diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-02-25 01:40:13 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-02-25 02:10:48 +0100 |
| commit | 8d7974a6a6b2bac2d2b680bcb4b2a76a36602538 (patch) | |
| tree | 96a0d3c1f2a5e976336b8f756150e223a1d8be20 /src | |
| parent | cleanup (diff) | |
| download | firejail-8d7974a6a6b2bac2d2b680bcb4b2a76a36602538.tar.gz firejail-8d7974a6a6b2bac2d2b680bcb4b2a76a36602538.tar.zst firejail-8d7974a6a6b2bac2d2b680bcb4b2a76a36602538.zip | |
fix firecfg links in restrictive sandboxes
firejail symbolic link redirection currently depends
on a shell, but in restrictive sandboxes there
might be no execute permission, or private-lib might
have removed necessary libraries, or seccomp might
block required syscalls ...
Fix this by forcing --shell=none.
closes #3911
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/no_sandbox.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 1e8951afc..60a82821e 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
| @@ -167,15 +167,6 @@ void run_no_sandbox(int argc, char **argv) { | |||
| 167 | if (setresuid(-1, getuid(), getuid()) != 0) | 167 | if (setresuid(-1, getuid(), getuid()) != 0) |
| 168 | errExit("setresuid"); | 168 | errExit("setresuid"); |
| 169 | 169 | ||
| 170 | // use $SHELL to get shell used in sandbox, guess shell otherwise | ||
| 171 | cfg.shell = guess_shell(); | ||
| 172 | if (!cfg.shell) { | ||
| 173 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | ||
| 174 | exit(1); | ||
| 175 | } | ||
| 176 | else if (arg_debug) | ||
| 177 | printf("Selecting %s as shell\n", cfg.shell); | ||
| 178 | |||
| 179 | // process limited subset of options | 170 | // process limited subset of options |
| 180 | // and find first non option arg: | 171 | // and find first non option arg: |
| 181 | // - first argument not starting with --, | 172 | // - first argument not starting with --, |
| @@ -203,9 +194,20 @@ void run_no_sandbox(int argc, char **argv) { | |||
| 203 | } | 194 | } |
| 204 | 195 | ||
| 205 | if (prog_index == 0) { | 196 | if (prog_index == 0) { |
| 206 | assert(cfg.command_line == NULL); // runs cfg.shell | 197 | // got no command, require a shell and try to execute it |
| 198 | cfg.shell = guess_shell(); | ||
| 199 | if (!cfg.shell) { | ||
| 200 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | ||
| 201 | exit(1); | ||
| 202 | } | ||
| 203 | |||
| 204 | assert(cfg.command_line == NULL); | ||
| 207 | cfg.window_title = cfg.shell; | 205 | cfg.window_title = cfg.shell; |
| 208 | } else { | 206 | } else { |
| 207 | // this sandbox might not allow execution of a shell | ||
| 208 | // force --shell=none in order to not break firecfg symbolic links | ||
| 209 | arg_shell_none = 1; | ||
| 210 | |||
| 209 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 211 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
| 210 | } | 212 | } |
| 211 | 213 | ||