authorLibravatar Aleksey Manevich <manevich.aleksey@gmail.com>2016-08-25 01:01:06 +0300
committerLibravatar Aleksey Manevich <manevich.aleksey@gmail.com>2016-08-25 01:05:40 +0300
commit51d69322896d0f622d77dc581c35876c1c937596 (patch)
tree88bf6dd701767267ac564c008335e728a9ab727d /src/firejail/restrict_users.c
parenttighten security (diff)
tighten security
Diffstat (limited to 'src/firejail/restrict_users.c')
-rw-r--r--src/firejail/restrict_users.c14
1 files changed, 4 insertions, 10 deletions
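--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -187,12 +187,9 @@ static void sanitize_passwd(void) {
 		fprintf(fpout, "%s", buf);
 	}
 	fclose(fpin);
+	SET_PERMS_STREAM(fpout, 0, 0, 0644);
 	fclose(fpout);
-	if (chown(RUN_PASSWD_FILE, 0, 0) == -1)
-		errExit("chown");
-	if (chmod(RUN_PASSWD_FILE, 0644) == -1)
-		errExit("chmod");
-
+
 	// mount-bind tne new password file
 	if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
 		errExit("mount");
@@ -319,12 +316,9 @@ static void sanitize_group(void) {
 		goto errout;
 	}
 	fclose(fpin);
+	SET_PERMS_STREAM(fpout, 0, 0, 0644);
 	fclose(fpout);
-	if (chown(RUN_GROUP_FILE, 0, 0) == -1)
-		errExit("chown");
-	if (chmod(RUN_GROUP_FILE, 0644) == -1)
-		errExit("chmod");
-
+
 	// mount-bind tne new group file
 	if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
 		errExit("mount");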
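Review bot: The `fclose(fpout);` that follows the new `SET_PERMS_STREAM(fpout, 0, 0, 0644);` is still unchecked in both hunks (sanitize_passwd and sanitize_group), so a failed flush at close (for example ENOSPC on the run directory) leaves a truncated RUN_PASSWD_FILE / RUN_GROUP_FILE that the next lines bind-mount over /etc/passwd and /etc/group without any error. Since the ownership and mode are now applied to the open stream rather than by path, the close is the last write-side failure point before the mount, so it should fail hard like the other calls here: `if (fclose(fpout) != 0) errExit("fclose");`. Moving the permission change onto the stream (presumably fchown/fchmod on the underlying descriptor — the macro is not visible here) does remove the path-based window the old chown/chmod had, which is a good change. Both enclosing functions start outside their hunks.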