diff options
author | smitsohu <smitsohu@gmail.com> | 2021-02-25 01:40:13 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-02-25 02:10:48 +0100 |
commit | 8d7974a6a6b2bac2d2b680bcb4b2a76a36602538 (patch) | |
tree | 96a0d3c1f2a5e976336b8f756150e223a1d8be20 | |
parent | cleanup (diff) | |
download | firejail-8d7974a6a6b2bac2d2b680bcb4b2a76a36602538.tar.gz firejail-8d7974a6a6b2bac2d2b680bcb4b2a76a36602538.tar.zst firejail-8d7974a6a6b2bac2d2b680bcb4b2a76a36602538.zip |
fix firecfg links in restrictive sandboxes
firejail symbolic link redirection currently depends
on a shell, but in restrictive sandboxes there
might be no execute permission, or private-lib might
have removed necessary libraries, or seccomp might
block required syscalls ...
Fix this by forcing --shell=none.
closes #3911
-rw-r--r-- | src/firejail/no_sandbox.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 1e8951afc..60a82821e 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -167,15 +167,6 @@ void run_no_sandbox(int argc, char **argv) { | |||
167 | if (setresuid(-1, getuid(), getuid()) != 0) | 167 | if (setresuid(-1, getuid(), getuid()) != 0) |
168 | errExit("setresuid"); | 168 | errExit("setresuid"); |
169 | 169 | ||
170 | // use $SHELL to get shell used in sandbox, guess shell otherwise | ||
171 | cfg.shell = guess_shell(); | ||
172 | if (!cfg.shell) { | ||
173 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | ||
174 | exit(1); | ||
175 | } | ||
176 | else if (arg_debug) | ||
177 | printf("Selecting %s as shell\n", cfg.shell); | ||
178 | |||
179 | // process limited subset of options | 170 | // process limited subset of options |
180 | // and find first non option arg: | 171 | // and find first non option arg: |
181 | // - first argument not starting with --, | 172 | // - first argument not starting with --, |
@@ -203,9 +194,20 @@ void run_no_sandbox(int argc, char **argv) { | |||
203 | } | 194 | } |
204 | 195 | ||
205 | if (prog_index == 0) { | 196 | if (prog_index == 0) { |
206 | assert(cfg.command_line == NULL); // runs cfg.shell | 197 | // got no command, require a shell and try to execute it |
198 | cfg.shell = guess_shell(); | ||
199 | if (!cfg.shell) { | ||
200 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | ||
201 | exit(1); | ||
202 | } | ||
203 | |||
204 | assert(cfg.command_line == NULL); | ||
207 | cfg.window_title = cfg.shell; | 205 | cfg.window_title = cfg.shell; |
208 | } else { | 206 | } else { |
207 | // this sandbox might not allow execution of a shell | ||
208 | // force --shell=none in order to not break firecfg symbolic links | ||
209 | arg_shell_none = 1; | ||
210 | |||
209 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 211 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
210 | } | 212 | } |
211 | 213 | ||