diff options
author | 2020-10-16 18:51:37 +0200 | |
---|---|---|
committer | 2020-10-23 11:01:12 +0200 | |
commit | 1ebdf894c675925109031b3fbb859478a2ece566 (patch) | |
tree | 6e656ad5d5e4047bcdc078aefbf926e084309589 /src/firejail/profile.c | |
parent | 0.9.64 testing (diff) | |
download | firejail-1ebdf894c675925109031b3fbb859478a2ece566.tar.gz firejail-1ebdf894c675925109031b3fbb859478a2ece566.tar.zst firejail-1ebdf894c675925109031b3fbb859478a2ece566.zip |
Allow --tmpfs inside $HOME for unprivileged users
--tmpfs was added in 0.9.14 and restricted to root only in 0.9.38
due to priv-esc CVE-2016-10117 (e.g. --tmpfs=/etc and modify
/etc/sudoers). This commit reintroduce it for normal users, if the
realpath of it is inside users-home.
Diffstat (limited to 'src/firejail/profile.c')
-rw-r--r-- | src/firejail/profile.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5d83e6a73..8ed187b20 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1563,10 +1563,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1563 | else if (strncmp(ptr, "noexec ", 7) == 0) | 1563 | else if (strncmp(ptr, "noexec ", 7) == 0) |
1564 | ptr += 7; | 1564 | ptr += 7; |
1565 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 1565 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
1566 | if (getuid() != 0) { | ||
1567 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); | ||
1568 | exit(1); | ||
1569 | } | ||
1570 | ptr += 6; | 1566 | ptr += 6; |
1571 | } | 1567 | } |
1572 | else { | 1568 | else { |