author | netblue30 <netblue30@protonmail.com> | 2023-11-24 17:06:48 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-24 17:06:48 -0500 |
commit | 5e23f74906e4971238275eebc235de49a574ffbd (patch) | |
tree | b8d5b082db39f7a69a494dc29528a7063df92be9 /src | |
parent | Merge pull request #6070 from kmk3/sort-py-csort (diff) | |
parent | Lookup xauth in PATH. (diff) | |
Merge pull request #6087 from chestnykh/issue-6006
Lookup xauth in PATH.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_lib2.c | 6 | ||||
-rw-r--r-- | src/firejail/x11.c | 30 |
2 files changed, 23 insertions, 13 deletions
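--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 
 // bring in xauth libraries
+
+char *xauth_bin = find_in_path("xauth");
 if (arg_x11_xorg)
-fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+fslib_mount_libs(xauth_bin, 1); // parse as user
+
+free(xauth_bin);
 
 fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }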
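Review bot: The result of `find_in_path("xauth")` is passed to `fslib_mount_libs(xauth_bin, 1)` without a NULL check, although the x11.c part of this commit shows the lookup can fail (`if (!xauth_bin)`). Whether `fslib_mount_libs` tolerates a NULL path is not visible here, so the guard should be explicit: `if (arg_x11_xorg && xauth_bin)`. The lookup also runs when `arg_x11_xorg` is unset, and unlike the hard-coded `/usr/bin/xauth` the path now depends on the caller's PATH; a short comment such as `// xauth_bin comes from the user's PATH; libraries are parsed as user` would record that trust assumption. The start of `fslib_install_firejail` is outside the hunk.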
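--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 
-
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -1175,31 +1174,38 @@ void x11_xorg(void) {
 exit(1);
 }
 
+char *xauth_bin = find_in_path("xauth");
+
 // check xauth utility is present in the system
-struct stat s;
-if (stat("/usr/bin/xauth", &s) == -1) {
-fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
+if (!xauth_bin) {
+fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
 fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
 fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n");
 fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n");
 exit(1);
 }
+
+struct stat s;
+if (stat(xauth_bin, &s) == -1) {
+fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
+exit(1);
+}
 if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
-fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
 exit(1);
 }
 if (s.st_size > 1024 * 1024) {
-fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
+fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
 exit(1);
 }
-// copy /usr/bin/xauth in the sandbox and set mode to 0711
+// copy xauth in the sandbox and set mode to 0711
 // users are not able to trace the running xauth this way
 if (arg_debug)
-printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
-if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
-fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
-exit(1);
-}
+printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
+
+copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711);
+
+free(xauth_bin);
 
 fmessage("Generating a new .Xauthority file\n");
 mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());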
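Review bot: The ownership, mode and size checks on `stat(xauth_bin, &s)` are no longer tied to the file that is copied, because `xauth_bin` now comes from the caller's PATH and `copy_file_from_user_to_root(xauth_bin, ...)` opens it again by name. With the fixed `/usr/bin/xauth` every path component was root-controlled; a directory taken from PATH may not be, so the file can change between the check and the copy. Consider opening the file once and validating that descriptor with `fstat(fd, &s)` before copying from it, or accepting only results whose directory is root-owned and not group/world-writable. The old `if (copy_file(...)) { ... exit(1); }` failure branch is also gone; unless `copy_file_from_user_to_root` exits on error itself (not visible here), a failed copy now goes unnoticed. `x11_xorg` begins and continues outside this hunk.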