diff options
author | netblue30 <netblue30@protonmail.com> | 2022-06-19 09:18:43 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-06-19 09:18:43 -0400 |
commit | fc912c0821b02be7a556ddf71c65db3abaa6be9c (patch) | |
tree | 03499eaf65bcfe8d2e05731f0e6648fb7f016267 /src | |
parent | Update SECURITY.md (diff) | |
download | firejail-fc912c0821b02be7a556ddf71c65db3abaa6be9c.tar.gz firejail-fc912c0821b02be7a556ddf71c65db3abaa6be9c.tar.zst firejail-fc912c0821b02be7a556ddf71c65db3abaa6be9c.zip |
removing guess_shell() function and using instead the shell configured in the password database (/etc/passwd file)
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/env.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 47 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 |
5 files changed, 12 insertions, 42 deletions
diff --git a/src/firejail/env.c b/src/firejail/env.c index 963288459..548e8102d 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -119,7 +119,7 @@ void env_defaults(void) { | |||
119 | // env_store_name_val("MOZ_NO_REMOTE, "1", SETENV); | 119 | // env_store_name_val("MOZ_NO_REMOTE, "1", SETENV); |
120 | env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc, | 120 | env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc, |
121 | if (!cfg.shell) | 121 | if (!cfg.shell) |
122 | cfg.shell = guess_shell(); | 122 | cfg.shell = cfg.usershell; |
123 | if (cfg.shell) | 123 | if (cfg.shell) |
124 | env_store_name_val("SHELL", cfg.shell, SETENV); | 124 | env_store_name_val("SHELL", cfg.shell, SETENV); |
125 | 125 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 19cbacc01..325524379 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -154,6 +154,7 @@ typedef struct config_t { | |||
154 | // user data | 154 | // user data |
155 | char *username; | 155 | char *username; |
156 | char *homedir; | 156 | char *homedir; |
157 | char *usershell; | ||
157 | 158 | ||
158 | // filesystem | 159 | // filesystem |
159 | ProfileEntry *profile; | 160 | ProfileEntry *profile; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8bfff4e68..2a68dc806 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -245,6 +245,9 @@ static void init_cfg(int argc, char **argv) { | |||
245 | cfg.username = strdup(pw->pw_name); | 245 | cfg.username = strdup(pw->pw_name); |
246 | if (!cfg.username) | 246 | if (!cfg.username) |
247 | errExit("strdup"); | 247 | errExit("strdup"); |
248 | cfg.usershell = strdup(pw->pw_shell); | ||
249 | if (!cfg.usershell) | ||
250 | errExit("strdup"); | ||
248 | 251 | ||
249 | // check user database | 252 | // check user database |
250 | if (!firejail_user_check(cfg.username)) { | 253 | if (!firejail_user_check(cfg.username)) { |
@@ -801,7 +804,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
801 | } | 804 | } |
802 | 805 | ||
803 | if (!cfg.shell && !arg_shell_none) | 806 | if (!cfg.shell && !arg_shell_none) |
804 | cfg.shell = guess_shell(); | 807 | cfg.shell = cfg.usershell; |
805 | 808 | ||
806 | // join sandbox by pid or by name | 809 | // join sandbox by pid or by name |
807 | pid_t pid = require_pid(argv[i] + 7); | 810 | pid_t pid = require_pid(argv[i] + 7); |
@@ -830,7 +833,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
830 | pid_t pid; | 833 | pid_t pid; |
831 | if (!read_pid(argv[i] + 16, &pid)) { | 834 | if (!read_pid(argv[i] + 16, &pid)) { |
832 | if (!cfg.shell && !arg_shell_none) | 835 | if (!cfg.shell && !arg_shell_none) |
833 | cfg.shell = guess_shell(); | 836 | cfg.shell = cfg.usershell; |
834 | 837 | ||
835 | join(pid, argc, argv, i + 1); | 838 | join(pid, argc, argv, i + 1); |
836 | exit(0); | 839 | exit(0); |
@@ -851,7 +854,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
851 | } | 854 | } |
852 | 855 | ||
853 | if (!cfg.shell && !arg_shell_none) | 856 | if (!cfg.shell && !arg_shell_none) |
854 | cfg.shell = guess_shell(); | 857 | cfg.shell = cfg.usershell; |
