author | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2017-09-19 23:26:22 -0500 |
---|---|---|
committer | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2017-09-19 23:26:22 -0500 |
commit | 88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2 (patch) | |
tree | ff4ab558330f8c566ddf7e9909a57e71913a232a /src/fcopy | |
parent | Fix private-bit filter for firefox on Arch (diff) | |
parent | add nogroups (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'src/fcopy')
-rw-r--r-- | src/fcopy/main.c | 19 |
1 files changed, 16 insertions, 3 deletions
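--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -22,6 +22,7 @@
 #include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
+#include <pwd.h>
 
 int arg_quiet = 0;
 static int arg_follow_link = 0;
@@ -199,10 +200,22 @@ static char *check(const char *src) {
 if (!rsrc || stat(rsrc, &s) == -1)
 goto errexit;
 
-// check uid
+// on systems with systemd-resolved installed /etc/resolve.conf is a symlink to
+// /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user
 // checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock
-if (s.st_uid != getuid()/* || s.st_gid != getgid()*/)
-goto errexit;
+uid_t user = getuid();
+if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0) {
+// check user systemd-resolve
+struct passwd *p = getpwnam("systemd-resolve");
+if (!p)
+goto errexit;
+if (s.st_uid != user && s.st_uid != p->pw_uid)
+goto errexit;
+}
+else {
+if (s.st_uid != user)
+goto errexit;
+}
 
 // dir, link, regular file
 if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))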
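Review bot: The new root-only exemption (new lines 207–213) looks up `getpwnam("systemd-resolve")` before the plain ownership test, so on a host where /run/systemd/resolve/resolv.conf exists and is owned by root but no systemd-resolve account is present the copy is now refused, whereas the previous `s.st_uid != getuid()` check accepted it. Testing ownership against the caller first and consulting the systemd-resolve uid only as a fallback keeps the old behavior, confines the exemption to the one resolved path (rsrc appears to be the resolved path, since it is the one stat'ed on new line 200), and removes the nested `else { if ... }` branch. Note that the exemption fires only when `getuid()` returns 0, so if fcopy is invoked with the real uid of the sandboxed user this branch is never taken; worth confirming against the caller. The comment on new line 203 should read `/etc/resolv.conf` rather than `/etc/resolve.conf`. check() begins and ends outside the hunk.
```c
	uid_t user = getuid();
	if (s.st_uid != user) {
		// on systems with systemd-resolved installed /etc/resolv.conf is a symlink to
		// /run/systemd/resolve/resolv.conf, owned by the systemd-resolve user;
		// accept that single file for root callers, nothing else
		struct passwd *p = NULL;
		if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0)
			p = getpwnam("systemd-resolve");
		if (!p || s.st_uid != p->pw_uid)
			goto errexit;
	}
	// … unchanged: dir/link/regular-file type check …
```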