allow system users to run the sandbox

3 files changed, 21 insertions, 10 deletions

diff --git a/RELNOTES b/RELNOTES
index 1320f65ba..cf9d95982 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,6 +5,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
   * modif: removed compile time --disable-bind
   * modif: --net=none allowed even if networking was disabled at compile
      time or at run time
+  * modif: allow system users to run the sandbox
   * support wireless devices in --net option
   * support tap devices in --net option (tunneling support)
   * allow IP address configuration if the parent interface specified
@@ -13,7 +14,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
   * add --private-cache to support private ~/.cache
   * support full paths in private-lib
   * globbing support in private-lib
-  * support for local user directories in firecfg
+  * support for local user directories in firecfg (--bindir)
   * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
   * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
   * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index c7af14254..b0f56a19a 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -107,10 +107,8 @@ int firejail_user_check(const char *name) {
         if (strcmp(name, "root") == 0)
                 return 1;
 
-        // other system users will run the program as is
-        uid_t uid = getuid();
-        assert(uid_min > 0);
-        if (((int) uid < uid_min && uid != 0) || strcmp(name, "nobody") == 0)
+        // user nobody is never allowed
+        if (strcmp(name, "root") == 0)
                 return 0;
 
         // check file existence
@@ -155,7 +153,7 @@ void firejail_user_add(const char *name) {
         struct passwd *pw = getpwnam(name);
         if (!pw) {
                 fprintf(stderr, "Error: user %s not found on this system.\n", name);
-                return;
+                exit(1);
         }
 
         // check the user is not already in the database
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index c29de0705..88b4041b0 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+root user is allowed by default, user nobody is never allowed.
 
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
 
+If the file is not present in the system, all users are allowed to use the sandbox.
+
 Example:
 
         $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 
 See \fBman 1 firecfg\fR for details.
 
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+        # addgroup firejail
+.br
+        # chown root:firejail /usr/bin/firejail
+.br
+        # chmod 4750 /usr/bin/firejail
+
+
 .SH FILES
 /etc/firejail/firejail.users
 
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO