copy_file cleanup

author: netblue30 <netblue30@yahoo.com> 2017-01-10 14:19:45 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-01-10 14:19:45 -0500
commit: a119058e87f8b6a25ca5a59e25837410caa118f7 (patch)
tree: 024324a691d5014f4d2b04901eeec0368d53af1c /src
parent: security fix (diff)
download: firejail-a119058e87f8b6a25ca5a59e25837410caa118f7.tar.gz
firejail-a119058e87f8b6a25ca5a59e25837410caa118f7.tar.zst
firejail-a119058e87f8b6a25ca5a59e25837410caa118f7.zip
6 files changed, 18 insertions, 18 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e2fc09533..0c643af4a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1129,7 +1129,7 @@ void fs_chroot(const char *rootdir) {
                        fprintf(stderr, "Error: invalid %s file\n", fname);
                        exit(1);
                }
-                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)
+                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
                        fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
        }
        
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index e4b19d5cc..8a52314ed 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -47,7 +47,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        exit(1);
                }
                if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644);
+                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
                        fs_logger("clone /etc/skel/.zshrc");
                }
                else {
@@ -71,7 +71,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        exit(1);
                }
                if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644);
+                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
                        fs_logger("clone /etc/skel/.cshrc");
                }
                else {
@@ -94,7 +94,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        exit(1);
                }
                if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644);
+                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
                        fs_logger("clone /etc/skel/.bashrc");
                }
                free(fname);
@@ -123,7 +123,7 @@ static int store_xauthority(void) {
                        return 0;
                }
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600);
+                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
                fs_logger2("clone", dest);
                return 1; // file copied
        }
@@ -163,7 +163,7 @@ static int store_asoundrc(void) {
                        free(rp);
                }
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644);
+                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
                fs_logger2("clone", dest);
                return 1; // file copied
        }
@@ -184,7 +184,7 @@ static void copy_xauthority(void) {
                exit(1);
        }
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
        fs_logger2("clone", dest);
        
        // delete the temporary file
@@ -204,7 +204,7 @@ static void copy_asoundrc(void) {
                exit(1);
        }
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
        fs_logger2("clone", dest);
        // delete the temporary file
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 77eb35f97..1af56751a 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                        drop_privs(0);
                        
                        // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                _exit(1);
 #ifdef HAVE_GCOV
                        __gcov_flush();
@@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                        drop_privs(0);
                        
                        // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                _exit(1);
 #ifdef HAVE_GCOV
                        __gcov_flush();
@@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                        drop_privs(0);
                        
                        // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                _exit(1);
 #ifdef HAVE_GCOV
                        __gcov_flush();
@@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                        drop_privs(0);
                        
                        // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                _exit(1);
 #ifdef HAVE_GCOV
                        __gcov_flush();
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index d2db7d3dd..e17f39caa 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) {
                fs_logger2("tmpfs", RUN_MNT_DIR);
                
                //copy defaultl seccomp files
-                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
-                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
                if (arg_allow_debuggers)
-                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                else
-                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                        
                // as root, create an empty RUN_SECCOMP_PROTOCOL file
                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index f0f95a80e..4ec84ec61 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -114,7 +114,7 @@ void pulseaudio_init(void) {
        char *pulsecfg = NULL;
        if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
+        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
                errExit("copy_file");
        FILE *fp = fopen(pulsecfg, "a+");
        if (!fp)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 2d3563093..763e6b58b 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -229,7 +229,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                drop_privs(0);
                // copy, set permissions and ownership
-                int rv = copy_file(srcname, destname, uid, gid, mode);
+                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
                if (rv)
                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
 #ifdef HAVE_GCOV
author	netblue30 <netblue30@yahoo.com>	2017-01-10 14:19:45 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-01-10 14:19:45 -0500
commit	a119058e87f8b6a25ca5a59e25837410caa118f7 (patch)
tree	024324a691d5014f4d2b04901eeec0368d53af1c /src
parent	security fix (diff)
download	firejail-a119058e87f8b6a25ca5a59e25837410caa118f7.tar.gz firejail-a119058e87f8b6a25ca5a59e25837410caa118f7.tar.zst firejail-a119058e87f8b6a25ca5a59e25837410caa118f7.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e2fc09533..0c643af4a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -1129,7 +1129,7 @@ void fs_chroot(const char *rootdir) {
1129	fprintf(stderr, "Error: invalid %s file\n", fname);	1129	fprintf(stderr, "Error: invalid %s file\n", fname);
1130	exit(1);	1130	exit(1);
1131	}	1131	}
1132	if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)	1132	if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
1133	fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");	1133	fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
1134	}	1134	}
1135		1135


diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index e4b19d5cc..8a52314ed 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -47,7 +47,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
47	exit(1);	47	exit(1);
48	}	48	}
49	if (stat("/etc/skel/.zshrc", &s) == 0) {	49	if (stat("/etc/skel/.zshrc", &s) == 0) {
50	copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644);	50	copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
51	fs_logger("clone /etc/skel/.zshrc");	51	fs_logger("clone /etc/skel/.zshrc");
52	}	52	}
53	else {	53	else {
@@ -71,7 +71,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
71	exit(1);	71	exit(1);
72	}	72	}
73	if (stat("/etc/skel/.cshrc", &s) == 0) {	73	if (stat("/etc/skel/.cshrc", &s) == 0) {
74	copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644);	74	copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
75	fs_logger("clone /etc/skel/.cshrc");	75	fs_logger("clone /etc/skel/.cshrc");
76	}	76	}
77	else {	77	else {
@@ -94,7 +94,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
94	exit(1);	94	exit(1);
95	}	95	}
96	if (stat("/etc/skel/.bashrc", &s) == 0) {	96	if (stat("/etc/skel/.bashrc", &s) == 0) {
97	copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644);	97	copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
98	fs_logger("clone /etc/skel/.bashrc");	98	fs_logger("clone /etc/skel/.bashrc");
99	}	99	}
100	free(fname);	100	free(fname);
@@ -123,7 +123,7 @@ static int store_xauthority(void) {
123	return 0;	123	return 0;
124	}	124	}
125		125
126	copy_file_as_user(src, dest, getuid(), getgid(), 0600);	126	copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
127	fs_logger2("clone", dest);	127	fs_logger2("clone", dest);
128	return 1; // file copied	128	return 1; // file copied
129	}	129	}
@@ -163,7 +163,7 @@ static int store_asoundrc(void) {
163	free(rp);	163	free(rp);
164	}	164	}
165		165
166	copy_file_as_user(src, dest, getuid(), getgid(), 0644);	166	copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
167	fs_logger2("clone", dest);	167	fs_logger2("clone", dest);
168	return 1; // file copied	168	return 1; // file copied
169	}	169	}
@@ -184,7 +184,7 @@ static void copy_xauthority(void) {
184	exit(1);	184	exit(1);
185	}	185	}
186		186
187	copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR \| S_IWUSR);	187	copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR \| S_IWUSR); // regular user
188	fs_logger2("clone", dest);	188	fs_logger2("clone", dest);
189		189
190	// delete the temporary file	190	// delete the temporary file
@@ -204,7 +204,7 @@ static void copy_asoundrc(void) {
204	exit(1);	204	exit(1);
205	}	205	}
206		206
207	copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR \| S_IWUSR);	207	copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR \| S_IWUSR); // regular user
208	fs_logger2("clone", dest);	208	fs_logger2("clone", dest);
209		209
210	// delete the temporary file	210	// delete the temporary file


diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 77eb35f97..1af56751a 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c
@@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char path1, const char path2) {
336	drop_privs(0);	336	drop_privs(0);
337		337
338	// copy the file	338	// copy the file
339	if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))	339	if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
340	_exit(1);	340	_exit(1);
341	#ifdef HAVE_GCOV	341	#ifdef HAVE_GCOV
342	__gcov_flush();	342	__gcov_flush();
@@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char path1, const char path2) {
362	drop_privs(0);	362	drop_privs(0);
363		363
364	// copy the file	364	// copy the file
365	if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))	365	if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
366	_exit(1);	366	_exit(1);
367	#ifdef HAVE_GCOV	367	#ifdef HAVE_GCOV
368	__gcov_flush();	368	__gcov_flush();
@@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char path1, const char path2) {
411	drop_privs(0);	411	drop_privs(0);
412		412
413	// copy the file	413	// copy the file
414	if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))	414	if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
415	_exit(1);	415	_exit(1);
416	#ifdef HAVE_GCOV	416	#ifdef HAVE_GCOV
417	__gcov_flush();	417	__gcov_flush();
@@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char path1, const char path2) {
443	drop_privs(0);	443	drop_privs(0);
444		444
445	// copy the file	445	// copy the file
446	if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))	446	if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
447	_exit(1);	447	_exit(1);
448	#ifdef HAVE_GCOV	448	#ifdef HAVE_GCOV
449	__gcov_flush();	449	__gcov_flush();


diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index d2db7d3dd..e17f39caa 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) {
76	fs_logger2("tmpfs", RUN_MNT_DIR);	76	fs_logger2("tmpfs", RUN_MNT_DIR);
77		77
78	//copy defaultl seccomp files	78	//copy defaultl seccomp files
79	copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);	79	copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
80	copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);	80	copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
81	if (arg_allow_debuggers)	81	if (arg_allow_debuggers)
82	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);	82	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
83	else	83	else
84	copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);	84	copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
85		85
86	// as root, create an empty RUN_SECCOMP_PROTOCOL file	86	// as root, create an empty RUN_SECCOMP_PROTOCOL file
87	create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);	87	create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);


diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index f0f95a80e..4ec84ec61 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c
@@ -114,7 +114,7 @@ void pulseaudio_init(void) {
114	char *pulsecfg = NULL;	114	char *pulsecfg = NULL;
115	if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)	115	if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
116	errExit("asprintf");	116	errExit("asprintf");
117	if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))	117	if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
118	errExit("copy_file");	118	errExit("copy_file");
119	FILE *fp = fopen(pulsecfg, "a+");	119	FILE *fp = fopen(pulsecfg, "a+");
120	if (!fp)	120	if (!fp)


diff --git a/src/firejail/util.c b/src/firejail/util.c index 2d3563093..763e6b58b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -229,7 +229,7 @@ void copy_file_as_user(const char srcname, const char destname, uid_t uid, gid
229	drop_privs(0);	229	drop_privs(0);
230		230
231	// copy, set permissions and ownership	231	// copy, set permissions and ownership
232	int rv = copy_file(srcname, destname, uid, gid, mode);	232	int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
233	if (rv)	233	if (rv)
234	fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");	234	fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
235	#ifdef HAVE_GCOV	235	#ifdef HAVE_GCOV