authorLibravatar netblue30 <netblue30@protonmail.com>2023-11-24 17:06:48 -0500
committerLibravatar GitHub <noreply@github.com>2023-11-24 17:06:48 -0500
commit5e23f74906e4971238275eebc235de49a574ffbd (patch)
treeb8d5b082db39f7a69a494dc29528a7063df92be9
parentMerge pull request #6070 from kmk3/sort-py-csort (diff)
parentLookup xauth in PATH. (diff)
Merge pull request #6087 from chestnykh/issue-6006
Lookup xauth in PATH.
-rw-r--r--src/firejail/fs_lib2.c6
-rw-r--r--src/firejail/x11.c30
2 files changed, 23 insertions, 13 deletions
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 583888e0e..b43c36c1a 100644
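--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 
 // bring in xauth libraries
+
+char *xauth_bin = find_in_path("xauth");
 if (arg_x11_xorg)
-fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+fslib_mount_libs(xauth_bin, 1); // parse as user
+
+free(xauth_bin);
 
 fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }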
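Review bot: `fslib_mount_libs(xauth_bin, 1)` can be handed NULL here, because x11.c treats a NULL return from `find_in_path("xauth")` as "not found" while this call site passes the result on unchecked whenever `arg_x11_xorg` is set. The guard should be `if (arg_x11_xorg && xauth_bin)`, and the lookup could move inside that branch so PATH is only searched when the option was requested. This lookup is also independent of the one in x11_xorg(), so a comment such as `// must resolve to the same xauth that x11_xorg() validates and copies` would record the assumption that both calls resolve to the same file. fslib_install_firejail's body starts outside the hunk.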
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2eaa9bde5..3721a2c2c 100644
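--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 
-
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -1175,31 +1174,38 @@ void x11_xorg(void) {
 exit(1);
 }
 
+char *xauth_bin = find_in_path("xauth");
+
 // check xauth utility is present in the system
-struct stat s;
-if (stat("/usr/bin/xauth", &s) == -1) {
-fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
+if (!xauth_bin) {
+fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
 fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
 fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n");
 fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n");
 exit(1);
 }
+
+struct stat s;
+if (stat(xauth_bin, &s) == -1) {
+fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
+exit(1);
+}
 if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
-fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
 exit(1);
 }
 if (s.st_size > 1024 * 1024) {
-fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
+fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
 exit(1);
 }
-// copy /usr/bin/xauth in the sandbox and set mode to 0711
+// copy xauth in the sandbox and set mode to 0711
 // users are not able to trace the running xauth this way
 if (arg_debug)
-printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
-if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
-fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
-exit(1);
-}
+printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
+
+copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711);
+
+free(xauth_bin);
 
 fmessage("Generating a new .Xauthority file\n");
 mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());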
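Review bot: The `stat()` checks in the second hunk are now the only gate on a path resolved through PATH, which the invoking user controls, and `(s.st_uid != 0 && s.st_gid != 0)` still accepts a file that root does not own as long as its group is root. Consider tightening it to `if (s.st_uid != 0 || !S_ISREG(s.st_mode) || (s.st_mode & S_IWOTH)) {`, with a comment saying the binary must be root-owned because the copy at RUN_XAUTH_FILE is run later. The check and the copy each resolve `xauth_bin` by name, so the file inspected is not guaranteed to be the file copied; whether `find_in_path()` restricts the directories it searches is not visible here. Unlike the removed `copy_file()` call, `copy_file_from_user_to_root()` has no error branch, so a failed copy would presumably surface only when RUN_XAUTH_FILE is used. x11_xorg's body continues outside the hunk.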