author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-02-11 16:14:55 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-02-11 18:08:09 -0300 |
commit | 1db67408123c43bf4ea2798aec4d4c0e316021e1 (patch) | |
tree | 0cf8b10a18df301997219970eefa7237227d521e | |
parent | Fix iridium.profile (diff) | |

Disable/comment message about nogroups being ignored

Added on commit 7abce0b4c ("Fix keeping certain groups with nogroups",
2021-11-30) / PR #4732.

As reported by @rusty-snake on #4930, conflicting messages are printed
when using whitelist-run-common.inc with nogroups:

    $ cat test.profile
    include whitelist-run-common.inc
    nogroups
    $ firejail --profile=./test.profile groups
    Reading profile ./test.profile
    Reading profile /etc/firejail/whitelist-run-common.inc
    Parent pid 1234, child pid 1235
    Warning: logind not detected, nogroups command ignored <--- is a lie
    Warning: cleaning all supplementary groups
    Child process initialized in 30.00 ms
    rusty-snake <---- running `groups` outside of the sandbox shows more so groups are actually cleaned
    Parent is shutting down, bye...

This probably happens because wrc causes /run/systemd to be hidden in
the sandbox and because check_can_drop_all_groups is called multiple
times, seemingly both before and after the whitelisting goes into
effect. So disable the message about nogroups being ignored, but keep
the message about cleaning all supplementary groups (which is unlikely
to be printed unless it really happens).

Fixes #4930.

-rw-r--r-- | src/firejail/util.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/firejail/util.c b/src/firejail/util.c index 79ebfa1dd..109105630 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -125,7 +125,8 @@ int check_can_drop_all_groups() { | |||
125 | * and #4603. | 125 | * and #4603. |
126 | */ | 126 | */ |
127 | if (access("/run/systemd/seats/", F_OK) != 0) { | 127 | if (access("/run/systemd/seats/", F_OK) != 0) { |
128 | fwarning("logind not detected, nogroups command ignored\n"); | 128 | // TODO: wrc causes this to be printed even with (e)logind (see #4930) |
129 | //fwarning("logind not detected, nogroups command ignored\n"); | ||
129 | can_drop_all_groups = 0; | 130 | can_drop_all_groups = 0; |
130 | goto out; | 131 | goto out; |
131 | } | 132 | } |
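
Review bot: With the fwarning in the access("/run/systemd/seats/", F_OK) branch commented out, the branch still sets can_drop_all_groups = 0 and jumps to out with no output, so on a host that really has no logind the user is no longer told that nogroups was ignored. Consider keeping the notice but tying it to the call made before whitelisting takes effect, or having check_can_drop_all_groups remember its first result so that later calls inside the sandbox, where the commit message says /run/systemd is hidden, do not re-run access() at all. If the result does differ between calls as the commit message suspects, that would make the return value stable instead of only hiding the message. On style, deleting the line or putting it behind a debug check reads better than leaving a commented-out call, and the TODO could spell out whitelist-run-common.inc instead of "wrc".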