authorLibravatar netblue30 <netblue30@yahoo.com>2017-09-16 10:51:41 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2017-09-16 10:51:41 -0400
commit7b5d105a39232a8456b4e6d83d875925d7c7ab5b (patch)
treeacbb6be4a926c4fc30bd70f5fab6d0a396b83ce0
parent--build (diff)
fixed systemd-resolved integration - bug #1531
-rw-r--r--.gitignore1
-rw-r--r--src/fcopy/main.c21
2 files changed, 18 insertions, 4 deletions
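--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,7 @@ src/fnet/fnet
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 src/fldd/fldd
+src/fbuilder/fbuilder
 uids.h
 seccomp
 seccomp.debug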
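--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -22,6 +22,7 @@
 #include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
+#include <pwd.h>
 
 int arg_quiet = 0;
 static int arg_follow_link = 0;
@@ -199,17 +200,29 @@ static char *check(const char *src) {
 	if (!rsrc || stat(rsrc, &s) == -1)
 		goto errexit;
 
-	// check uid
+	// on systems with systemd-resolved installed /etc/resolve.conf is a symlink to
+	// /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user
 	// checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock
-	if (s.st_uid != getuid()/* || s.st_gid != getgid()*/)
-		goto errexit;
+	uid_t user = getuid();
+	if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0) {
+		// check user systemd-resolve
+		struct passwd *p = getpwnam("systemd-resolve");
+		if (!p)
+			goto errexit;
+		if (s.st_uid != user && s.st_uid != p->pw_uid)
+			goto errexit;
+	}
+	else {
+		if (s.st_uid != user /* || s.st_gid != getgid()*/)
+			goto errexit;
+	}
 
 	// dir, link, regular file
 	if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
 		return rsrc; // normal exit from the function
 
 errexit:
-	fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+	fprintf(stderr, "Edddddrror fcopy: invalid file %s\n", src);
 	exit(1);
 }
 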
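Review bot: The user-facing error message at new line 225 was corrupted to "Edddddrror fcopy" (a debugging keystroke leftover, by the look of it); it should be restored to `fprintf(stderr, "Error fcopy: invalid file %s\n", src);` since this string is what an operator sees when the helper refuses a file. The new ownership check is narrow in a good way — it only relaxes the owner test for an exact path and only when the helper already runs as uid 0 — so the added comment at line 203 would be clearer stating that, e.g. `// only when running as root, and only for this exact path, accept a file owned by the systemd-resolve user as well as by root`; the same comment also misspells the symlink as `/etc/resolve.conf` where `/etc/resolv.conf` is meant. If `getpwnam("systemd-resolve")` fails the path is rejected outright, which is the safe default, though it is worth a one-line comment saying that is deliberate rather than an oversight. The enclosing `check()` starts before this hunk, so whether `rsrc` is a canonicalized path (which the exact `strcmp` relies on) cannot be confirmed from here.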