authorLibravatar netblue30 <netblue30@yahoo.com>2018-04-05 18:40:28 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2018-04-05 18:40:28 -0400
commit0992ba0b6ea4c01dee0fbcf30068e64be638162b (patch)
treefba3ab0abc43f95f8c7008540bae9ccd23d639af /src
parentMerge pull request #1864 from glitsj16/enchant (diff)
user access database in /etc/firejail/firejail.users - more to come
Diffstat (limited to 'src')
-rw-r--r--src/firecfg/Makefile.in6
-rw-r--r--src/firecfg/main.c24
-rw-r--r--src/firejail/Makefile.in6
-rw-r--r--src/firejail/main.c15
-rw-r--r--src/include/firejail_user.h30
-rw-r--r--src/lib/firejail_user.c115
6 files changed, 187 insertions, 9 deletions
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index b6dbb039d..e860643df 100644
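--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -2,11 +2,11 @@ all: firecfg
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h
  $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-firecfg: $(OBJS) ../lib/common.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno
 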
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index e636dc385..a54607aec 100644
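--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -19,6 +19,7 @@
 */
 
 #include "firecfg.h"
+#include "../include/firejail_user.h"
 int arg_debug = 0;
 
 static char *usage_str =
@@ -29,6 +30,7 @@ static char *usage_str =
  "The symbolic links are placed in /usr/local/bin. For more information, see\n"
  "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
  "Usage: firecfg [OPTIONS]\n\n"
+ " --add-users user [user] - add the users to Firejail access database\n"
  " --clean - remove all firejail symbolic links.\n\n"
  " --debug - print debug messages.\n\n"
  " --fix - fix .desktop files.\n\n"
@@ -315,6 +317,19 @@ int main(int argc, char **argv) {
  sound();
  return 0;
  }
+ else if (strcmp(argv[i], "--add-users") == 0) {
+ int j;
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: you need to be root to use this option\n");
+ exit(1);
+ }
+
+ for (j = i + 1; j < argc; j++) {
+ printf("Adding user %s to Firejail access database in %s/firejail.users\n", argv[j], SYSCONFDIR);
+ firejail_user_add(argv[j]);
+ }
+ return 0;
+ }
  else {
  fprintf(stderr, "Error: invalid command line option\n");
  usage();
@@ -353,7 +368,7 @@ int main(int argc, char **argv) {
 
 
 
- // switch to the local user, and fix desktop files
+ // user setup
  char *user = getlogin();
  if (!user) {
  user = getenv("SUDO_USER");
@@ -362,6 +377,13 @@ int main(int argc, char **argv) {
  }
  }
 
+ // add user to firejail access database
+ if (user) {
+ printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
+ firejail_user_add(user);
+ }
+
+ // switch to the local user, and fix desktop files
  if (user) {
  // find home directory
  struct passwd *pw = getpwnam(user);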
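Review bot: The `--add-users` branch (new lines 320–332) prints "Adding user …" and returns 0 whether or not anything was written, because `firejail_user_add()` returns nothing; an unknown user or an unwritable database still ends with exit status 0, and `--add-users` with no names after it is accepted silently. This file is the allow-list for the SUID binary, so a provisioning script needs a reliable failure signal: let `firejail_user_add()` return an `int` (prototype in src/include/firejail_user.h, definition in src/lib/firejail_user.c) and propagate it with `if (firejail_user_add(argv[j]) != 0) rc = 1;`, and reject the empty case with `if (i + 1 >= argc) { usage(); exit(1); }`. The second call site at new lines 380–384 has the same unchecked call, takes `user` from `getlogin()` or `SUDO_USER`, and shows no root check inside its hunk. main() starts and ends outside these hunks.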
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 9bd2f9c22..48d985d73 100644
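--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,11 +2,11 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
  $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firejail *.gcov *.gcda *.gcno
 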
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f34d2eb79..e676bbd7c 100644
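--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -19,6 +19,7 @@
  */
 #include "firejail.h"
 #include "../include/pid.h"
+#include "../include/firejail_user.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
@@ -229,6 +230,15 @@ static void init_cfg(int argc, char **argv) {
  }
  cfg.cwd = getcwd(NULL, 0);
 
+ // chack user database
+ if (!firejail_user_check(cfg.username)) {
+ fprintf(stderr, "Error: the user is not allowed to use Firejail. "
+ "Please add the user in %s/firejail.users file, "
+ "either by running \"sudo firecfg\", or by editing the file directly."
+ "See \"man firejail-users\" for more details.\n", SYSCONFDIR);
+ exit(1);
+ }
+
  // initialize random number generator
  sandbox_pid = getpid();
  time_t t = time(NULL);
@@ -830,7 +840,6 @@ int main(int argc, char **argv) {
  int lockfd_directory = -1;
  int option_cgroup = 0;
  int custom_profile = 0; // custom profile loaded
- atexit(clear_atexit);
 
  // drop permissions by default and rise them when required
  EUID_INIT();
@@ -844,9 +853,11 @@ int main(int argc, char **argv) {
  if (check_arg(argc, argv, "--quiet", 1))
  arg_quiet = 1;
 
+ // cleanup at exit
+ EUID_ROOT();
+ atexit(clear_atexit);
 
  // build /run/firejail directory structure
- EUID_ROOT();
  preproc_build_firejail_dir();
  char *container_name = getenv("container");
  if (!container_name || strcmp(container_name, "firejail")) {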
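Review bot: The error text at new lines 235–238 joins `"...or by editing the file directly."` to `"See \"man firejail-users\"..."` with no space between them, so it prints "directly.See"; the first literal should end in `directly. "`, and the comment above it should read `// check user database`. The placement matters more for a SUID binary: the allow-list check lives in `init_cfg()`, while the last hunk shows `EUID_ROOT()` and `preproc_build_firejail_dir()` running in `main()`. If `init_cfg()` is called after that point (the call is not visible here), a user who is not on the list still drives root-privileged setup before being rejected, so the check belongs before any privileged work, as soon as `cfg.username` is known. Both functions continue outside the hunks.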
diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h
new file mode 100644
index 000000000..a7d30225e
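--- /dev/null
+++ b/src/include/firejail_user.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef FIREJAIL_USER_H
+#define FIREJAIL_USER_H
+
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name);
+
+// add a user to the database
+void firejail_user_add(const char *name);
+
+#endif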
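Review bot: The comment on `firejail_user_check()` omits two parts of the contract that callers of an access-control function need to know: `root` is always allowed, and a missing database means access checking is off for everyone. I would write it as `// returns 1 for root, for a user listed in the database, or when the database file does not exist (access checking disabled); 0 otherwise`. The comment on `firejail_user_add()` should also state that the first successful add creates the file, which switches the system from allow-all to allow-list for every user not yet listed.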
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
new file mode 100644
index 000000000..5d92aa133
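--- /dev/null
+++ b/src/lib/firejail_user.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+//
+// Firejail access database inplementation
+//
+// The database is a simple list of users allowed to run firejail SUID executable
+// It is usually stored in /etc/firejail/firejail.users
+// One username per line in the file
+
+#include "../include/common.h"
+#include <sys/types.h>
+#include <pwd.h>
+
+#define MAXBUF 4098
+static inline char *get_fname(void) {
+ char *fname;
+ if (asprintf(&fname, "%s/firejail.users", SYSCONFDIR) == -1)
+ errExit("asprintf");
+ return fname;
+}
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name) {
+ assert(name);
+
+ // root allowed by default
+ if (strcmp(name, "root") == 0)
+ return 1;
+
+ // check file existence
+ char *fname = get_fname();
+ if (access(fname, F_OK)) {
+ free(fname);
+ return 1; // assume the user doesn't care about access checking
+ }
+
+ FILE *fp = fopen(fname, "r");
+ free(fname);
+ if (!fp)
+ return 0;
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ // lines starting with # are comments
+ if (*buf == '#')
+ continue;
+
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // compare
+ if (strcmp(buf, name) == 0) {
+ fclose(fp);
+ return 1;
+ }
+ }
+
+ fclose(fp);
+ return 0;
+}
+
+// add a user to the database
+void firejail_user_add(const char *name) {
+ assert(name);
+
+ // is this a real user?
+ struct passwd *pw = getpwnam(name);
+ if (!pw) {
+ fprintf(stderr, "Error: user %s not found on this system.\n", name);
+ return;
+ }
+
+ // check the user is not already in the database
+ char *fname = get_fname();
+ assert(fname);
+ if (access(fname, F_OK) == 0) {
+ if (firejail_user_check(name)) {
+ printf("User %s already in the database\n", name);
+ return;
+ }
+ }
+
+ printf("%s created\n", fname);
+ FILE *fp = fopen(fname, "a+");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ perror("fopen");
+ free(fname);
+ return;
+ }
+ free(fname);
+
+ fprintf(fp, "%s\n", name);
+ fclose(fp);
+}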
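Review bot: `firejail_user_check()` allows the user whenever `access(fname, F_OK)` fails, whatever the reason, so any error other than a missing file (EACCES, ELOOP, ENOMEM) also switches the allow-list off in the SUID binary. Allow-by-default should be tied to `ENOENT` only, and deciding on the `fopen()` result instead of a separate `access()` call also removes the check-then-open gap; the fence below shows that opening and assumes `errno` is declared through common.h. In `firejail_user_add()`, `fopen(fname, "a+")` creates the database with a umask-dependent mode, so the file should be created with an explicit mode rather than whatever root's umask yields. The same function leaks `fname` on the "already in the database" return and prints `"%s created"` even when it only appends to an existing file.

```c
	char *fname = get_fname();
	FILE *fp = fopen(fname, "r");
	if (!fp) {
		// only a database that does not exist means "access checking disabled";
		// every other open failure denies access
		int allowed = (errno == ENOENT);
		free(fname);
		return allowed;
	}
	free(fname);
	// … unchanged: line-by-line comparison against name …
```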