authorLibravatar smitsohu <smitsohu@gmail.com>2018-09-02 14:21:54 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2018-09-02 14:21:54 +0200
commit1fe78bd9798725c7f1e49634de0f0935c443c1f8 (patch)
tree2b758e841f879260d6f1b9e8885cd6841dac5ac3
parentchroot problem: default profile not configured by default (diff)
additional restrictions for write-permissions on chroot
-rw-r--r--src/firejail/fs.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 09c26fc92..fa3b3da0a 100644
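--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1160,7 +1160,7 @@ void fs_check_chroot_dir(const char *rootdir) {
 if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
 if (strncmp(rootdir, overlay, strlen(overlay)) == 0) {
-fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
+fprintf(stderr, "Error: invalid chroot directory: no directories in ~/.firejail are allowed\n");
 exit(1);
 }
 free(overlay);
@@ -1171,7 +1171,7 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir);
 exit(1);
 }
-// rootdir has to be owned by root and is not allowed to be world-writable;
+// rootdir has to be owned by root and is not allowed to be generally writable,
 // this also excludes /tmp, /var/tmp and such
 if (fstat(parentfd, &s) == -1)
 errExit("fstat");
@@ -1179,8 +1179,8 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: chroot directory should be owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot directory should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n");
 exit(1);
 }
 
@@ -1252,8 +1252,8 @@ void fs_check_chroot_dir(const char *rootdir) {
 fprintf(stderr, "Error: chroot /etc should be a directory owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot /etc should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n");
 exit(1);
 }
 close(fd);
@@ -1346,8 +1346,8 @@ void fs_chroot(const char *rootdir) {
 fprintf(stderr, "Error: chroot /run should be a directory owned by root\n");
 exit(1);
 }
-if ((S_IWOTH & s.st_mode) != 0) {
-fprintf(stderr, "Error: chroot /run should not be world-writable\n");
+if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+fprintf(stderr, "Error: only root user should be given write permission on chroot /run\n");
 exit(1);
 }
 }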
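Review bot: The same `((S_IWGRP|S_IWOTH) & s.st_mode) != 0` test is now written out three times (chroot directory at 1182, /etc at 1255, /run at 1349), each with its own hand-written message, so any later change to the write-permission policy has to be repeated in every place and can drift. A named mask such as `#define CHROOT_NONROOT_WRITE (S_IWGRP|S_IWOTH)`, or a small static helper that takes the stat result and a label, would keep the three checks in step. The comment at 1174 would be more precise as `// rootdir has to be owned by root and must not be group- or world-writable;`, since "generally writable" does not say which mode bits are rejected. Both fs_check_chroot_dir and fs_chroot continue outside the hunks shown, so whether other directories validated there need the same tightening cannot be judged from this page.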