author | netblue30 <netblue30@protonmail.com> | 2022-02-08 10:30:22 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-02-08 10:30:22 -0500 |
commit | 86a57917aa2ef664cc27865a235860412a0a381d (patch) | |
tree | 1187f5385d2cf2f4b2bee9af2bc30f906f519b20 /src/firejail | |
parent | Merge pull request #4912 from netblue30/ci_centos (diff) | |
fix --private-cwd, issue #4910
Diffstat (limited to 'src/firejail')
-rw-r--r-- | src/firejail/fs_home.c | 14 |
1 files changed, 12 insertions, 2 deletions
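--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
 }
 
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+// $ firejail --private --private-cwd=. --noprofile ls
+// issue #4780: exposes full home directory, not the --private one
+// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required
+// $ firejail --private-cwd=/etc --noprofile ls -> OK
+// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks
+// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK
+// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK
+// $ firejail --private-cwd --> OK: should go in top of the home dir
+// profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
 EUID_ASSERT();
 invalid_filename(dir, 0); // no globbing
-if (strcmp(dir, ".") == 0 || *dir != '/')
+if (strcmp(dir, ".") == 0)
 goto errout;
 
 // Expand the working directory
 cfg.cwd = expand_macros(dir);
 
 // realpath/is_dir not used because path may not exist outside of jail
-if (strstr(cfg.cwd, ".."))
+if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
 goto errout;
 
 return;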
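Review bot: The test list added above fs_check_private_cwd promises `error: no symlinks` for a symlink path, but nothing in the visible body checks for symlinks: it rejects only `.`, any `..` substring and an expanded path that does not start with `/`, and its own comment says realpath is deliberately not used. If symlink rejection is enforced later, when the sandbox actually enters `cfg.cwd`, a one-line comment naming that place would stop a reader from treating this function as the complete validation of the jailed working directory. The first test line also states no expected outcome although `--private-cwd=.` appears to reach `goto errout`; if issue #4780 describes the old behaviour, something like `// $ firejail --private --private-cwd=. --noprofile ls -> error (issue #4780: used to expose the full home directory)` would make that explicit, and the last line has an unbalanced quote. With `*cfg.cwd != '/'` now applied after expansion, the earlier `strcmp(dir, ".")` test looks redundant and could be dropped or explained. The function continues past the hunk (the `errout` label is not shown), so the failure path could not be reviewed.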