authorLibravatar netblue30 <netblue30@yahoo.com>2017-03-20 10:50:45 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2017-03-20 10:50:45 -0400
commit79be851919599f8da43b0b7405687b1f8ed8e80e (patch)
tree005b836922c1d2fc54d565657c99af788cd2b9da /src
parentprofile merges (diff)
nogroups fix
Diffstat (limited to 'src')
-rw-r--r--src/firejail/main.c54
-rw-r--r--src/firejail/restrict_users.c4
2 files changed, 30 insertions, 28 deletions
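diff --git a/src/firejail/main.c b/src/firejail/main.c
index aead29957..db9a9c8cb 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2472,32 +2472,34 @@ int main(int argc, char **argv) {
 sprintf(ptr, "%d %d 1\n", gid, gid);
 ptr += strlen(ptr);
 
-// add tty group
-gid_t g = get_group_id("tty");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-ptr += strlen(ptr);
-}
-
-// add audio group
-g = get_group_id("audio");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-ptr += strlen(ptr);
-}
-
-// add video group
-g = get_group_id("video");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-ptr += strlen(ptr);
-}
-
-// add games group
-g = get_group_id("games");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-}
+if (!arg_nogroups) {
+// add tty group
+gid_t g = get_group_id("tty");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+
+// add audio group
+g = get_group_id("audio");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+
+// add video group
+g = get_group_id("video");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+
+// add games group
+g = get_group_id("games");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+}
+}
 
 EUID_ROOT();
 update_map(gidmap, map_path);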
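Review bot: Inside the new `if (!arg_nogroups)` block each `sprintf(ptr, "%d %d 1\n", g, g)` prints a `gid_t` with `%d` and writes through `ptr` with no length limit. `gid_t` is unsigned on Linux, so the specifier does not match the argument type and a group id above INT_MAX would be written as a negative number. The declaration and size of the buffer behind `ptr` lie outside the hunk, so whether the base entry plus four group entries always fit cannot be checked from here. I would write each entry as `snprintf(ptr, end - ptr, "%u %u 1\n", (unsigned) g, (unsigned) g);`, with `end` pointing one past the buffer, and treat a truncated result as an error. The same applies to the unchanged `sprintf` for `gid` at the top of the hunk; `main` starts and ends outside it.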
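diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 774e2908f..f759e7333 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -167,7 +167,7 @@ static void sanitize_passwd(void) {
 int rv = sscanf(ptr, "%d:", &uid);
 if (rv == 0 || uid < 0)
 goto errout;
-if (uid < UID_MIN) {
+if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534
 fprintf(fpout, "%s", buf);
 continue;
 }
@@ -299,7 +299,7 @@ static void sanitize_group(void) {
 int rv = sscanf(ptr, "%d:", &gid);
 if (rv == 0 || gid < 0)
 goto errout;
-if (gid < GID_MIN) {
+if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup
 if (copy_line(fpout, buf, ptr))
 goto errout;
 continue;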
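Review bot: The literal `65534` in `if (uid < UID_MIN || uid == 65534)` is repeated in `sanitize_group` as `gid == 65534` and is justified only by a Debian-specific comment, so both filters depend on a magic number that other distributions may not use for nobody/nogroup. A shared named constant would keep the two checks in step, for example `#define NOBODY_ID 65534 // nobody/nogroup, copied through to the sanitized passwd/group` (the name is a suggestion), with both conditions written against it. Resolving the id by name instead would drop the distribution assumption, if a lookup is acceptable at this point in sandbox setup. Both functions start and end outside their hunks.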