fix private-tmp/pam-tmpdir interaction - #2685

author: smitsohu <smitsohu@gmail.com> 2019-07-27 16:24:28 +0200
committer: smitsohu <smitsohu@gmail.com> 2019-07-27 16:24:28 +0200
commit: edfccb3f673541557d90aca13d7e2cbde2b0aeb8 (patch)
tree: 9268f97420f1efa5ea46d326d3c8cbdc67143359 /src/firejail/fs_whitelist.c
parent: update version table (diff)
download: firejail-edfccb3f673541557d90aca13d7e2cbde2b0aeb8.tar.gz
firejail-edfccb3f673541557d90aca13d7e2cbde2b0aeb8.tar.zst
firejail-edfccb3f673541557d90aca13d7e2cbde2b0aeb8.zip
1 files changed, 16 insertions, 0 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 666f02e4d..122c100f8 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -735,6 +735,22 @@ void fs_whitelist(void) {
                                errExit("mounting tmpfs on /tmp");
                        fs_logger("tmpfs /tmp");
+                        // pam-tmpdir - issue #2685
+                        char *env = getenv("TMP");
+                        if (env) {
+                                char *pamtmpdir;
+                                if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                if (strcmp(env, pamtmpdir) == 0) {
+                                        // create empty user-owned /tmp/user/$uid directory
+                                        mkdir_attr("/tmp/user", 0755, 0, 0);
+                                        fs_logger("mkdir /tmp/user");
+                                        mkdir_attr(pamtmpdir, 0700, getuid(), getgid());
+                                        fs_logger2("mkdir", pamtmpdir);
+                                }
+                                free(pamtmpdir);
+                        }
                        // autowhitelist home directory if it is masked by the tmpfs
                        if (strncmp(cfg.homedir, "/tmp/", 5) == 0)
                                whitelist_home(WLDIR_TMP);
author	smitsohu <smitsohu@gmail.com>	2019-07-27 16:24:28 +0200
committer	smitsohu <smitsohu@gmail.com>	2019-07-27 16:24:28 +0200
commit	edfccb3f673541557d90aca13d7e2cbde2b0aeb8 (patch)
tree	9268f97420f1efa5ea46d326d3c8cbdc67143359 /src/firejail/fs_whitelist.c
parent	update version table (diff)
download	firejail-edfccb3f673541557d90aca13d7e2cbde2b0aeb8.tar.gz firejail-edfccb3f673541557d90aca13d7e2cbde2b0aeb8.tar.zst firejail-edfccb3f673541557d90aca13d7e2cbde2b0aeb8.zip

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 666f02e4d..122c100f8 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -735,6 +735,22 @@ void fs_whitelist(void) {
735	errExit("mounting tmpfs on /tmp");	735	errExit("mounting tmpfs on /tmp");
736	fs_logger("tmpfs /tmp");	736	fs_logger("tmpfs /tmp");
737		737
		738	// pam-tmpdir - issue #2685
		739	char *env = getenv("TMP");
		740	if (env) {
		741	char *pamtmpdir;
		742	if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
		743	errExit("asprintf");
		744	if (strcmp(env, pamtmpdir) == 0) {
		745	// create empty user-owned /tmp/user/$uid directory
		746	mkdir_attr("/tmp/user", 0755, 0, 0);
		747	fs_logger("mkdir /tmp/user");
		748	mkdir_attr(pamtmpdir, 0700, getuid(), getgid());
		749	fs_logger2("mkdir", pamtmpdir);
		750	}
		751	free(pamtmpdir);
		752	}
		753
738	// autowhitelist home directory if it is masked by the tmpfs	754	// autowhitelist home directory if it is masked by the tmpfs
739	if (strncmp(cfg.homedir, "/tmp/", 5) == 0)	755	if (strncmp(cfg.homedir, "/tmp/", 5) == 0)
740	whitelist_home(WLDIR_TMP);	756	whitelist_home(WLDIR_TMP);