (strcmp(comm, "sshd") == 0) { |
| 791 | arg_quiet = 1; | ||
| 791 | parent_sshd = 1; | 792 | parent_sshd = 1; |
| 793 | } | ||
| 792 | free(comm); | 794 | free(comm); |
| 793 | } | 795 | } |
| 794 | } | 796 | } |
| @@ -817,9 +819,11 @@ int main(int argc, char **argv) { | |||
| 817 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized | 819 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized |
| 818 | 820 | ||
| 819 | if (strcmp(argv[i], "--debug") == 0) { | 821 | if (strcmp(argv[i], "--debug") == 0) { |
| 820 | arg_debug = 1; | 822 | if (!arg_quiet) { |
| 821 | if (option_force) | 823 | arg_debug = 1; |
| 822 | printf("Entering sandbox-in-sandbox mode\n"); | 824 | if (option_force) |
| 825 | printf("Entering sandbox-in-sandbox mode\n"); | ||
| 826 | } | ||
| 823 | } | 827 | } |
| 824 | else if (strcmp(argv[i], "--debug-check-filename") == 0) | 828 | else if (strcmp(argv[i], "--debug-check-filename") == 0) |
| 825 | arg_debug_check_filename = 1; | 829 | arg_debug_check_filename = 1; |
| @@ -827,8 +831,10 @@ int main(int argc, char **argv) { | |||
| 827 | arg_debug_blacklists = 1; | 831 | arg_debug_blacklists = 1; |
| 828 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | 832 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
| 829 | arg_debug_whitelists = 1; | 833 | arg_debug_whitelists = 1; |
| 830 | else if (strcmp(argv[i], "--quiet") == 0) | 834 | else if (strcmp(argv[i], "--quiet") == 0) { |
| 831 | arg_quiet = 1; | 835 | arg_quiet = 1; |
| 836 | arg_debug = 0; | ||
| 837 | } | ||
| 832 | else if (strcmp(argv[i], "--force") == 0) | 838 | else if (strcmp(argv[i], "--force") == 0) |
| 833 | ; | 839 | ; |
| 834 | 840 | ||
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index da4e9d332..ee6e94957 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
| @@ -61,7 +61,20 @@ int restricted_shell(const char *user) { | |||
| 61 | ptr = strchr(args, '\n'); | 61 | ptr = strchr(args, '\n'); |
| 62 | if (ptr) | 62 | if (ptr) |
| 63 | *ptr = '\0'; | 63 | *ptr = '\0'; |
| 64 | 64 | ||
| 65 | // if nothing follows, continue | ||
| 66 | char *ptr2 = args; | ||
| 67 | int found = 0; | ||
| 68 | while (*ptr2 != '\0') { | ||
| 69 | if (*ptr2 != ' ' && *ptr2 != '\t') { | ||
| 70 | found = 1; | ||
| 71 | break; | ||
| 72 | } | ||
| 73 | } | ||
| 74 | if (!found) | ||
| 75 | continue; | ||
| 76 | |||
| 77 | // process user | ||
| 65 | if (strcmp(user, usr) == 0) { | 78 | if (strcmp(user, usr) == 0) { |
| 66 | restricted_user = strdup(user); | 79 | restricted_user = strdup(user); |
| 67 | // extract program arguments | 80 | // extract program arguments |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ccddeb888..d148c1f40 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -131,9 +131,16 @@ static void chk_chroot(void) { | |||
| 131 | } | 131 | } |
| 132 | 132 | ||
| 133 | static int monitor_application(pid_t app_pid) { | 133 | static int monitor_application(pid_t app_pid) { |
| 134 | |||
| 135 | |||
| 134 | int status; | 136 | int status; |
| 135 | while (app_pid) { | 137 | while (app_pid) { |
| 136 | usleep(20000); | 138 | usleep(20000); |
| 139 | char *msg; | ||
| 140 | if (asprintf(&msg, "monitoring pid %d\n", app_pid) == -1) | ||
| 141 | errExit("asprintf"); | ||
| 142 | logmsg(msg); | ||
| 143 | free(msg); | ||
| 137 | 144 | ||
| 138 | pid_t rv; | 145 | pid_t rv; |
| 139 | do { | 146 | do { |
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 2825ca4cf..6cd9ce3cb 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
| @@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo | |||
| 11 | 11 | ||
| 12 | Example: | 12 | Example: |
| 13 | 13 | ||
| 14 | netblue:--debug --net=none | 14 | netblue:--net=none --protocol=unix |
| 15 | 15 | ||
| 16 | .SH RESTRICTED SHELL | 16 | .SH RESTRICTED SHELL |
| 17 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 17 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |