diff options
| author |  Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2017-09-19 23:26:22 -0500 |
|---|---|---|
| committer | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2017-09-19 23:26:22 -0500 |
| commit | 88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2 (patch) | |
| tree | ff4ab558330f8c566ddf7e9909a57e71913a232a /src/fcopy | |
| parent | Fix private-bit filter for firefox on Arch (diff) | |
| parent | add nogroups (diff) | |
| download | firejail-88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2.tar.gz firejail-88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2.tar.zst firejail-88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2.zip | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'src/fcopy')
| -rw-r--r-- | src/fcopy/main.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index da5ade428..e7b4ffa8a 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
| @@ -22,6 +22,7 @@ | |||
| 22 | #include <fcntl.h> | 22 | #include <fcntl.h> |
| 23 | #include <ftw.h> | 23 | #include <ftw.h> |
| 24 | #include <errno.h> | 24 | #include <errno.h> |
| 25 | #include <pwd.h> | ||
| 25 | 26 | ||
| 26 | int arg_quiet = 0; | 27 | int arg_quiet = 0; |
| 27 | static int arg_follow_link = 0; | 28 | static int arg_follow_link = 0; |
| @@ -199,10 +200,22 @@ static char *check(const char *src) { | |||
| 199 | if (!rsrc || stat(rsrc, &s) == -1) | 200 | if (!rsrc || stat(rsrc, &s) == -1) |
| 200 | goto errexit; | 201 | goto errexit; |
| 201 | 202 | ||
| 202 | // check uid | 203 | // on systems with systemd-resolved installed /etc/resolve.conf is a symlink to |
| 204 | // /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user | ||
| 203 | // checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock | 205 | // checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock |
| 204 | if (s.st_uid != getuid()/* || s.st_gid != getgid()*/) | 206 | uid_t user = getuid(); |
| 205 | goto errexit; | 207 | if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0) { |
| 208 | // check user systemd-resolve | ||
| 209 | struct passwd *p = getpwnam("systemd-resolve"); | ||
| 210 | if (!p) | ||
| 211 | goto errexit; | ||
| 212 | if (s.st_uid != user && s.st_uid != p->pw_uid) | ||
| 213 | goto errexit; | ||
| 214 | } | ||
| 215 | else { | ||
| 216 | if (s.st_uid != user) | ||
| 217 | goto errexit; | ||
| 218 | } | ||
| 206 | 219 | ||
| 207 | // dir, link, regular file | 220 | // dir, link, regular file |
| 208 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | 221 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) |