author | netblue30 <netblue30@yahoo.com> | 2015-11-25 07:36:31 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-25 07:36:31 -0500 |
commit | ea96a480d7e33c5e7cf40bdb99223b49470f6f61 (patch) | |
tree | 76f5966897ee5d18c6719aafe2dccbabb5716bb4 /src | |
parent | feature testing (diff) | |
fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/restrict_users.c | 55 |
1 files changed, 51 insertions, 4 deletions
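--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -59,6 +59,40 @@ static USER_LIST *ulist_find(const char *user) {
 return NULL;
 }
 
+static int mkpath(const char* path) {
+assert(path && *path);
+
+// work on a copy of the path
+char *file_path = strdup(path);
+if (!file_path)
+errExit("strdup");
+
+char* p;
+for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) {
+*p='\0';
+if (mkdir(file_path, 0755)==-1) {
+if (errno != EEXIST) {
+*p='/';
+free(file_path);
+return -1;
+}
+}
+else {
+if (chmod(file_path, 0755) == -1)
+errExit("chmod");
+if (chown(file_path, 0, 0) == -1)
+errExit("chown");
+}
+
+*p='/';
+}
+
+free(file_path);
+return 0;
+}
+
+
+
 static void sanitize_home(void) {
 assert(getuid() != 0); // this code works only for regular users
 
@@ -85,9 +119,13 @@ static void sanitize_home(void) {
 errExit("mount tmpfs");
 
 // create user home directory
-if (mkdir(cfg.homedir, 0755) == -1)
-errExit("mkdir");
-
+if (mkdir(cfg.homedir, 0755) == -1) {
+if (mkpath(cfg.homedir))
+errExit("mkpath");
+if (mkdir(cfg.homedir, 0755) == -1)
+errExit("mkdir");
+}
+
 // set mode and ownership
 if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
 errExit("chown");
@@ -320,7 +358,16 @@ errout:
 void restrict_users(void) {
 // only in user mode
 if (getuid()) {
-sanitize_home();
+if (strncmp(cfg.homedir, "/home/", 6) == 0) {
+// user has the home directory under /home
+sanitize_home();
+}
+else {
+// user has the home diercotry outside /home
+// mount tmpfs on top of /home in order to hide it
+if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+errExit("mount tmpfs");
+}
 sanitize_passwd();
 sanitize_group();
 }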
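Review bot: In `mkpath`, an `EEXIST` from `mkdir` is accepted without checking what already exists at that component, so a symlink or a regular file in the path is walked through by code that, judging by the `chown(file_path, 0, 0)` call, runs with root privileges. After the `EEXIST` case I would confirm the component is a real directory, e.g. `struct stat sb; if (lstat(file_path, &sb) == -1 || !S_ISDIR(sb.st_mode)) { free(file_path); return -1; }`. In the visible caller the components below `/home` sit on a freshly mounted tmpfs, which limits the exposure. However, the guard in `restrict_users` is only a string prefix test (`strncmp(cfg.homedir, "/home/", 6)`), so a non-canonical value such as one containing `..` would still reach `mkpath`; where `cfg.homedir` comes from is not visible on this page. The helper also mixes error styles, returning -1 on a failed `mkdir` but calling `errExit` on a failed `chmod`/`chown`, which deserves a short comment above the function stating that contract.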