Merge branch 'master' of https://github.com/netblue30/firejail

7 files changed, 231 insertions, 193 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index c98f80d13..49d19e33d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -728,10 +728,13 @@ void x11_xorg(void);
 // ls.c
 enum {
         SANDBOX_FS_LS = 0,
+        SANDBOX_FS_CAT,
         SANDBOX_FS_GET,
         SANDBOX_FS_PUT,
         SANDBOX_FS_MAX // this should always be the last entry
 };
+void ls(const char *path);
+void cat(const char *path);
 void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) __attribute__((noreturn));
 
 // checkcfg.c
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index aa33d838b..4d0a001b6 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -34,18 +34,12 @@
 static uid_t c_uid = 0;
 static char *c_uid_name = NULL;
 
-static void print_file_or_dir(const char *path, const char *fname, int separator) {
+static void print_file_or_dir(const char *path, const char *fname) {
         assert(fname);
 
         char *name;
-        if (separator) {
-                if (asprintf(&name, "%s/%s", path, fname) == -1)
-                        errExit("asprintf");
-        }
-        else {
-                if (asprintf(&name, "%s%s", path, fname) == -1)
-                        errExit("asprintf");
-        }
+        if (asprintf(&name, "%s/%s", path, fname) == -1)
+                errExit("asprintf");
 
         struct stat s;
         if (stat(name, &s) == -1) {
@@ -178,13 +172,81 @@ static void print_directory(const char *path) {
                         errExit("scandir");
         else {
                 for (i = 0; i < n; i++) {
-                        print_file_or_dir(path, namelist[i]->d_name, 0);
+                        print_file_or_dir(path, namelist[i]->d_name);
                         free(namelist[i]);
                 }
         }
         free(namelist);
 }
 
+void ls(const char *path) {
+        EUID_ASSERT();
+        assert(path);
+
+        char *rp = realpath(path, NULL);
+        if (!rp || access(rp, R_OK) == -1) {
+                fprintf(stderr, "Error: cannot access %s\n", path);
+                exit(1);
+        }
+        if (arg_debug)
+                printf("ls %s\n", rp);
+
+        // list directory contents
+        struct stat s;
+        if (stat(rp, &s) == -1) {
+                fprintf(stderr, "Error: cannot access %s\n", rp);
+                exit(1);
+        }
+        if (S_ISDIR(s.st_mode))
+                print_directory(rp);
+        else {
+                char *split = strrchr(rp, '/');
+                if (split) {
+                        *split = '\0';
+                        char *rp2 = split + 1;
+                        if (arg_debug)
+                                printf("path %s, file %s\n", rp, rp2);
+                        print_file_or_dir(rp, rp2);
+                }
+        }
+        free(rp);
+}
+
+void cat(const char *path) {
+        EUID_ASSERT();
+        assert(path);
+
+        if (arg_debug)
+                printf("cat %s\n", path);
+        FILE *fp = fopen(path, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot read %s\n", path);
+                exit(1);
+        }
+        int fd = fileno(fp);
+        if (fd == -1)
+                errExit("fileno");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                fprintf(stderr, "Error: %s is not a regular file\n", path);
+                exit(1);
+        }
+        bool tty = isatty(STDOUT_FILENO);
+
+        int c;
+        while ((c = fgetc(fp)) != EOF) {
+                // file is untrusted
+                // replace control characters when printing to a terminal
+                if (tty && c != '\t' && c != '\n' && iscntrl((unsigned char) c))
+                        c = '?';
+                fputc(c, stdout);
+        }
+        fflush(stdout);
+        fclose(fp);
+}
+
 char *expand_path(const char *path) {
         char *fname = NULL;
         if (*path == '/') {
@@ -219,14 +281,14 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
         check_join_permission(pid);
 
         // expand paths
-        char *fname1 = expand_path(path1);;
+        char *fname1 = expand_path(path1);
         char *fname2 = NULL;
         if (path2 != NULL) {
                 fname2 = expand_path(path2);
         }
         if (arg_debug) {
                 printf("file1 %s\n", fname1);
-                printf("file2 %s\n", fname2);
+                printf("file2 %s\n", fname2 ? fname2 : "(null)");
         }
 
