author | smitsohu <smitsohu@gmail.com> | 2020-12-21 18:10:49 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-12-21 18:39:50 +0100 |
commit | 45c28b808df9529aca32fdd755ac14e8101af3c1 (patch) | |
tree | 631db451c28a36cce75135759861acb80798234a | |
parent | add mac multicast address check to profile_check_line (diff) | |
fix forwarding of login option to restricted shell
If firejail is the login shell, the SHELL environment variable
is set to the path of the firejail executable. This leads to execution of a
'firejail -l' command, but firejail inside the sandbox does
not know what to do with the -l option and just starts bash without
forwarding this option.
Fix this by not checking $SHELL when guessing which shell should be used.
run_no_sandbox(), which relies on reading the environment, runs before
setting the login_shell variable, and is not affected.
-rw-r--r-- | src/firejail/main.c | 12 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 1 |
2 files changed, 8 insertions, 5 deletions
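--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -864,11 +864,13 @@ char *guess_shell(void) {
 char *shell = NULL;
 struct stat s;
 
-shell = getenv("SHELL");
-if (shell) {
-invalid_filename(shell, 0); // no globbing
-if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0)
-return shell;
+if (!login_shell) { // if firejail is the login shell, SHELL is set to path of firejail executable
+shell = getenv("SHELL");
+if (shell) {
+invalid_filename(shell, 0); // no globbing
+if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0)
+return shell;
+}
 }
 
 // shells in order of preference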
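Review bot: The new `if (!login_shell)` guard in guess_shell() keys on how firejail was invoked, not on what $SHELL actually points to. Per the added comment, SHELL holds the firejail path whenever firejail is the login shell, and that value is presumably inherited by every process in the session, so a later call with login_shell == 0 could still return the firejail binary once it passes the stat()/access() checks. Consider also rejecting a $SHELL that resolves to the running firejail executable and falling through to the preference list in that case. A comment above the function such as `// $SHELL is ignored when login_shell is set; callers that need $SHELL must run before login_shell is assigned` would record the ordering dependency the commit message describes. guess_shell() continues past the end of the hunk.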
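--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -177,6 +177,7 @@ void run_no_sandbox(int argc, char **argv) {
 }
 
 // use $SHELL to get shell used in sandbox, guess shell otherwise
+assert(login_shell == 0);
 cfg.shell = guess_shell();
 if (!cfg.shell) {
 fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");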
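Review bot: The added `assert(login_shell == 0);` in run_no_sandbox() is the only thing enforcing the call-order assumption, and assert() is compiled out when NDEBUG is defined, so a release build may not check it at all (whether this project builds with NDEBUG is not visible here). If the assumption ever stopped holding, guess_shell() would silently skip $SHELL while the error message just below still tells the user to set SHELL. A short comment would make the intent explicit, e.g. `// run_no_sandbox() runs before login_shell is set, so guess_shell() still honours $SHELL here`. The body of run_no_sandbox() starts and ends outside the hunk.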