aboutsummaryrefslogtreecommitdiffstats
path: root/src/firejail/fs_var.c
diff options
context:
space:
mode:
authorLibravatar Aleksey Manevich <manevich.aleksey@gmail.com>2016-08-25 01:01:06 +0300
committerLibravatar Aleksey Manevich <manevich.aleksey@gmail.com>2016-08-25 01:05:40 +0300
commit51d69322896d0f622d77dc581c35876c1c937596 (patch)
tree88bf6dd701767267ac564c008335e728a9ab727d /src/firejail/fs_var.c
parenttighten security (diff)
downloadfirejail-51d69322896d0f622d77dc581c35876c1c937596.tar.gz
firejail-51d69322896d0f622d77dc581c35876c1c937596.tar.zst
firejail-51d69322896d0f622d77dc581c35876c1c937596.zip
tighten security
Diffstat (limited to 'src/firejail/fs_var.c')
-rw-r--r--src/firejail/fs_var.c23
1 files changed, 5 insertions, 18 deletions
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 1516d684f..a578d04e6 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -131,22 +131,16 @@ void fs_var_log(void) {
131 // create an empty /var/log/wtmp file 131 // create an empty /var/log/wtmp file
132 /* coverity[toctou] */ 132 /* coverity[toctou] */
133 FILE *fp = fopen("/var/log/wtmp", "w"); 133 FILE *fp = fopen("/var/log/wtmp", "w");
134 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
134 if (fp) 135 if (fp)
135 fclose(fp); 136 fclose(fp);
136 if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
137 errExit("chown");
138 if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
139 errExit("chmod");
140 fs_logger("touch /var/log/wtmp"); 137 fs_logger("touch /var/log/wtmp");
141 138
142 // create an empty /var/log/btmp file 139 // create an empty /var/log/btmp file
143 fp = fopen("/var/log/btmp", "w"); 140 fp = fopen("/var/log/btmp", "w");
141 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
144 if (fp) 142 if (fp)
145 fclose(fp); 143 fclose(fp);
146 if (chown("/var/log/btmp", 0, wtmp_group) < 0)
147 errExit("chown");
148 if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
149 errExit("chmod");
150 fs_logger("touch /var/log/btmp"); 144 fs_logger("touch /var/log/btmp");
151 } 145 }
152 else 146 else
@@ -169,11 +163,8 @@ void fs_var_lib(void) {
169 163
170 if (fp) { 164 if (fp) {
171 fprintf(fp, "\n"); 165 fprintf(fp, "\n");
166 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
172 fclose(fp); 167 fclose(fp);
173 if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
174 errExit("chown");
175 if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
176 errExit("chmod");
177 fs_logger("touch /var/lib/dhcp/dhcpd.leases"); 168 fs_logger("touch /var/lib/dhcp/dhcpd.leases");
178 } 169 }
179 } 170 }
@@ -279,10 +270,9 @@ void fs_var_lock(void) {
279 // create directory 270 // create directory
280 if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) 271 if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
281 errExit("mkdir"); 272 errExit("mkdir");
282 if (chown(lnk, 0, 0))
283 errExit("chown");
284 if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) 273 if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
285 errExit("chmod"); 274 errExit("chmod");
275 ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
286 } 276 }
287 if (arg_debug) 277 if (arg_debug)
288 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); 278 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
@@ -353,11 +343,8 @@ void fs_var_utmp(void) {
353 343
354 // save new utmp file 344 // save new utmp file
355 fwrite(&u_boot, sizeof(u_boot), 1, fp); 345 fwrite(&u_boot, sizeof(u_boot), 1, fp);
346 SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
356 fclose(fp); 347 fclose(fp);
357 if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
358 errExit("chown");
359 if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
360 errExit("chmod");
361 348
362 // mount the new utmp file 349 // mount the new utmp file
363 if (arg_debug) 350 if (arg_debug)
generated by cgit v1.2.3-54-g00ecf (git 2.45.1) at 2024-06-03 10:14:25 +0000