| field | value | date |
|---|---|---|
| author | netblue30 <netblue30@yahoo.com> | 2018-08-26 13:23:28 -0400 |
| committer | netblue30 <netblue30@yahoo.com> | 2018-08-26 13:23:28 -0400 |
| commit | 95deecf1f3128c2fd6984c6b6f4a8f540441188b (patch) | |
| tree | 3a5572c53e31adc7ab5e3de1d3862563e55f5e65 /src/man | |
| parent | support for local user directories in firecfg (--bindir) (diff) | |
allow system users to run the sandbox
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-users.txt | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index c29de0705..88b4041b0 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt | |||
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database | |||
4 | 4 | ||
5 | .SH DESCRIPTION | 5 | .SH DESCRIPTION |
6 | /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. | 6 | /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. |
7 | If the file is not present in the system, all users are allowed to use the sandbox. | 7 | root user is allowed by default, user nobody is never allowed. |
8 | root user is allowed by default. Other system users (users with an ID below UID_MIN value | ||
9 | defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox. | ||
10 | 8 | ||
11 | If the user is not allowed to start the sandbox, Firejail will attempt to run the | 9 | If the user is not allowed to start the sandbox, Firejail will attempt to run the |
12 | program without sandboxing it. | 10 | program without sandboxing it. |
13 | 11 | ||
12 | If the file is not present in the system, all users are allowed to use the sandbox. | ||
13 | |||
14 | Example: | 14 | Example: |
15 | 15 | ||
16 | $ cat /etc/firejail/firejail.users | 16 | $ cat /etc/firejail/firejail.users |
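Review bot: the rewritten DESCRIPTION (new lines 6-7) leaves the new access rule underspecified and the sentence "root user is allowed by default, user nobody is never allowed." is a comma splice. The hunk drops the old UID_MIN restriction but never says that every account other than root must now appear in /etc/firejail/firejail.users, and it does not say whether "nobody" is matched by account name or by its numeric uid. Suggest splitting it and stating the rule, e.g. "The root user is always allowed. The user nobody is never allowed. Any other user must be listed in this file." Also, since the following paragraph describes the fallback of running the program without sandboxing, the moved sentence "If the file is not present in the system, all users are allowed to use the sandbox." read better where it was, directly after the first paragraph, so that all allow/deny conditions are stated before the fallback.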
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li | |||
34 | 34 | ||
35 | See \fBman 1 firecfg\fR for details. | 35 | See \fBman 1 firecfg\fR for details. |
36 | 36 | ||
37 | .SH ALTERNATIVE SOLUTION | ||
38 | An alternative way of restricting user access to firejail executable is to create a special firejail user group and | ||
39 | allow only users in this group to run the sandbox: | ||
40 | |||
41 | # addgroup firejail | ||
42 | .br | ||
43 | # chown root:firejail /usr/bin/firejail | ||
44 | .br | ||
45 | # chmod 4750 /usr/bin/firejail | ||
46 | |||
47 | |||
37 | .SH FILES | 48 | .SH FILES |
38 | /etc/firejail/firejail.users | 49 | /etc/firejail/firejail.users |
39 | 50 | ||
40 | .SH LICENSE | 51 | .SH LICENSE |
41 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 52 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License |
53 | as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
42 | .PP | 54 | .PP |
43 | Homepage: https://firejail.wordpress.com | 55 | Homepage: https://firejail.wordpress.com |
44 | .SH SEE ALSO | 56 | .SH SEE ALSO |
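Review bot: the new ALTERNATIVE SOLUTION section (new lines 37-45) should state how it differs from the firejail.users mechanism, because that difference is the reason to choose one over the other: with "# chmod 4750 /usr/bin/firejail" a user outside the firejail group gets a permission error from exec and the program does not start at all, whereas the DESCRIPTION above says a user not allowed by the file has the program run without sandboxing. Two further points: addgroup is the Debian/Ubuntu wrapper, so the portable command is "# groupadd firejail" (or show both); and a package upgrade reinstalls /usr/bin/firejail with the packaged owner and mode, so the text should tell the reader to make the override persistent (on dpkg-based systems with "# dpkg-statoverride --update --add root firejail 4750 /usr/bin/firejail"). Minor: the two blank lines 46-47 before .SH FILES can be one, and the reflow of the LICENSE paragraph at lines 52-53 is unrelated to this change and belongs in a separate commit.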