diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-07-29 09:37:51 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-07-29 09:37:51 -0400 |
| commit | bdcb2be80f78082650283e13fcb9a90d75e02eba (patch) | |
| tree | 16c5acb08efa77aa9bc78e55bad4b2fd93254f30 | |
| parent | fix Makefile.in (diff) | |
| download | firejail-bdcb2be80f78082650283e13fcb9a90d75e02eba.tar.gz firejail-bdcb2be80f78082650283e13fcb9a90d75e02eba.tar.zst firejail-bdcb2be80f78082650283e13fcb9a90d75e02eba.zip | |
using UID_MIN/GID_MIN values from /etc/login.def
| -rw-r--r-- | Makefile.in | 2 | ||||
| -rwxr-xr-x | configure | 6 | ||||
| -rw-r--r-- | configure.ac | 6 | ||||
| -rwxr-xr-x | mkuid.sh | 20 | ||||
| -rw-r--r-- | src/firejail/restrict_users.c | 9 |
5 files changed, 38 insertions, 5 deletions
diff --git a/Makefile.in b/Makefile.in index 3008ba703..7bb59db6e 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -66,7 +66,7 @@ distclean: clean | |||
| 66 | for dir in $(MYLIBS); do \ | 66 | for dir in $(MYLIBS); do \ |
| 67 | $(MAKE) -C $$dir distclean; \ | 67 | $(MAKE) -C $$dir distclean; \ |
| 68 | done | 68 | done |
| 69 | rm -fr Makefile autom4te.cache config.log config.status config.h | 69 | rm -fr Makefile autom4te.cache config.log config.status config.h uids.h |
| 70 | 70 | ||
| 71 | realinstall: | 71 | realinstall: |
| 72 | # firejail executable | 72 | # firejail executable |
| @@ -3673,6 +3673,9 @@ if test "$prefix" = /usr; then | |||
| 3673 | sysconfdir="/etc" | 3673 | sysconfdir="/etc" |
| 3674 | fi | 3674 | fi |
| 3675 | 3675 | ||
| 3676 | # extract UID_MIN and GID_MIN from login.def | ||
| 3677 | ./mkuid.sh | ||
| 3678 | |||
| 3676 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" | 3679 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" |
| 3677 | 3680 | ||
| 3678 | cat >confcache <<\_ACEOF | 3681 | cat >confcache <<\_ACEOF |
| @@ -4861,6 +4864,9 @@ echo " X11 sandboxing support: $HAVE_X11" | |||
| 4861 | echo " whitelisting: $HAVE_WHITELIST" | 4864 | echo " whitelisting: $HAVE_WHITELIST" |
| 4862 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4865 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
| 4863 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4866 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
| 4867 | printf " uid_min: "; grep UID_MIN uids.h | ||
| 4868 | printf " gid_min: "; grep GID_MIN uids.h | ||
| 4864 | echo | 4869 | echo |
| 4865 | 4870 | ||
| 4866 | 4871 | ||
| 4872 | |||
diff --git a/configure.ac b/configure.ac index c22228d0f..a84396ad4 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -106,6 +106,9 @@ if test "$prefix" = /usr; then | |||
| 106 | sysconfdir="/etc" | 106 | sysconfdir="/etc" |
| 107 | fi | 107 | fi |
| 108 | 108 | ||
| 109 | # extract UID_MIN and GID_MIN from login.def | ||
| 110 | ./mkuid.sh | ||
| 111 | |||
| 109 | AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile) | 112 | AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile) |
| 110 | 113 | ||
| 111 | echo | 114 | echo |
| @@ -123,6 +126,9 @@ echo " X11 sandboxing support: $HAVE_X11" | |||
| 123 | echo " whitelisting: $HAVE_WHITELIST" | 126 | echo " whitelisting: $HAVE_WHITELIST" |
| 124 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 127 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
| 125 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 128 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
| 129 | printf " uid_min: "; grep UID_MIN uids.h | ||
| 130 | printf " gid_min: "; grep GID_MIN uids.h | ||
| 126 | echo | 131 | echo |
| 127 | 132 | ||
