author | netblue30 <netblue30@yahoo.com> | 2018-08-26 13:23:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-08-26 13:23:28 -0400 |
commit | 95deecf1f3128c2fd6984c6b6f4a8f540441188b (patch) | |
tree | 3a5572c53e31adc7ab5e3de1d3862563e55f5e65 /src | |
parent | support for local user directories in firecfg (--bindir) (diff) | |
allow system users to run the sandbox
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/firejail_user.c | 8 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 20 |
2 files changed, 19 insertions, 9 deletions
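--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -107,10 +107,8 @@ int firejail_user_check(const char *name) {
 if (strcmp(name, "root") == 0)
 return 1;
 
-// other system users will run the program as is
-uid_t uid = getuid();
-assert(uid_min > 0);
-if (((int) uid < uid_min && uid != 0) || strcmp(name, "nobody") == 0)
+// user nobody is never allowed
+if (strcmp(name, "root") == 0)
 return 0;
 
 // check file existence
@@ -155,7 +153,7 @@ void firejail_user_add(const char *name) {
 struct passwd *pw = getpwnam(name);
 if (!pw) {
 fprintf(stderr, "Error: user %s not found on this system.\n", name);
-return;
+exit(1);
 }
 
 // check the user is not already in the database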
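Review bot: The check added under `// user nobody is never allowed` in firejail_user_check compares `name` with "root", but the root case has already returned 1 two lines above, so this branch is unreachable and `nobody` is no longer rejected at this point. Since the old uid/"nobody" test is removed in the same hunk, whether `nobody` may start the SUID sandbox now appears to depend only on the firejail.users lookup that follows outside the hunk, and the updated man page states that every user is allowed when that file is absent. The line should read `if (strcmp(name, "nobody") == 0)`, which matches both the comment and the man page text. The body of firejail_user_check starts and continues outside the hunk.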
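--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+root user is allowed by default, user nobody is never allowed.
 
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
 
+If the file is not present in the system, all users are allowed to use the sandbox.
+
 Example:
 
 $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 
 See \fBman 1 firecfg\fR for details.
 
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+# addgroup firejail
+.br
+# chown root:firejail /usr/bin/firejail
+.br
+# chmod 4750 /usr/bin/firejail
+
+
 .SH FILES
 /etc/firejail/firejail.users
 
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO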