x11 xorg: blacklist non-default Xauthority file

fixes #1652
author: smitsohu <smitsohu@gmail.com> 2019-10-08 20:58:59 +0000
committer: GitHub <noreply@github.com> 2019-10-08 20:58:59 +0000
commit: b35c000fee9a4c1418a44e5a5a641bcf48f08345 (patch)
tree: 8201f3fa03e83f5dc0bda9aa9f33096c1d7eff27 /src/firejail/x11.c
parent: add x11 xorg option to HAS_X11 conditional - #2205 (diff)
download: firejail-b35c000fee9a4c1418a44e5a5a641bcf48f08345.tar.gz
firejail-b35c000fee9a4c1418a44e5a5a641bcf48f08345.tar.zst
firejail-b35c000fee9a4c1418a44e5a5a641bcf48f08345.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0927593b0..e707ab8bd 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1238,6 +1238,20 @@ void x11_xorg(void) {
                errLogExit("invalid .Xauthority mount");
        ASSERT_PERMS(dest, getuid(), getgid(), 0600);
+        
+        // blacklist .Xauthority file if it is not masked already
+        char *envar = getenv("XAUTHORITY");
+        if (envar) {
+                char *rp = realpath(envar, NULL);
+                if (rp) {
+                        if (strcmp(rp, dest) != 0)
+                                disable_file_or_dir(rp);
+                        free(rp);
+                }
+                // update environment variable, so our new .Xauthority file is used
+                if (setenv("XAUTHORITY", dest, 1) < 0)
+                        errExit("setenv");
+        }
        free(dest);
 #endif
 }
author	smitsohu <smitsohu@gmail.com>	2019-10-08 20:58:59 +0000
committer	GitHub <noreply@github.com>	2019-10-08 20:58:59 +0000
commit	b35c000fee9a4c1418a44e5a5a641bcf48f08345 (patch)
tree	8201f3fa03e83f5dc0bda9aa9f33096c1d7eff27 /src/firejail/x11.c
parent	add x11 xorg option to HAS_X11 conditional - #2205 (diff)
download	firejail-b35c000fee9a4c1418a44e5a5a641bcf48f08345.tar.gz firejail-b35c000fee9a4c1418a44e5a5a641bcf48f08345.tar.zst firejail-b35c000fee9a4c1418a44e5a5a641bcf48f08345.zip

diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 0927593b0..e707ab8bd 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -1238,6 +1238,20 @@ void x11_xorg(void) {
1238	errLogExit("invalid .Xauthority mount");	1238	errLogExit("invalid .Xauthority mount");
1239		1239
1240	ASSERT_PERMS(dest, getuid(), getgid(), 0600);	1240	ASSERT_PERMS(dest, getuid(), getgid(), 0600);
		1241
		1242	// blacklist .Xauthority file if it is not masked already
		1243	char *envar = getenv("XAUTHORITY");
		1244	if (envar) {
		1245	char *rp = realpath(envar, NULL);
		1246	if (rp) {
		1247	if (strcmp(rp, dest) != 0)
		1248	disable_file_or_dir(rp);
		1249	free(rp);
		1250	}
		1251	// update environment variable, so our new .Xauthority file is used
		1252	if (setenv("XAUTHORITY", dest, 1) < 0)
		1253	errExit("setenv");
		1254	}
1241	free(dest);	1255	free(dest);
1242	#endif	1256	#endif
1243	}	1257	}