author | smitsohu <smitsohu@gmail.com> | 2018-09-02 14:21:54 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-09-02 14:21:54 +0200 |
commit | 1fe78bd9798725c7f1e49634de0f0935c443c1f8 (patch) | |
tree | 2b758e841f879260d6f1b9e8885cd6841dac5ac3 | |
parent | chroot problem: default profile not configured by default (diff) | |
additional restrictions for write-permissions on chroot
-rw-r--r-- | src/firejail/fs.c | 16 |
1 files changed, 8 insertions, 8 deletions
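--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1160,7 +1160,7 @@ void fs_check_chroot_dir(const char *rootdir) {
 if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
 if (strncmp(rootdir, overlay, strlen(overlay)) == 0) {
-fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
+fprintf(stderr, "Error: invalid chroot directory: no directories in ~/.firejail are allowed\n");
 exit(1);
 }
 free(overlay);
@@ -1171,7 +1171,7 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
 exit(1);
 }
-// rootdir has to be owned by root and is not allowed to be world-writable;
+// rootdir has to be owned by root and is not allowed to be generally writable,
 // this also excludes /tmp, /var/tmp and such
 if (fstat(parentfd, &s) == -1)
 errExit("fstat");
@@ -1179,8 +1179,8 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: chroot directory should be owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot directory should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n");
 exit(1);
 }
 
@@ -1252,8 +1252,8 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: chroot /etc should be a directory owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot /etc should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n");
 exit(1);
 }
 close(fd);
@@ -1346,8 +1346,8 @@ void fs_chroot(const char *rootdir) {
 fprintf(stderr, "Error: chroot /run should be a directory owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot /run should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot /run\n");
 exit(1);
 }
 }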
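Review bot: The same root-owner / `(S_IWGRP|S_IWOTH)` test is now hand-copied at three sites (the chroot root at 1178–1185, `/etc` at 1251–1258 in fs_check_chroot_dir, and `/run` at 1345–1352 in fs_chroot), so the next tightening — or the next forgotten one — will drift between them; factoring it into one `static` helper taking the fd and a label keeps the policy in a single place. That helper is also the right home for a comment the commit leaves unstated: on Linux the group-class bits of st_mode mirror the POSIX ACL mask when an ACL is present, so testing S_IWGRP is what makes write access granted through `setfacl` fail this check as well, not just plain group write — worth saying so nobody later "relaxes" it back to S_IWOTH alone. The `S_ISDIR` part of the `/etc` and `/run` messages would stay at the call sites, since the fd is already known to be a directory there. All three enclosing functions start and end outside these hunks.
```c
// Abort unless the object behind fd is root-owned and writable by root only.
// The group-class bits reflect the POSIX ACL mask when an ACL exists, so the
// S_IWGRP test also rejects write access handed out via setfacl.
static void check_root_only_writable(int fd, const char *what) {
	struct stat s;
	if (fstat(fd, &s) == -1)
		errExit("fstat");
	if (s.st_uid != 0) {
		fprintf(stderr, "Error: %s should be owned by root\n", what);
		exit(1);
	}
	if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
		fprintf(stderr, "Error: only root user should be given write permission on %s\n", what);
		exit(1);
	}
}
// … unchanged: call sites become check_root_only_writable(parentfd, "chroot directory"),
//    check_root_only_writable(fd, "chroot /etc"), check_root_only_writable(fd, "chroot /run") …
```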