allow system users to run the sandbox

author: netblue30 <netblue30@yahoo.com> 2018-08-26 13:23:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-08-26 13:23:28 -0400
commit: 95deecf1f3128c2fd6984c6b6f4a8f540441188b (patch)
tree: 3a5572c53e31adc7ab5e3de1d3862563e55f5e65 /src/man/firejail-users.txt
parent: support for local user directories in firecfg (--bindir) (diff)
download: firejail-95deecf1f3128c2fd6984c6b6f4a8f540441188b.tar.gz
firejail-95deecf1f3128c2fd6984c6b6f4a8f540441188b.tar.zst
firejail-95deecf1f3128c2fd6984c6b6f4a8f540441188b.zip
1 files changed, 16 insertions, 4 deletions
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index c29de0705..88b4041b0 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
+root user is allowed by default, user nobody is never allowed.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
+If the file is not present in the system, all users are allowed to use the sandbox.
 Example:
        $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 See \fBman 1 firecfg\fR for details.
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+        # addgroup firejail
+.br
+        # chown root:firejail /usr/bin/firejail
+.br
+        # chmod 4750 /usr/bin/firejail
 .SH FILES
 /etc/firejail/firejail.users
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
author	netblue30 <netblue30@yahoo.com>	2018-08-26 13:23:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-08-26 13:23:28 -0400
commit	95deecf1f3128c2fd6984c6b6f4a8f540441188b (patch)
tree	3a5572c53e31adc7ab5e3de1d3862563e55f5e65 /src/man/firejail-users.txt
parent	support for local user directories in firecfg (--bindir) (diff)
download	firejail-95deecf1f3128c2fd6984c6b6f4a8f540441188b.tar.gz firejail-95deecf1f3128c2fd6984c6b6f4a8f540441188b.tar.zst firejail-95deecf1f3128c2fd6984c6b6f4a8f540441188b.zip

diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index c29de0705..88b4041b0 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
4		4
5	.SH DESCRIPTION	5	.SH DESCRIPTION
6	/etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.	6	/etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
7	If the file is not present in the system, all users are allowed to use the sandbox.	7	root user is allowed by default, user nobody is never allowed.
8	root user is allowed by default. Other system users (users with an ID below UID_MIN value
9	defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
10		8
11	If the user is not allowed to start the sandbox, Firejail will attempt to run the	9	If the user is not allowed to start the sandbox, Firejail will attempt to run the
12	program without sandboxing it.	10	program without sandboxing it.
13		11
		12	If the file is not present in the system, all users are allowed to use the sandbox.
		13
14	Example:	14	Example:
15		15
16	$ cat /etc/firejail/firejail.users	16	$ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
34		34
35	See \fBman 1 firecfg\fR for details.	35	See \fBman 1 firecfg\fR for details.
36		36
		37	.SH ALTERNATIVE SOLUTION
		38	An alternative way of restricting user access to firejail executable is to create a special firejail user group and
		39	allow only users in this group to run the sandbox:
		40
		41	# addgroup firejail
		42	.br
		43	# chown root:firejail /usr/bin/firejail
		44	.br
		45	# chmod 4750 /usr/bin/firejail
		46
		47
37	.SH FILES	48	.SH FILES
38	/etc/firejail/firejail.users	49	/etc/firejail/firejail.users
39		50
40	.SH LICENSE	51	.SH LICENSE
41	Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.	52	Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
		53	as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
42	.PP	54	.PP
43	Homepage: https://firejail.wordpress.com	55	Homepage: https://firejail.wordpress.com
44	.SH SEE ALSO	56	.SH SEE ALSO