| 128 | 133 | ||
| 134 | |||
diff --git a/mkuid.sh b/mkuid.sh new file mode 100755 index 000000000..f03fdaf94 --- /dev/null +++ b/mkuid.sh | |||
| @@ -0,0 +1,20 @@ | |||
| 1 | #!/bin/bash | ||
| 2 | |||
| 3 | echo "extracting UID_MIN and GID_MIN" | ||
| 4 | echo "#ifndef FIREJAIL_UIDS_H" > uids.h | ||
| 5 | echo "#define FIREJAIL_UIDS_H" >> uids.h | ||
| 6 | |||
| 7 | if [ -f /etc/login.defs ] | ||
| 8 | then | ||
| 9 | echo "// using values extracted from /etc/login.defs" >> uids.h | ||
| 10 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | ||
| 11 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | ||
| 12 | echo "#define UID_MIN $UID_MIN" >> uids.h | ||
| 13 | echo "#define GID_MIN $GID_MIN" >> uids.h | ||
| 14 | else | ||
| 15 | echo "// using default values" >> uids.h | ||
| 16 | echo "#define UID_MIN 1000" >> uids.h | ||
| 17 | echo "#define GID_MIN 1000" >> uids.h | ||
| 18 | fi | ||
| 19 | |||
| 20 | echo "#endif" >> uids.h | ||
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 5a41c441b..de798037f 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -26,6 +26,7 @@ | |||
| 26 | #include <dirent.h> | 26 | #include <dirent.h> |
| 27 | #include <fcntl.h> | 27 | #include <fcntl.h> |
| 28 | #include <errno.h> | 28 | #include <errno.h> |
| 29 | #include "../../uids.h" | ||
| 29 | 30 | ||
| 30 | #define MAXBUF 1024 | 31 | #define MAXBUF 1024 |
| 31 | 32 | ||
| @@ -118,7 +119,7 @@ static void sanitize_passwd(void) { | |||
| 118 | if (stat("/etc/passwd", &s) == -1) | 119 | if (stat("/etc/passwd", &s) == -1) |
| 119 | return; | 120 | return; |
| 120 | if (arg_debug) | 121 | if (arg_debug) |
| 121 | printf("Sanitizing /etc/passwd\n"); | 122 | printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN); |
| 122 | if (is_link("/etc/passwd")) { | 123 | if (is_link("/etc/passwd")) { |
| 123 | fprintf(stderr, "Error: invalid /etc/passwd\n"); | 124 | fprintf(stderr, "Error: invalid /etc/passwd\n"); |
| 124 | exit(1); | 125 | exit(1); |
| @@ -170,7 +171,7 @@ static void sanitize_passwd(void) { | |||
| 170 | int rv = sscanf(ptr, "%d:", &uid); | 171 | int rv = sscanf(ptr, "%d:", &uid); |
| 171 | if (rv == 0 || uid < 0) | 172 | if (rv == 0 || uid < 0) |
| 172 | goto errout; | 173 | goto errout; |
| 173 | if (uid < 1000) { // todo extract UID_MIN from /etc/login.def | 174 | if (uid < UID_MIN) { |
| 174 | fprintf(fpout, "%s", buf); | 175 | fprintf(fpout, "%s", buf); |
| 175 | continue; | 176 | continue; |
| 176 | } | 177 | } |
| @@ -255,7 +256,7 @@ static void sanitize_group(void) { | |||
| 255 | if (stat("/etc/group", &s) == -1) | 256 | if (stat("/etc/group", &s) == -1) |
| 256 | return; | 257 | return; |
| 257 | if (arg_debug) | 258 | if (arg_debug) |
| 258 | printf("Sanitizing /etc/group\n"); | 259 | printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN); |
| 259 | if (is_link("/etc/group")) { | 260 | if (is_link("/etc/group")) { |
| 260 | fprintf(stderr, "Error: invalid /etc/group\n"); | 261 | fprintf(stderr, "Error: invalid /etc/group\n"); |
| 261 | exit(1); | 262 | exit(1); |
| @@ -306,7 +307,7 @@ static void sanitize_group(void) { | |||
| 306 | int rv = sscanf(ptr, "%d:", &gid); | 307 | int rv = sscanf(ptr, "%d:", &gid); |
| 307 | if (rv == 0 || gid < 0) | 308 | if (rv == 0 || gid < 0) |
| 308 | goto errout; | 309 | goto errout; |
| 309 | if (gid < 1000) { // todo extract GID_MIN from /etc/login.def | 310 | if (gid < GID_MIN) { |
| 310 | if (copy_line(fpout, buf, ptr)) | 311 | if (copy_line(fpout, buf, ptr)) |
| 311 | goto errout; | 312 | goto errout; |
| 312 | continue; | 313 | continue; |