author | netblue30 <netblue30@yahoo.com> | 2018-04-23 09:38:21 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-23 09:38:21 -0400 |
commit | 90877c63eecf5e161c86df6b0c62006029e2677e (patch) | |
tree | 66acab3862cc1e649d69fc2b83ced1378f95e27f /src | |
parent | merges (diff) | |
fix user database access
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/run_symlink.c | 17 | ||||
-rw-r--r-- | src/lib/firejail_user.c | 11 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 6 |
5 files changed, 24 insertions, 19 deletions
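--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -671,7 +671,7 @@ void fs_logger_change_owner(void);
 void fs_logger_print_log(pid_t pid);
 
 // run_symlink.c
-void run_symlink(int argc, char **argv);
+void run_symlink(int argc, char **argv, int run_as_is);
 
 // paths.c
 char **build_paths(void);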
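Review bot: The new `run_as_is` parameter on the run_symlink prototype is undocumented, so a reader of the header cannot tell what a non-zero value means without opening run_symlink.c. A one-line comment above the declaration would settle it, e.g. `// run_as_is != 0: exec the argv[0] program unsandboxed (after dropping privileges)`. That description is taken from the run_symlink.c hunks in this commit, where the flag selects the plain execv branch.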
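--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -239,12 +239,15 @@ static void init_cfg(int argc, char **argv) {
 	}
 	cfg.cwd = getcwd(NULL, 0);
 
-	// chack user database
+	// check user database
 	if (!firejail_user_check(cfg.username)) {
 		fprintf(stderr, "Error: the user is not allowed to use Firejail. "
 			"Please add the user in %s/firejail.users file, "
 			"either by running \"sudo firecfg\", or by editing the file directly.\n"
 			"See \"man firejail-users\" for more details.\n", SYSCONFDIR);
+
+		// attempt to run the program as is
+		run_symlink(argc, argv, 1);
 		exit(1);
 	}
 
@@ -914,7 +917,7 @@ int main(int argc, char **argv) {
 
 	// check argv[0] symlink wrapper if this is not a login shell
 	if (*argv[0] != '-')
-		run_symlink(argc, argv); // if symlink detected, this function will not return
+		run_symlink(argc, argv, 0); // if symlink detected, this function will not return
 
 	// check if we already have a sandbox running
 	// If LXC is detected, start firejail sandbox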
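--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,7 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-void run_symlink(int argc, char **argv) {
+void run_symlink(int argc, char **argv, int run_as_is) {
 	EUID_ASSERT();
 
 	char *program = strrchr(argv[0], '/');
@@ -33,6 +33,12 @@ void run_symlink(int argc, char **argv) {
 	if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting
 		return;
 
+	// drop privileges
+	if (setgid(getgid()) < 0)
+		errExit("setgid/getgid");
+	if (setuid(getuid()) < 0)
+		errExit("setuid/getuid");
+
 	// find the real program by looking in PATH
 	char *p = getenv("PATH");
 	if (!p) {
@@ -84,20 +90,13 @@ void run_symlink(int argc, char **argv) {
 	free(selfpath);
 
 	// desktop integration is not supported for root user; instead, the original program is started
-	if (getuid() == 0) {
+	if (getuid() == 0 || run_as_is) {
 		argv[0] = program;
 		execv(program, argv);
 		exit(1);
 	}
 
 	// start the argv[0] program in a new sandbox
-	// drop privileges
-	if (setgid(getgid()) < 0)
-		errExit("setgid/getgid");
-	if (setuid(getuid()) < 0)
-		errExit("setuid/getuid");
-
-	// run command
 	char *a[3 + argc];
 	a[0] =PATH_FIREJAIL;
 	a[1] = program;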
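Review bot: The comment at new line 92 ("desktop integration is not supported for root user; instead, the original program is started") no longer describes the condition under it, which now also fires for `run_as_is`; suggest `// root (no desktop integration) and users denied by firejail.users run the original program unsandboxed`. Moving the setgid/setuid drop ahead of the PATH lookup (new lines 36-40) is the right order now that the execv at line 95 is reached for non-root callers too: the program resolved from the caller's own PATH is executed with the caller's real uid/gid rather than with any elevated euid the binary may have had. The bare `exit(1)` after execv at line 96 discards errno; `errExit("execv")` would match the error handling used for setgid/setuid a few lines above. The function body continues outside the last hunk.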
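--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -28,6 +28,7 @@
 #include "../include/common.h"
 #include <sys/types.h>
 #include <pwd.h>
+#include "../../uids.h"
 
 #define MAXBUF 4098
 static inline char *get_fname(void) {
@@ -41,15 +42,13 @@ static inline char *get_fname(void) {
 int firejail_user_check(const char *name) {
 	assert(name);
 
-	// root allowed by default
+	// root is allowed to run firejail by default
 	if (strcmp(name, "root") == 0)
 		return 1;
 
-	// user nobody disabled by default
-	if (strcmp(name, "nobody") == 0) {
-		fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
-		exit(1);
-	}
+	// other system users will run the program as is
+	if (getuid() < UID_MIN || strcmp(name, "nobody") == 0)
+		return 0;
 
 	// check file existence
 	char *fname = get_fname();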
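Review bot: The new check at line 50 decides on `getuid()` while the root check above it and, presumably, the file lookup below decide on the `name` parameter, so the two can disagree if a caller passes a name that does not belong to the process's real uid (main.c passes `cfg.username`, whose origin is outside this diff); a comment should state that this is intentional, e.g. `// UID_MIN applies to the real uid of the calling process, not to 'name'`. UID_MIN comes from the newly included ../../uids.h, while the man page in this commit says it is the value from /etc/login.defs; if uids.h is generated at build time, a later edit of login.defs is not reflected, and a comment at the include would make that explicit. Because this check precedes the file lookup at lines 53-54, returning 0 here is indistinguishable to callers from "not listed in firejail.users", which is why main.c's "add the user to firejail.users" message cannot help a uid below UID_MIN. The function body continues outside the hunk.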
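--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,11 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default, user nobody is denied access by default.
+root user is allowed by default. Other system users (users with an ID below UID_MIN value
+defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+
+If the user is not allowed to start the sandbox, Firejail will attempt to run the
+program without sandboxing it.
 
 Example:
 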