diff options
author | netblue30 <netblue30@yahoo.com> | 2016-07-27 17:38:51 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-27 17:38:51 -0400 |
commit | c56e49cf0c91cb87ca25f3bb8a0228d4045dd075 (patch) | |
tree | 1c411b77c7ed084762458afe8caa4ec40f364a32 | |
parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
download | firejail-c56e49cf0c91cb87ca25f3bb8a0228d4045dd075.tar.gz firejail-c56e49cf0c91cb87ca25f3bb8a0228d4045dd075.tar.zst firejail-c56e49cf0c91cb87ca25f3bb8a0228d4045dd075.zip |
symlink whitelist fix
-rw-r--r-- | src/firejail/fs_whitelist.c | 11 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
2 files changed, 8 insertions, 5 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 926e5415c..f94040d0f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -391,14 +391,17 @@ void fs_whitelist(void) { | |||
391 | 391 | ||
392 | entry->home_dir = 1; | 392 | entry->home_dir = 1; |
393 | home_dir = 1; | 393 | home_dir = 1; |
394 | if (arg_debug) | 394 | if (arg_debug || arg_debug_whitelists) |
395 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | 395 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", |
396 | __LINE__, fname, cfg.homedir); | 396 | __LINE__, fname, cfg.homedir); |
397 | 397 | ||
398 | // both path and absolute path are under /home | 398 | // both path and absolute path are under /home |
399 | // if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { | 399 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
400 | // goto errexit; | 400 | // check if the file is owned by the user |
401 | // } | 401 | struct stat s; |
402 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) | ||
403 | goto errexit; | ||
404 | } | ||
402 | } | 405 | } |
403 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 406 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
404 | entry->tmp_dir = 1; | 407 | entry->tmp_dir = 1; |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c9e24380c..d8bd34f10 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1523,7 +1523,7 @@ firejail version 0.9.27 | |||
1523 | \fB\-\-whitelist=dirname_or_filename | 1523 | \fB\-\-whitelist=dirname_or_filename |
1524 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. | 1524 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. |
1525 | With the exception of user home, both the link and the real file should be in | 1525 | With the exception of user home, both the link and the real file should be in |
1526 | the same top directory. | 1526 | the same top directory. For /home, both the link and the real file should be owned by the user. |
1527 | .br | 1527 | .br |
1528 | 1528 | ||
1529 | .br | 1529 | .br |