author | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-25 01:01:06 +0300 |
---|---|---|
committer | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-25 01:05:40 +0300 |
commit | 51d69322896d0f622d77dc581c35876c1c937596 (patch) | |
tree | 88bf6dd701767267ac564c008335e728a9ab727d /src/firejail/fs_var.c | |
parent | tighten security (diff) | |
tighten security
Diffstat (limited to 'src/firejail/fs_var.c')
-rw-r--r-- | src/firejail/fs_var.c | 23 |
1 files changed, 5 insertions, 18 deletions
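diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 1516d684f..a578d04e6 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -131,22 +131,16 @@ void fs_var_log(void) {
 // create an empty /var/log/wtmp file
 /* coverity[toctou] */
 FILE *fp = fopen("/var/log/wtmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 if (fp)
 fclose(fp);
-if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/wtmp");
 
 // create an empty /var/log/btmp file
 fp = fopen("/var/log/btmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
 if (fp)
 fclose(fp);
-if (chown("/var/log/btmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/btmp");
 }
 else
@@ -169,11 +163,8 @@ void fs_var_lib(void) {
 
 if (fp) {
 fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 fclose(fp);
-if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-errExit("chown");
-if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-errExit("chmod");
 fs_logger("touch /var/lib/dhcp/dhcpd.leases");
 }
 }
@@ -279,10 +270,9 @@ void fs_var_lock(void) {
 // create directory
 if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
 errExit("mkdir");
-if (chown(lnk, 0, 0))
-errExit("chown");
 if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
 errExit("chmod");
+ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
@@ -353,11 +343,8 @@ void fs_var_utmp(void) {
 
 // save new utmp file
 fwrite(&u_boot, sizeof(u_boot), 1, fp);
+SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
-if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-errExit("chown");
-if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 
 // mount the new utmp file
 if (arg_debug)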
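Review bot: In fs_var_log both added `SET_PERMS_STREAM(fp, ...)` calls sit before the `if (fp)` guard, so a failed fopen() of /var/log/wtmp or /var/log/btmp passes a NULL stream to the macro. The macro's definition is not part of this diff; if it obtains the descriptor from the stream, as the name suggests, a NULL argument is undefined behaviour rather than a reported error. I would move each call under the guard, the way the fs_var_lib hunk already does: `if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); }`, adding `else errExit("fopen");` if a log file that cannot be created should be fatal. fs_var_log starts and ends outside the hunk.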