         // sandbox root directory
@@ -234,57 +296,36 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
         if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
                 errExit("asprintf");
 
-        if (op == SANDBOX_FS_LS) {
-                EUID_ROOT();
-                // chroot
-                if (chroot(rootdir) < 0)
-                        errExit("chroot");
-                if (chdir("/") < 0)
-                        errExit("chdir");
-
-                // drop privileges
-                drop_privs(0);
-
-                // check access
-                if (access(fname1, R_OK) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
-                        exit(1);
-                }
-                /* coverity[toctou] */
-                char *rp = realpath(fname1, NULL);
-                if (!rp) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
-                        exit(1);
-                }
-                if (arg_debug)
-                        printf("realpath %s\n", rp);
-
+        if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        EUID_ROOT();
+                        // chroot
+                        if (chroot(rootdir) < 0)
+                                errExit("chroot");
+                        if (chdir("/") < 0)
+                                errExit("chdir");
 
-                // list directory contents
-                struct stat s;
-                if (stat(rp, &s) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", rp);
-                        exit(1);
-                }
-                if (S_ISDIR(s.st_mode)) {
-                        char *dir;
-                        if (asprintf(&dir, "%s/", rp) == -1)
-                                errExit("asprintf");
+                        // drop privileges
+                        drop_privs(0);
 
-                        print_directory(dir);
-                        free(dir);
-                }
-                else {
-                        char *split = strrchr(rp, '/');
-                        if (split) {
-                                *split = '\0';
-                                char *rp2 = split + 1;
-                                if (arg_debug)
-                                        printf("path %s, file %s\n", rp, rp2);
-                                print_file_or_dir(rp, rp2, 1);
-                        }
+                        if (op == SANDBOX_FS_LS)
+                                ls(fname1);
+                        else
+                                cat(fname1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
                 }
-                free(rp);
+                // wait for the child to finish
+                int status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
+                else
+                        exit(1);
         }
 
         // get file from sandbox and store it in the current directory
@@ -303,10 +344,12 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 // create a user-owned temporary file in /run/firejail directory
                 char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
                 int fd = mkstemp(tmp_fname);
-                if (fd != -1) {
-                        SET_PERMS_FD(fd, getuid(), getgid(), 0600);
-                        close(fd);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname);
+                        exit(1);
                 }
+                SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+                close(fd);
 
                 // copy the source file into the temporary file - we need to chroot
                 pid_t child = fork();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4c98210f5..072651c4d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -789,6 +789,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                          }
 
                         // list directory contents
+                        if (!arg_debug)
+                                 arg_quiet = 1;
                         pid_t pid = require_pid(argv[i] + 5);
                         sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
                         exit(0);
@@ -796,6 +798,35 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 else
                         exit_err_feature("file transfer");
         }
+        else if (strncmp(argv[i], "--cat=", 6) == 0) {
+                if (checkcfg(CFG_FILE_TRANSFER)) {
+                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --cat and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
+
+                        if ((i + 2) != argc) {
+                                fprintf(stderr, "Error: invalid --cat option, path expected\n");
+                                exit(1);
+                        }
+                        char *path = argv[i + 1];
+                        invalid_filename(path, 0); // no globbing
+                        if (strstr(path, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", path);
+                                exit(1);
+                        }
+
+                        // write file contents to stdout
+                        if (!arg_debug)
+                                 arg_quiet = 1;
+                        pid_t pid = require_pid(argv[i] + 6);
+                        sandboxfs(SANDBOX_FS_CAT, pid, path, NULL);
+                        exit(0);
+                }
+                else
+                        exit_err_feature("file transfer");
+        }
 #endif
         else if (strncmp(argv[i], "--join=", 7) == 0) {
                 if (checkcfg(CFG_JOIN) || getuid() == 0) {
@@ -1252,6 +1283,10 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error: Firejail is dumpable\n");
+#endif
 
