diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-05-15 09:01:23 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-05-15 09:01:23 -0400 |
| commit | 689c89738a9c575b0088ef288013aaf743d93eca (patch) | |
| tree | 6002cec6389b3597375a55dfd0073035d29522d4 | |
| parent | documentation (diff) | |
| download | firejail-689c89738a9c575b0088ef288013aaf743d93eca.tar.gz firejail-689c89738a9c575b0088ef288013aaf743d93eca.tar.zst firejail-689c89738a9c575b0088ef288013aaf743d93eca.zip | |
allow regular users to use --writable-var and --writable-etc
| -rw-r--r-- | src/firejail/main.c | 8 | ||||
| -rw-r--r-- | src/firejail/profile.c | 8 | ||||
| -rw-r--r-- | src/firejail/usage.c | 6 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 6 | ||||
| -rw-r--r-- | src/man/firejail.txt | 4 |
5 files changed, 6 insertions, 26 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 59f500e3a..a540d468b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1285,10 +1285,6 @@ int main(int argc, char **argv) { | |||
| 1285 | } | 1285 | } |
| 1286 | #endif | 1286 | #endif |
| 1287 | else if (strcmp(argv[i], "--writable-etc") == 0) { | 1287 | else if (strcmp(argv[i], "--writable-etc") == 0) { |
| 1288 | if (getuid() != 0) { | ||
| 1289 | fprintf(stderr, "Error: --writable-etc is available only for root user\n"); | ||
| 1290 | exit(1); | ||
| 1291 | } | ||
| 1292 | if (cfg.etc_private_keep) { | 1288 | if (cfg.etc_private_keep) { |
| 1293 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1289 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
| 1294 | exit(1); | 1290 | exit(1); |
| @@ -1296,10 +1292,6 @@ int main(int argc, char **argv) { | |||
| 1296 | arg_writable_etc = 1; | 1292 | arg_writable_etc = 1; |
| 1297 | } | 1293 | } |
| 1298 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1294 | else if (strcmp(argv[i], "--writable-var") == 0) { |
| 1299 | if (getuid() != 0) { | ||
| 1300 | fprintf(stderr, "Error: --writable-var is available only for root user\n"); | ||
| 1301 | exit(1); | ||
| 1302 | } | ||
| 1303 | arg_writable_var = 1; | 1295 | arg_writable_var = 1; |
| 1304 | } | 1296 | } |
| 1305 | else if (strcmp(argv[i], "--private") == 0) | 1297 | else if (strcmp(argv[i], "--private") == 0) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 095e5eecc..3bf294e00 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -573,10 +573,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 573 | 573 | ||
| 574 | // writable-etc | 574 | // writable-etc |
| 575 | if (strcmp(ptr, "writable-etc") == 0) { | 575 | if (strcmp(ptr, "writable-etc") == 0) { |
| 576 | if (getuid() != 0) { | ||
| 577 | fprintf(stderr, "Error: writable-etc is available only for root user\n"); | ||
| 578 | exit(1); | ||
| 579 | } | ||
| 580 | if (cfg.etc_private_keep) { | 576 | if (cfg.etc_private_keep) { |
| 581 | fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); | 577 | fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); |
| 582 | exit(1); | 578 | exit(1); |
| @@ -587,10 +583,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 587 | 583 | ||
| 588 | // writable-var | 584 | // writable-var |
| 589 | if (strcmp(ptr, "writable-var") == 0) { | 585 | if (strcmp(ptr, "writable-var") == 0) { |
| 590 | if (getuid() != 0) { | ||
| 591 | fprintf(stderr, "Error: writable-var is available only for root user\n"); | ||
| 592 | exit(1); | ||
| 593 | } | ||
| 594 | arg_writable_var = 1; | 586 | arg_writable_var = 1; |
| 595 | return 0; | 587 | return 0; |
| 596 | } | 588 | } |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 8c738a0fc..ef02c0d72 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -248,10 +248,8 @@ void usage(void) { | |||
| 248 | printf(" --version - print program version and exit.\n\n"); | 248 | printf(" --version - print program version and exit.\n\n"); |
| 249 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 249 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
| 250 | 250 | ||
| 251 | printf(" --writable-etc - /etc directory is mounted read-write. This option is\n"); | 251 | printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); |
| 252 | printf("\tavailable only when running the sandbox as root user.\n\n"); | 252 | printf(" --writable-var - /var directory is mounted read-write.\n\n"); |
| 253 | printf(" --writable-var - /var directory is mounted read-write. This option is\n"); | ||
| 254 | printf("\tavailable only when running the sandbox as root user.\n\n"); | ||
| 255 | 253 | ||
| 256 | printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); | 254 | printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); |
| 257 | printf("\tthen it checks if Xephyr is installed.\n\n"); | 255 | printf("\tthen it checks if Xephyr is installed.\n\n"); |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8f9eedbd3..4d1de76f5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -194,12 +194,10 @@ The modifications to file_or_directory are persistent, everything else is discar | |||
| 194 | when the sandbox is closed. | 194 | when the sandbox is closed. |
| 195 | .TP | 195 | .TP |
| 196 | \fBwritable-etc | 196 | \fBwritable-etc |
| 197 | Mount /etc directory read-write. This option is available only | 197 | Mount /etc directory read-write. |
| 198 | when running the sandbox as root user. | ||
| 199 | .TP | 198 | .TP |
| 200 | \fBwritable-var | 199 | \fBwritable-var |
| 201 | Mount /var directory read-write. This option is available only | 200 | Mount /var directory read-write. |
| 202 | when running the sandbox as root user. | ||
| 203 | .SH Security filters | 201 | .SH Security filters |
| 204 | The following security filters are currently implemented: | 202 | The following security filters are currently implemented: |
| 205 | 203 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 807b3e39e..29a84f71e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1480,7 +1480,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | |||
| 1480 | 1480 | ||
| 1481 | .TP | 1481 | .TP |
| 1482 | \fB\-\-writable-etc | 1482 | \fB\-\-writable-etc |
| 1483 | Mount /etc directory read-write. This option is available only when running the sandbox as root user. | 1483 | Mount /etc directory read-write. |
| 1484 | .br | 1484 | .br |
| 1485 | 1485 | ||
| 1486 | .br | 1486 | .br |
| @@ -1490,7 +1490,7 @@ $ sudo firejail --writable-etc | |||
| 1490 | 1490 | ||
| 1491 | .TP | 1491 | .TP |
| 1492 | \fB\-\-writable-var | 1492 | \fB\-\-writable-var |
| 1493 | Mount /var directory read-write. This option is available only when running the sandbox as root user. | 1493 | Mount /var directory read-write. |
| 1494 | .br | 1494 | .br |
| 1495 | 1495 | ||
| 1496 | .br | 1496 | .br |