authorLibravatar Aleksey Manevich <manevich.aleksey@gmail.com>2016-08-25 01:01:06 +0300
committerLibravatar Aleksey Manevich <manevich.aleksey@gmail.com>2016-08-25 01:05:40 +0300
commit51d69322896d0f622d77dc581c35876c1c937596 (patch)
tree88bf6dd701767267ac564c008335e728a9ab727d /src
parenttighten security (diff)
tighten security
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_trace.c14
-rw-r--r--src/firejail/fs_var.c23
-rw-r--r--src/firejail/fs_whitelist.c8
-rw-r--r--src/firejail/main.c20
-rw-r--r--src/firejail/protocol.c8
-rw-r--r--src/firejail/pulseaudio.c5
-rw-r--r--src/firejail/restrict_users.c14
-rw-r--r--src/firejail/sandbox.c3
-rw-r--r--src/firejail/seccomp.c3
-rw-r--r--src/firejail/x11.c8
10 files changed, 26 insertions, 80 deletions
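--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -37,11 +37,8 @@ void fs_trace_preload(void) {
 		FILE *fp = fopen("/etc/ld.so.preload", "w");
 		if (!fp)
 			errExit("fopen");
+		SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 		fclose(fp);
-		if (chown("/etc/ld.so.preload", 0, 0) < 0)
-			errExit("chown");
-		if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-			errExit("chmod");
 		fs_logger("touch /etc/ld.so.preload");
 	}
 }
@@ -66,12 +63,9 @@ void fs_trace(void) {
 	}
 	else
 		assert(0);
 
+	SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 	fclose(fp);
-	if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0)
-		errExit("chown");
-	if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-		errExit("chmod");
 
 	// mount the new preload file
 	if (arg_debug)
@@ -81,5 +75,3 @@ void fs_trace(void) {
 	fs_logger("create /etc/ld.so.preload");
 }
 
-
-
\ No newline at end of file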
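Review bot: The new SET_PERMS_STREAM calls in fs_trace_preload (new line 40) and fs_trace (new line 67) spell the mode with `S_IWRITE`, an obsolete BSD synonym, while the fs_var_lib hunk of this same commit uses the POSIX name `S_IWUSR`; the two should agree, e.g. `SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);`. The `fclose(fp)` that follows each call still discards its return value, and in fs_trace the stream holds the library path that is then bind-mounted over /etc/ld.so.preload, so a failed flush would leave an empty preload file in place unnoticed; `if (fclose(fp) != 0) errExit("fclose");` would surface it. The definition of SET_PERMS_STREAM is not in this diff, so whether it reports its own failures cannot be confirmed here.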
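--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -131,22 +131,16 @@ void fs_var_log(void) {
 		// create an empty /var/log/wtmp file
 		/* coverity[toctou] */
 		FILE *fp = fopen("/var/log/wtmp", "w");
+		SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 		if (fp)
 			fclose(fp);
-		if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
-			errExit("chown");
-		if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-			errExit("chmod");
 		fs_logger("touch /var/log/wtmp");
 
 		// create an empty /var/log/btmp file
 		fp = fopen("/var/log/btmp", "w");
+		SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
 		if (fp)
 			fclose(fp);
-		if (chown("/var/log/btmp", 0, wtmp_group) < 0)
-			errExit("chown");
-		if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-			errExit("chmod");
 		fs_logger("touch /var/log/btmp");
 	}
 	else
@@ -169,11 +163,8 @@ void fs_var_lib(void) {
 
 		if (fp) {
 			fprintf(fp, "\n");
+			SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 			fclose(fp);
-			if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-				errExit("chown");
-			if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-				errExit("chmod");
 			fs_logger("touch /var/lib/dhcp/dhcpd.leases");
 		}
 	}
@@ -279,10 +270,9 @@ void fs_var_lock(void) {
 				// create directory
 				if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
 					errExit("mkdir");
-				if (chown(lnk, 0, 0))
-					errExit("chown");
 				if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
 					errExit("chmod");
+				ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
 			}
 			if (arg_debug)
 				printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
@@ -353,11 +343,8 @@ void fs_var_utmp(void) {
 
 	// save new utmp file
 	fwrite(&u_boot, sizeof(u_boot), 1, fp);
+	SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 	fclose(fp);
-	if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-		errExit("chown");
-	if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-		errExit("chmod");
 
 	// mount the new utmp file
 	if (arg_debug)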
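Review bot: In fs_var_log the new `SET_PERMS_STREAM(fp, ...)` on new lines 134 and 141 runs before the `if (fp)` guard, so it receives a NULL stream whenever fopen fails, a case this code deliberately tolerates since the fclose is guarded. Unless the macro checks for NULL itself (its definition is not in this diff), calling fileno() or fchmod on a NULL stream is undefined behaviour; moving the call inside the guard avoids it: `if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); }`, and likewise for btmp. The fs_var_lib call sits inside its own `if (fp)` block; the fs_var_utmp call depends on whether fp was checked above that hunk.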
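--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -275,18 +275,14 @@ static void whitelist_path(ProfileEntry *entry) {
 				fprintf(stderr, "Error: cannot create empty file in home directory\n");
 				exit(1);
 			}
+			// set file properties
+			SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
 			fclose(fp);
 		}
 		else
 			return; // the file is already present
 	}
 
-	// set file properties
-	if (chown(path, s.st_uid, s.st_gid) < 0)
-		errExit("chown");
-	if (chmod(path, s.st_mode) < 0)
-		errExit("chmod");
-
 	// mount
 	if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
 		errExit("mount bind");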
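Review bot: The ownership and mode change that the removed lines 284-288 applied after the whole `if ... else return;` block now runs only in the branch that fopen()s an empty file (new lines 278-279). If the enclosing conditional, which starts above the hunk, has another branch that creates the path (for example a directory via mkdir), that branch no longer gets `s.st_uid`/`s.st_gid`/`s.st_mode` applied; worth confirming against the lines above. Separately, `s.st_mode` carries the file-type bits as well as the permission bits; `s.st_mode & 07777` states the intent explicitly, and the x11.c hunk has the same pattern.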
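--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -663,14 +663,10 @@ static void set_name_file(pid_t pid) {
 		exit(1);
 	}
 	fprintf(fp, "%s\n", cfg.name);
-	fclose(fp);
-
+
 	// mode and ownership
-	if (chown(fname, 0, 0) == -1)
-		errExit("chown");
-	if (chmod(fname, 0644) == -1)
-		errExit("chmod");
-
+	SET_PERMS_STREAM(fp, 0, 0, 0644);
+	fclose(fp);
 }
 
 static void delete_name_file(pid_t pid) {
@@ -694,14 +690,10 @@ static void set_x11_file(pid_t pid, int display) {
 		exit(1);
 	}
 	fprintf(fp, "%d\n", display);
-	fclose(fp);
-
+
 	// mode and ownership
-	if (chown(fname, 0, 0) == -1)
-		errExit("chown");
-	if (chmod(fname, 0644) == -1)
-		errExit("chmod");
-
+	SET_PERMS_STREAM(fp, 0, 0, 0644);
+	fclose(fp);
 }
 
 static void delete_x11_file(pid_t pid) {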
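Review bot: The new `fclose(fp);` on line 669 of set_name_file, and the identical one on line 696 of set_x11_file, discards its return value; the only write to the stream is the fprintf just above it and only fclose flushes that, so a failed write leaves a truncated or empty name/display file while the function returns as if it succeeded. `if (fclose(fp) != 0) errExit("fclose");` in both places matches the errExit style used for the other failures in these functions. The retained `// mode and ownership` comment now sits above a macro call; `// set owner and mode on the open stream, then flush and close` would describe the new sequence.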
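--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -273,14 +273,8 @@ void protocol_filter_save(void) {
 	if (!fp)
 		errExit("fopen");
 	fprintf(fp, "%s\n", cfg.protocol);
+	SET_PERMS_STREAM(fp, 0, 0, 0600);
 	fclose(fp);
-
-	if (chmod(RUN_PROTOCOL_CFG, 0600) < 0)
-		errExit("chmod");
-
-	if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0)
-		errExit("chown");
-
 }
 
 void protocol_filter_load(const char *fname) {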
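Review bot: The mode is tightened to 0600 on new line 276 only after the fopen above the hunk has already created RUN_PROTOCOL_CFG, so between creation and the macro call the file carries fopen's default mode minus umask. The window is brief and the directory is presumably root-owned, but it can be removed entirely by creating the file with an explicit mode on a descriptor, as the seccomp.c hunk of this commit does with SET_PERMS_FD: `int fd = open(RUN_PROTOCOL_CFG, O_CREAT|O_WRONLY|O_TRUNC, 0600);` followed by `FILE *fp = fdopen(fd, "w");`. The fopen line itself is above the hunk, so this is a suggestion for the surrounding function rather than the changed lines alone.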
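--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -120,11 +120,8 @@ void pulseaudio_init(void) {
 	if (!fp)
 		errExit("fopen");
 	fprintf(fp, "%s", "\nenable-shm = no\n");
+	SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
 	fclose(fp);
-	if (chmod(pulsecfg, 0644) == -1)
-		errExit("chmod");
-	if (chown(pulsecfg, getuid(), getgid()) == -1)
-		errExit("chown");
 
 	// create ~/.config/pulse directory if not present
 	char *dir1;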
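Review bot: `SET_PERMS_STREAM(fp, getuid(), getgid(), 0644)` on new line 123 acts on the already-open descriptor, which is what makes the removed path-based chown/chmod on `pulsecfg` unnecessary; the `fopen(pulsecfg, "w")` above the hunk is still a path-based open, and if pulsecfg lies under a user-writable directory while this code runs with elevated privileges, that open is where the remaining care belongs (open() with O_NOFOLLOW plus fdopen(), for instance). Where pulsecfg points and what privilege the process holds here are both outside the hunk, so treat this as something to confirm rather than a defect in the changed lines. A short comment such as `// permissions are set on the open stream, not the path` would record why the ordering now matters.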
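--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -187,12 +187,9 @@ static void sanitize_passwd(void) {
 			fprintf(fpout, "%s", buf);
 	}
 	fclose(fpin);
+	SET_PERMS_STREAM(fpout, 0, 0, 0644);
 	fclose(fpout);
-	if (chown(RUN_PASSWD_FILE, 0, 0) == -1)
-		errExit("chown");
-	if (chmod(RUN_PASSWD_FILE, 0644) == -1)
-		errExit("chmod");
-
+
 	// mount-bind tne new password file
 	if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
 		errExit("mount");
@@ -319,12 +316,9 @@ static void sanitize_group(void) {
 			goto errout;
 		}
 	fclose(fpin);
+	SET_PERMS_STREAM(fpout, 0, 0, 0644);
 	fclose(fpout);
-	if (chown(RUN_GROUP_FILE, 0, 0) == -1)
-		errExit("chown");
-	if (chmod(RUN_GROUP_FILE, 0644) == -1)
-		errExit("chmod");
-
+
 	// mount-bind tne new group file
 	if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
 		errExit("mount");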
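Review bot: `fclose(fpout)` directly after the new `SET_PERMS_STREAM(fpout, 0, 0, 0644)` (new lines 190-191 in sanitize_passwd, 319-320 in sanitize_group) still ignores its return value, and the file it flushes is bind-mounted over /etc/passwd, respectively /etc/group, a few lines later; a failed flush would therefore mount a truncated copy of the sanitized file without any diagnostic. `if (fclose(fpout) != 0) errExit("fclose");` in both places closes that gap and matches the errExit style already used for mount. Both functions start above their hunks, so whether fpout was opened with an error check cannot be seen here.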
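--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -104,9 +104,8 @@ void save_nogroups(void) {
 	FILE *fp = fopen(RUN_GROUPS_CFG, "w");
 	if (fp) {
 		fprintf(fp, "\n");
+		SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
 		fclose(fp);
-		if (chown(RUN_GROUPS_CFG, 0, 0) < 0)
-			errExit("chown");
 	}
 	else {
 		fprintf(stderr, "Error: cannot save nogroups state\n");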
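Review bot: The trailing comment `// assume mode 0644` on new line 107 is misleading: the removed lines only changed ownership of RUN_GROUPS_CFG and left the mode to fopen's default, whereas the new call sets 0644 explicitly, so nothing is being assumed any more. `// owner root, mode 0644 (previously left to umask)` describes what the call does and why it was added. As in the other hunks of this commit, the `fclose(fp)` that follows is unchecked; `if (fclose(fp) != 0) errExit("fclose");` would be consistent with the error handling on the else branch.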
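--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -290,9 +290,8 @@ static void write_seccomp_file(void) {
 		fprintf(stderr, "Error: cannot save seccomp filter\n");
 		exit(1);
 	}
+	SET_PERMS_FD(fd, 0, 0, S_IRUSR | S_IWUSR);
 	close(fd);
-	if (chown(RUN_SECCOMP_CFG, 0, 0) < 0)
-		errExit("chown");
 }
 
 // read seccomp filter from /run/firejail/mnt/seccomp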
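Review bot: `SET_PERMS_FD(fd, 0, 0, S_IRUSR | S_IWUSR)` on new line 293 will look redundant to a later reader if the open() above the hunk already passes the same mode with O_CREAT; it is not, because an O_CREAT mode is masked by the process umask and is not applied at all when the file already exists and is merely truncated, so this call is what actually guarantees 0600. A one-line comment would keep it from being removed: `// O_CREAT's mode is subject to umask and ignored for an existing file; enforce 0600 explicitly`. The open() call itself is outside the hunk, so whether it uses O_CREAT here is inferred from the file being written, not seen.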
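--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -132,13 +132,9 @@ void fs_x11(void) {
 		fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
 		exit(1);
 	}
-	fclose(fp);
-
 	// set file properties
-	if (chown(x11file, s.st_uid, s.st_gid) < 0)
-		errExit("chown");
-	if (chmod(x11file, s.st_mode) < 0)
-		errExit("chmod");
+	SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
+	fclose(fp);
 
 	// mount
 	char *wx11file;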
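Review bot: `SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode)` on new line 136 passes the complete `st_mode` of the source file, which contains the file-type bits alongside the permission bits; the fs_whitelist.c hunk does the same. Linux chmod-family calls discard the type bits, so this works, but `s.st_mode & 07777` makes the intent explicit and does not rely on that. The move of the permission change ahead of `fclose(fp)` (new lines 136-137) is the substance of the hunk and deserves a word in the retained comment, e.g. `// set owner and mode on the open stream before closing it`; the stat that fills `s` is above the hunk.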