855 | 858 | ||
856 | // join sandbox by pid or by name | 859 | // join sandbox by pid or by name |
857 | pid_t pid = require_pid(argv[i] + 15); | 860 | pid_t pid = require_pid(argv[i] + 15); |
@@ -871,7 +874,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
871 | } | 874 | } |
872 | 875 | ||
873 | if (!cfg.shell && !arg_shell_none) | 876 | if (!cfg.shell && !arg_shell_none) |
874 | cfg.shell = guess_shell(); | 877 | cfg.shell = cfg.usershell; |
875 | 878 | ||
876 | // join sandbox by pid or by name | 879 | // join sandbox by pid or by name |
877 | pid_t pid = require_pid(argv[i] + 18); | 880 | pid_t pid = require_pid(argv[i] + 18); |
@@ -889,40 +892,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
889 | 892 | ||
890 | } | 893 | } |
891 | 894 | ||
892 | char *guess_shell(void) { | ||
893 | const char *shell; | ||
894 | char *retval; | ||
895 | |||
896 | shell = env_get("SHELL"); | ||
897 | if (shell) { | ||
898 | invalid_filename(shell, 0); // no globbing | ||
899 | if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL && | ||
900 | strcmp(gnu_basename(shell), "firejail") != 0) | ||
901 | goto found; | ||
902 | } | ||
903 | |||
904 | // shells in order of preference | ||
905 | static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; | ||
906 | |||
907 | int i = 0; | ||
908 | while (shells[i] != NULL) { | ||
909 | // access call checks as real UID/GID, not as effective UID/GID | ||
910 | if (access(shells[i], X_OK) == 0) { | ||
911 | shell = shells[i]; | ||
912 | goto found; | ||
913 | } | ||
914 | i++; | ||
915 | } | ||
916 | |||
917 | return NULL; | ||
918 | |||
919 | found: | ||
920 | retval = strdup(shell); | ||
921 | if (!retval) | ||
922 | errExit("strdup"); | ||
923 | return retval; | ||
924 | } | ||
925 | |||
926 | // return argument index | 895 | // return argument index |
927 | static int check_arg(int argc, char **argv, const char *argument, int strict) { | 896 | static int check_arg(int argc, char **argv, const char *argument, int strict) { |
928 | int i; | 897 | int i; |
@@ -2901,7 +2870,7 @@ int main(int argc, char **argv, char **envp) { | |||
2901 | 2870 | ||
2902 | // guess shell if unspecified | 2871 | // guess shell if unspecified |
2903 | if (!arg_shell_none && !cfg.shell) { | 2872 | if (!arg_shell_none && !cfg.shell) { |
2904 | cfg.shell = guess_shell(); | 2873 | cfg.shell = cfg.usershell; |
2905 | if (!cfg.shell) { | 2874 | if (!cfg.shell) { |
2906 | fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); | 2875 | fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); |
2907 | exit(1); | 2876 | exit(1); |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index c57d397ef..62b701c4d 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -190,7 +190,7 @@ void run_no_sandbox(int argc, char **argv) { | |||
190 | 190 | ||
191 | if (prog_index == 0) { | 191 | if (prog_index == 0) { |
192 | // got no command, require a shell and try to execute it | 192 | // got no command, require a shell and try to execute it |
193 | cfg.shell = guess_shell(); | 193 | cfg.shell = cfg.usershell; |
194 | if (!cfg.shell) { | 194 | if (!cfg.shell) { |
195 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | 195 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); |
196 | exit(1); | 196 | exit(1); |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index daa0a2e92..3a4d74317 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1562,7 +1562,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1562 | EUID_USER(); | 1562 | EUID_USER(); |
1563 | if (!r) { | 1563 | if (!r) { |
1564 | if (!cfg.shell && !arg_shell_none) | 1564 | if (!cfg.shell && !arg_shell_none) |
1565 | cfg.shell = guess_shell(); | 1565 | cfg.shell = cfg.usershell; |
1566 | 1566 | ||
1567 | // find first non-option arg | 1567 | // find first non-option arg |
1568 | int i; | 1568 | int i; |