author | smitsohu <smitsohu@gmail.com> | 2019-10-08 20:58:59 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-08 20:58:59 +0000 |
commit | b35c000fee9a4c1418a44e5a5a641bcf48f08345 (patch) | |
tree | 8201f3fa03e83f5dc0bda9aa9f33096c1d7eff27 | |
parent | add x11 xorg option to HAS_X11 conditional - #2205 (diff) | |
x11 xorg: blacklist non-default Xauthority file
fixes #1652
-rw-r--r-- | src/firejail/x11.c | 14 |
1 files changed, 14 insertions, 0 deletions
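--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1238,6 +1238,20 @@ void x11_xorg(void) {
 errLogExit("invalid .Xauthority mount");
 
 ASSERT_PERMS(dest, getuid(), getgid(), 0600);
+
+// blacklist .Xauthority file if it is not masked already
+char *envar = getenv("XAUTHORITY");
+if (envar) {
+char *rp = realpath(envar, NULL);
+if (rp) {
+if (strcmp(rp, dest) != 0)
+disable_file_or_dir(rp);
+free(rp);
+}
+// update environment variable, so our new .Xauthority file is used
+if (setenv("XAUTHORITY", dest, 1) < 0)
+errExit("setenv");
+}
 free(dest);
 #endif
 }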
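Review bot: In the added block, `strcmp(rp, dest) != 0` compares the canonical path returned by `realpath()` with `dest`, which is built outside this hunk and may not be canonical (for example if the home directory is reached through a symlink). In that case the strings differ although they name the same file, and `disable_file_or_dir(rp)` would blacklist the freshly mounted .Xauthority. Comparing canonical forms on both sides avoids this, e.g. `char *rd = realpath(dest, NULL);` then `if (rd && strcmp(rp, rd) != 0) disable_file_or_dir(rp);` and `free(rd);`. XAUTHORITY is set by the invoking user, so a comment should state which privileges `realpath()` runs with at this point and that a failed `realpath()` leaves the non-default file unmasked without any log message. The body of x11_xorg starts outside the hunk, so how `dest` is constructed should be confirmed there.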