diff options
author | 2021-02-12 15:59:33 +0100 | |
---|---|---|
committer | 2021-02-12 15:59:33 +0100 | |
commit | 6fd17bd2d331d35ba113430f8b522b11f9e2512b (patch) | |
tree | 704c7aa6085d0de80c639ca3ad015ec8c480a209 | |
parent | Revert "Merge pull request #3607 from kortewegdevries/wemail" (diff) | |
download | firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.tar.gz firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.tar.zst firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.zip |
chroot hardening
the check was introduced some time ago in fs_x11(), but
fs_chroot() does the same thing and needs it as well
-rw-r--r-- | src/firejail/chroot.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 6de4b819c..9253490ca 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -176,6 +176,18 @@ void fs_chroot(const char *rootdir) { | |||
176 | if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { | 176 | if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { |
177 | if (arg_debug) | 177 | if (arg_debug) |
178 | printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); | 178 | printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); |
179 | struct stat s1, s2; | ||
180 | if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2)) | ||
181 | errExit("mounting /tmp/.X11-unix"); | ||
182 | if ((s1.st_mode & S_ISVTX) != S_ISVTX) { | ||
183 | fprintf(stderr, "Error: sticky bit not set on /tmp directory\n"); | ||
184 | exit(1); | ||
185 | } | ||
186 | if (s2.st_uid != 0) { | ||
187 | fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n"); | ||
188 | exit(1); | ||
189 | } | ||
190 | |||
179 | check_subdir(parentfd, "tmp/.X11-unix", 0); | 191 | check_subdir(parentfd, "tmp/.X11-unix", 0); |
180 | fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 192 | fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
181 | if (fd == -1) | 193 | if (fd == -1) |