         // check for force-nonewprivs in /etc/firejail/firejail.config file
         if (checkcfg(CFG_FORCE_NONEWPRIVS))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e42d35be5..81d535762 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -140,6 +140,20 @@ void set_apparmor(void) {
 }
 #endif
 
+#ifdef HAVE_SECCOMP
+void seccomp_debug(void) {
+        if (arg_debug == 0)
+                return;
+
+        EUID_USER();
+        printf("Seccomp directory:\n");
+        ls(RUN_SECCOMP_DIR);
+        printf("Active seccomp files:\n");
+        cat(RUN_SECCOMP_LIST);
+        EUID_ROOT();
+}
+#endif
+
 static void save_nogroups(void) {
         if (arg_nogroups == 0)
                 return;
@@ -197,32 +211,6 @@ static FILE *create_ready_for_join_file(void) {
         }
 }
 
-#ifdef HAVE_SECCOMP
-static void seccomp_debug(void) {
-        if (arg_debug == 0)
-                return;
-
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                // dropping privs before calling system(3)
-                drop_privs(1);
-                printf("Seccomp directory:\n");
-                int rv = system("ls -l "  RUN_SECCOMP_DIR);
-                (void) rv;
-                printf("Active seccomp files:\n");
-                rv = system("cat " RUN_SECCOMP_LIST);
-                (void) rv;
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        waitpid(child, NULL, 0);
-}
-#endif
-
 static void sandbox_if_up(Bridge *br) {
         assert(br);
         if (!br->configured)
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 57c21ce78..a92d62940 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -48,6 +48,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         if (cfg.seccomp_error_action)
                 if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1)
                         errExit("asprintf");
+        new_environment[env_index++] = "FIREJAIL_PLUGIN="; // always set
 
         if (filtermask & SBOX_STDIN_FROM_FILE) {
                 int fd;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 73c9a6a8b..2390706f2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -47,6 +47,9 @@ static char *usage_str =
         "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
         "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
         "    --caps.print=name|pid - print the caps filter.\n"
+#ifdef HAVE_FILE_TRANSFER
+        "    --cat=name|pid filename - print content of file from sandbox container.\n"
+#endif
         "    --cgroup=tasks-file - place the sandbox in the specified control group.\n"
 #ifdef HAVE_CHROOT
         "    --chroot=dirname - chroot into directory.\n"
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index ba54ca376..e10abad4e 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -34,7 +34,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 
@@ -1129,28 +1129,17 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 
-// Porting notes:
-//
-// 1. merge #1100 from zackw:
-//     Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8
-//     with this message:
-//            xauth:  timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4
-//            Failed to create untrusted X cookie: xauth: exit 1
-//     For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was
-//     a partial merge.
-//
-// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home
-// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
-// something picked up on $PATH.
-//
-// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
-// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
-// and it fails because of the network namespace - it should try to connect to the regular
-// Unix socket! If we ignore the fail condition, the program will be started on X server without
-// the security extension loaded.
+
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
+        // get DISPLAY env
+        char *display = getenv("DISPLAY");
+        if (!display) {
+                fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
+                exit(1);
+        }
+
         // check xauth utility is present in the system
         struct stat s;
         if (stat("/usr/bin/xauth", &s) == -1) {
@@ -1160,26 +1149,27 @@ void x11_xorg(void) {
                 fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                 exit(1);
         }
-        if (s.st_uid != 0 && s.st_gid != 0) {
+        if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
                 fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
                 exit(1);
         }
-
-        // get DISPLAY env
-        char *display = getenv("DISPLAY");
-        if (!display) {
-                fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
+        if (s.st_size > 1024 * 1024) {
+                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
                 exit(1);
         }
-
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=1777,gid=0") < 0)
-                errExit("mounting /tmp");
-
-        // create the temporary .Xauthority file
+        // copy /usr/bin/xauth in the sandbox and set mode to 0711
+        // users are not able to trace the running xauth this way
         if (arg_debug)
-                printf("Generating a new .Xauthority file\n");
-        char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
+                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
+        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
+                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
+                exit(1);
+        }
+
+        fmessage("Generating a new .Xauthority file\n");
+        mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
+        // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
         int fd = mkstemp(tmpfname);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
@@ -1189,64 +1179,17 @@ void x11_xorg(void) {
                 errExit("chown");
         close(fd);
 
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                drop_privs(1);
-                clearenv();
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                if (arg_debug) {
-                        execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
-                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
-                }
-                else {
-                        execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
-                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
-                }
-
-                _exit(127);
-        }
-
-        // wait for the xauth process to finish
-        int status;
-        if (waitpid(child, &status, 0) != child)
-                errExit("waitpid");
-        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
-                /* success */
-        }
-        else if (WIFEXITED(status)) {
-                fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n",
-                        WEXITSTATUS(status));
-                exit(1);
-        }
-        else if (WIFSIGNALED(status)) {
-                fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n",
-                        strsignal(WTERMSIG(status)));
-                exit(1);
-        }
-        else {
-                fprintf(stderr, "Failed to create untrusted X cookie: "
-                        "xauth: un-decodable exit status %04x\n", status);
-                exit(1);
-        }
-
-        // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
-        // automatically when the sandbox is closed (rename doesn't work)
+        // run xauth
         if (arg_debug)
-                printf("Copying the new .Xauthority file\n");
-        copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600);
-        
-        /* coverity[toctou] */
-        unlink(tmpfname);
-        umount("/tmp");
-
-        // mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
-        fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 8, RUN_XAUTH_FILE, "-v", "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
+        else
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
+        // remove xauth copy
+        unlink(RUN_XAUTH_FILE);
 
-        // Ensure there is already a file in the usual location, so that bind-mount below will work.
+        // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
@@ -1257,13 +1200,12 @@ void x11_xorg(void) {
                         exit(1);
                 }
         }
-
-        // get a file descriptor for .Xauthority
-        fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1)
+        // get a file descriptor for ~/.Xauthority
+        int dst = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (dst == -1)
                 errExit("safe_fd");
         // check if the actual mount destination is a user owned regular file
-        if (fstat(fd, &s) == -1)
+        if (fstat(dst, &s) == -1)
                 errExit("fstat");
         if (!S_ISREG(s.st_mode) || s.st_uid != getuid()) {
                 if (S_ISLNK(s.st_mode))
@@ -1274,31 +1216,49 @@ void x11_xorg(void) {
         }
         // preserve a read-only mount
         struct statvfs vfs;
-        if (fstatvfs(fd, &vfs) == -1)
+        if (fstatvfs(dst, &vfs) == -1)
                 errExit("fstatvfs");
         if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0);
+                fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_READONLY, 0);
+
+        // always mounting the new Xauthority file noexec,nodev,nosuid
+        fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_NOEXEC, 0);
+
+        // get a file descriptor for the new Xauthority file
+        int src = safe_fd(tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src == -1)
+                errExit("safe_fd");
+        if (fstat(src, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                errno = EPERM;
+                errExit("mounting Xauthority file");
+        }
 
         // mount via the link in /proc/self/fd
         if (arg_debug)
-                printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                printf("Mounting %s on %s\n", tmpfname, dest);
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
+                errExit("asprintf");
+        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
                 errExit("asprintf");
-        if (mount(RUN_XAUTHORITY_SEC_FILE, proc, "none", MS_BIND, "mode=0600") == -1) {
+        if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) {
                 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                 exit(1);
         }
-        free(proc);
-        close(fd);
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid .Xauthority mount");
+        free(proc_src);
+        free(proc_dst);
+        close(src);
+        close(dst);
 
         ASSERT_PERMS(dest, getuid(), getgid(), 0600);
 
-        // blacklist .Xauthority file if it is not masked already
+        // blacklist user .Xauthority file if it is not masked already
         char *envar = getenv("XAUTHORITY");
         if (envar) {
                 char *rp = realpath(envar, NULL);
@@ -1312,6 +1272,11 @@ void x11_xorg(void) {
         if (setenv("XAUTHORITY", dest, 1) < 0)
                 errExit("setenv");
         free(dest);
+
+        // mask RUN_XAUTHORITY_SEC_DIR
+        if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
 #endif
 }