authorLibravatar netblue30 <netblue30@yahoo.com>2016-11-12 09:52:53 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-11-12 09:52:53 -0500
commit3ed5918832344db694d094eefbe2189fd847345d (patch)
treebdc2d85eb7e31c0eebf1a572a6996168f1b74b50 /src
parenttesting (diff)
set_perms cleanup
Diffstat (limited to 'src')
-rw-r--r--src/firejail/appimage.c6
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/fs.c29
-rw-r--r--src/firejail/fs_home.c17
-rw-r--r--src/firejail/fs_whitelist.c55
-rw-r--r--src/firejail/preproc.c24
-rw-r--r--src/firejail/pulseaudio.c18
-rw-r--r--src/firejail/restrict_users.c6
-rw-r--r--src/firejail/util.c23
-rw-r--r--src/firejail/x11.c24
10 files changed, 73 insertions, 130 deletions
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 176326a2b..96c054048 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -98,10 +98,8 @@ void appimage_set(const char *appimage_path) {
98 fprintf(stderr, "Error: cannot create appimage mount point\n"); 98 fprintf(stderr, "Error: cannot create appimage mount point\n");
99 exit(1); 99 exit(1);
100 } 100 }
101 if (chmod(mntdir, 0700) == -1) 101 if (set_perms(mntdir, getuid(), getgid(), 0700))
102 errExit("chmod"); 102 errExit("set_perms");
103 if (chown(mntdir, getuid(), getgid()) == -1)
104 errExit("chown");
105 EUID_USER(); 103 EUID_USER();
106 ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); 104 ASSERT_PERMS(mntdir, getuid(), getgid(), 0700);
107 105
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 435405fd9..282271a64 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -460,6 +460,7 @@ int remove_directory(const char *path);
460void flush_stdin(void); 460void flush_stdin(void);
461void create_empty_dir_as_root(const char *dir, mode_t mode); 461void create_empty_dir_as_root(const char *dir, mode_t mode);
462void create_empty_file_as_root(const char *dir, mode_t mode); 462void create_empty_file_as_root(const char *dir, mode_t mode);
463int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
463 464
464// fs_var.c 465// fs_var.c
465void fs_var_log(void); // mounting /var/log 466void fs_var_log(void); // mounting /var/log
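Review bot: The new prototype `int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);` has no comment on its return convention, which differs from the `-1` convention of the `chmod`/`chown` calls it replaces. Per the definition in util.c it returns 1 on error and 0 on success. Add a line above it such as `// chmod then chown fname; returns 0 on success, 1 on failure` so that callers do not test `== -1` or `< 0` by habit.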
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 65b0773ca..3a2fd8c38 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -273,11 +273,8 @@ void fs_blacklist(void) {
273 if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0) 273 if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
274 errExit("mount bind"); 274 errExit("mount bind");
275 /* coverity[toctou] */ 275 /* coverity[toctou] */
276 if (chown(dname2, s.st_uid, s.st_gid) == -1) 276 if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode))
277 errExit("mount-bind chown"); 277 errExit("set_perms");
278 /* coverity[toctou] */
279 if (chmod(dname2, s.st_mode) == -1)
280 errExit("mount-bind chmod");
281 278
282 entry = entry->next; 279 entry = entry->next;
283 continue; 280 continue;
@@ -773,10 +770,8 @@ void fs_overlayfs(void) {
773 errExit("mkdir"); 770 errExit("mkdir");
774 } 771 }
775 772
776 if (chown(odiff, 0, 0) < 0) 773 if (set_perms(odiff, 0, 0, 0755))
777 errExit("chown"); 774 errExit("set_perms");
778 if (chmod(odiff, 0755) < 0)
779 errExit("chmod");
780 775
781 char *owork; 776 char *owork;
782 if(asprintf(&owork, "%s/owork", basedir) == -1) 777 if(asprintf(&owork, "%s/owork", basedir) == -1)
@@ -788,10 +783,8 @@ void fs_overlayfs(void) {
788 errExit("mkdir"); 783 errExit("mkdir");
789 } 784 }
790 785
791 if (chown(owork, 0, 0) < 0) 786 if (set_perms(owork, 0, 0, 0755))
792 errExit("chown"); 787 errExit("chown");
793 if (chmod(owork, 0755) < 0)
794 errExit("chmod");
795 788
796 // mount overlayfs 789 // mount overlayfs
797 if (arg_debug) 790 if (arg_debug)
@@ -850,10 +843,8 @@ void fs_overlayfs(void) {
850 errExit("mkdir"); 843 errExit("mkdir");
851 } 844 }
852 845
853 if (chown(hdiff, 0, 0) < 0) 846 if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
854 errExit("chown"); 847 errExit("set_perms");
855 if (chmod(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
856 errExit("chmod");
857 848
858 if(asprintf(&hwork, "%s/hwork", basedir) == -1) 849 if(asprintf(&hwork, "%s/hwork", basedir) == -1)
859 errExit("asprintf"); 850 errExit("asprintf");
@@ -864,10 +855,8 @@ void fs_overlayfs(void) {
864 errExit("mkdir"); 855 errExit("mkdir");
865 } 856 }
866 857
867 if (chown(hwork, 0, 0) < 0) 858 if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
868 errExit("chown"); 859 errExit("set_perms");
869 if (chmod(hwork, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
870 errExit("chmod");
871 860
872 // no homedir in overlay so now mount another overlay for /home 861 // no homedir in overlay so now mount another overlay for /home
873 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) 862 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
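Review bot: In the second `fs_overlayfs` hunk the failure label was left behind: `if (set_perms(owork, 0, 0, 0755)) errExit("chown");` still reports `chown`, although the failing call may now be the `chmod` inside the helper. Change it to `errExit("set_perms");` to match the other call sites in this file. In `fs_blacklist`, the one remaining `/* coverity[toctou] */` annotation now sits above a helper that makes two path-based calls, so it is worth confirming that the suppression still covers what it was meant to cover.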
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index a2532c367..91fbe592a 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -398,15 +398,8 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s
398 else if (ftype == FTW_D) { 398 else if (ftype == FTW_D) {
399 if (mkdir(dest, s.st_mode) == -1) 399 if (mkdir(dest, s.st_mode) == -1)
400 errExit("mkdir"); 400 errExit("mkdir");
401 if (chmod(dest, s.st_mode) < 0) { 401 if (set_perms(dest, firejail_uid, firejail_gid, s.st_mode))
402 fprintf(stderr, "Error: cannot change mode for %s\n", path); 402 errExit("set_perms");
403 exit(1);
404 }
405 if (chown(dest, firejail_uid, firejail_gid) < 0) {
406 fprintf(stderr, "Error: cannot change ownership for %s\n", path);
407 exit(1);
408 }
409
410#if 0 403#if 0
411struct stat s2; 404struct stat s2;
412if (stat(dest, &s2) == 0) { 405if (stat(dest, &s2) == 0) {
@@ -590,10 +583,8 @@ void fs_private_home_list(void) {
590 int rv = mkdir(RUN_HOME_DIR, 0755); 583 int rv = mkdir(RUN_HOME_DIR, 0755);
591 if (rv == -1) 584 if (rv == -1)
592 errExit("mkdir"); 585 errExit("mkdir");
593 if (chown(RUN_HOME_DIR, u, g) < 0) 586 if (set_perms(RUN_HOME_DIR, u, g, 0755))
594 errExit("chown"); 587 errExit("set_perms");
595 if (chmod(RUN_HOME_DIR, 0755) < 0)
596 errExit("chmod");
597 ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); 588 ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755);
598 589
599 fs_logger_print(); // save the current log 590 fs_logger_print(); // save the current log
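Review bot: The `fs_copydir` hunk drops the file name from the failure output: the removed code printed `Error: cannot change mode for %s`, while `errExit("set_perms")` names only the helper. During a recursive copy that makes the failing entry hard to identify, so keep a message with the path before exiting, e.g. `fprintf(stderr, "Error: cannot set permissions for %s\n", dest);`. The removed messages printed `path` (the source) although the calls operated on `dest`, so the new message should name `dest`. `fs_copydir` starts and ends outside the hunk.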
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 9cd8f7681..9d8021219 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -157,10 +157,8 @@ static int mkpath(const char* path, mode_t mode) {
157 } 157 }
158 } 158 }
159 else { 159 else {
160 if (chmod(file_path, mode) == -1) 160 if (set_perms(file_path, uid, gid, mode))
161 errExit("chmod"); 161 errExit("set_perms");
162 if (chown(file_path, uid, gid) == -1)
163 errExit("chown");
164 done = 1; 162 done = 1;
165 } 163 }
166 164
@@ -535,11 +533,8 @@ void fs_whitelist(void) {
535 int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); 533 int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
536 if (rv == -1) 534 if (rv == -1)
537 errExit("mkdir"); 535 errExit("mkdir");
538 if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) 536 if (set_perms(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid(), 0755))
539 errExit("chown"); 537 errExit("set_perms");
540 if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0)
541 errExit("chmod");
542
543 if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 538 if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
544 errExit("mount bind"); 539 errExit("mount bind");
545 540
@@ -553,10 +548,8 @@ void fs_whitelist(void) {
553 int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); 548 int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
554 if (rv == -1) 549 if (rv == -1)
555 errExit("mkdir"); 550 errExit("mkdir");
556 if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0) 551 if (set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777))
557 errExit("chown"); 552 errExit("set_perms");
558 if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
559 errExit("chmod");
560 553
561 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 554 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
562 errExit("mount bind"); 555 errExit("mount bind");
@@ -578,10 +571,8 @@ void fs_whitelist(void) {
578 int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); 571 int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
579 if (rv == -1) 572 if (rv == -1)
580 errExit("mkdir"); 573 errExit("mkdir");
581 if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) 574 if (set_perms(RUN_WHITELIST_MEDIA_DIR, 0, 0, 0755))
582 errExit("chown"); 575 errExit("set_perms");
583 if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
584 errExit("chmod");
585 576
586 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 577 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
587 errExit("mount bind"); 578 errExit("mount bind");
@@ -606,10 +597,8 @@ void fs_whitelist(void) {
606 int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); 597 int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755);
607 if (rv == -1) 598 if (rv == -1)
608 errExit("mkdir"); 599 errExit("mkdir");
609 if (chown(RUN_WHITELIST_MNT_DIR, 0, 0) < 0) 600 if (set_perms(RUN_WHITELIST_MNT_DIR, 0, 0, 0755))
610 errExit("chown"); 601 errExit("set_perms");
611 if (chmod(RUN_WHITELIST_MNT_DIR, 0755) < 0)
612 errExit("chmod");
613 602
614 if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 603 if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
615 errExit("mount bind"); 604 errExit("mount bind");
@@ -632,10 +621,8 @@ void fs_whitelist(void) {
632 int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); 621 int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
633 if (rv == -1) 622 if (rv == -1)
634 errExit("mkdir"); 623 errExit("mkdir");
635 if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0) 624 if (set_perms(RUN_WHITELIST_VAR_DIR, 0, 0, 0755))
636 errExit("chown"); 625 errExit("set_perms");
637 if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0)
638 errExit("chmod");
639 626
640 if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 627 if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
641 errExit("mount bind"); 628 errExit("mount bind");
@@ -654,10 +641,8 @@ void fs_whitelist(void) {
654 int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); 641 int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
655 if (rv == -1) 642 if (rv == -1)
656 errExit("mkdir"); 643 errExit("mkdir");
657 if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0) 644 if (set_perms(RUN_WHITELIST_DEV_DIR, 0, 0, 0755))
658 errExit("chown"); 645 errExit("set_perms");
659 if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
660 errExit("chmod");
661 646
662 if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) 647 if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0)
663 errExit("mount bind"); 648 errExit("mount bind");
@@ -676,10 +661,8 @@ void fs_whitelist(void) {
676 int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); 661 int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
677 if (rv == -1) 662 if (rv == -1)
678 errExit("mkdir"); 663 errExit("mkdir");
679 if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0) 664 if (set_perms(RUN_WHITELIST_OPT_DIR, 0, 0, 0755))
680 errExit("chown"); 665 errExit("set_perms");
681 if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0)
682 errExit("chmod");
683 666
684 if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 667 if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
685 errExit("mount bind"); 668 errExit("mount bind");
@@ -701,10 +684,8 @@ void fs_whitelist(void) {
701 int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); 684 int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755);
702 if (rv == -1) 685 if (rv == -1)
703 errExit("mkdir"); 686 errExit("mkdir");
704 if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0) 687 if (set_perms(RUN_WHITELIST_SRV_DIR, 0, 0, 0755))
705 errExit("chown"); 688 errExit("set_perms");
706 if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0)
707 errExit("chmod");
708 689
709 if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 690 if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
710 errExit("mount bind"); 691 errExit("mount bind");
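Review bot: `set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777)` and the `mkdir(RUN_WHITELIST_TMP_DIR, 1777)` just above it pass a decimal literal, not an octal one. Decimal 1777 is 03361, which is setgid plus sticky with `-wx rw- --x`, not the world-writable sticky `01777` that appears to be intended for a /tmp stand-in. The value is carried over unchanged from the removed `chmod` call, so this cleanup is a good moment to correct both to `01777`. The same literal is used for `RUN_WHITELIST_X11_DIR` in `fs_x11` in the x11.c section. Because these directories are bind-mount targets the visible effect may be limited, but the mode set is not the one the code reads as.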
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2873571a9..fe5f2eb44 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -78,31 +78,23 @@ void preproc_mount_mnt_dir(void) {
78 // create all seccomp files 78 // create all seccomp files
79 // as root, create RUN_SECCOMP_I386 file 79 // as root, create RUN_SECCOMP_I386 file
80 create_empty_file_as_root(RUN_SECCOMP_I386, 0644); 80 create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
81 if (chown(RUN_SECCOMP_I386, getuid(), getgid()) == -1) 81 if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
82 errExit("chown"); 82 errExit("set_perms");
83 if (chmod(RUN_SECCOMP_I386, 0644) == -1)
84 errExit("chmod");
85 83
86 // as root, create RUN_SECCOMP_AMD64 file 84 // as root, create RUN_SECCOMP_AMD64 file
87 create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644); 85 create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
88 if (chown(RUN_SECCOMP_AMD64, getuid(), getgid()) == -1) 86 if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
89 errExit("chown"); 87 errExit("set_perms");
90 if (chmod(RUN_SECCOMP_AMD64, 0644) == -1)
91 errExit("chmod");
92 88
93 // as root, create RUN_SECCOMP file 89 // as root, create RUN_SECCOMP file
94 create_empty_file_as_root(RUN_SECCOMP_CFG, 0644); 90 create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
95 if (chown(RUN_SECCOMP_CFG, getuid(), getgid()) == -1) 91 if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
96 errExit("chown"); 92 errExit("set_perms");
97 if (chmod(RUN_SECCOMP_CFG, 0644) == -1)
98 errExit("chmod");
99 93
100 // as root, create RUN_SECCOMP_PROTOCOL file 94 // as root, create RUN_SECCOMP_PROTOCOL file
101 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); 95 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
102 if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) 96 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
103 errExit("chown"); 97 errExit("set_perms");
104 if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1)
105 errExit("chmod");
106 } 98 }
107} 99}
108 100
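Review bot: Each seccomp file in `preproc_mount_mnt_dir` is created as root and then handed to the calling user with mode 0644 through `set_perms(RUN_SECCOMP_..., getuid(), getgid(), 0644)`, which leaves it writable by that user. How these files are consumed is not visible in this hunk; if a privileged code path later reads them as trusted filter input, ownership should stay with root and the user should get read access only. A short comment stating why user ownership is needed would settle the question for the next reader, e.g. `// owned by the user because <reason>`. The function body starts outside the hunk.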
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index e1a58c1c8..c76505591 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -106,10 +106,8 @@ void pulseaudio_init(void) {
106 // create the new user pulseaudio directory 106 // create the new user pulseaudio directory
107 int rv = mkdir(RUN_PULSE_DIR, 0700); 107 int rv = mkdir(RUN_PULSE_DIR, 0700);
108 (void) rv; // in --chroot mode the directory can already be there 108 (void) rv; // in --chroot mode the directory can already be there
109 if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0) 109 if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
110 errExit("chown"); 110 errExit("set_perms");
111 if (chmod(RUN_PULSE_DIR, 0700) < 0)
112 errExit("chmod");
113 111
114 // create the new client.conf file 112 // create the new client.conf file
115 char *pulsecfg = NULL; 113 char *pulsecfg = NULL;
@@ -131,10 +129,8 @@ void pulseaudio_init(void) {
131 if (stat(dir1, &s) == -1) { 129 if (stat(dir1, &s) == -1) {
132 int rv = mkdir(dir1, 0755); 130 int rv = mkdir(dir1, 0755);
133 if (rv == 0) { 131 if (rv == 0) {
134 rv = chown(dir1, getuid(), getgid()); 132 if (set_perms(dir1, getuid(), getgid(), 0755))
135 (void) rv; 133 ; // do nothing
136 rv = chmod(dir1, 0755);
137 (void) rv;
138 } 134 }
139 } 135 }
140 free(dir1); 136 free(dir1);
@@ -143,10 +139,8 @@ void pulseaudio_init(void) {
143 if (stat(dir1, &s) == -1) { 139 if (stat(dir1, &s) == -1) {
144 int rv = mkdir(dir1, 0700); 140 int rv = mkdir(dir1, 0700);
145 if (rv == 0) { 141 if (rv == 0) {
146 rv = chown(dir1, getuid(), getgid()); 142 if (set_perms(dir1, getuid(), getgid(), 0700))
147 (void) rv; 143 ; // do nothing
148 rv = chmod(dir1, 0700);
149 (void) rv;
150 } 144 }
151 } 145 }
152 free(dir1); 146 free(dir1);
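Review bot: The two `if (set_perms(dir1, ...)) ; // do nothing` statements in `pulseaudio_init` discard the result through an empty `if` body, which reads like a missing statement and may trigger `-Wempty-body`. If the failure is really meant to be ignored, write `(void) set_perms(dir1, getuid(), getgid(), 0755);`. Reporting it would be better, since a failed call may leave a directory this process has just created with the wrong owner or mode: `fprintf(stderr, "Warning: cannot set permissions on %s\n", dir1);`. How `dir1` is built is outside the hunk.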
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 57e84e5cc..393851148 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -95,10 +95,8 @@ static void sanitize_home(void) {
95 fs_logger2("mkdir", cfg.homedir); 95 fs_logger2("mkdir", cfg.homedir);
96 96
97 // set mode and ownership 97 // set mode and ownership
98 if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) 98 if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
99 errExit("chown"); 99 errExit("set_perms");
100 if (chmod(cfg.homedir, s.st_mode) == -1)
101 errExit("chmod");
102 100
103 // mount user home directory 101 // mount user home directory
104 if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) 102 if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a7712441e..3424d8ab6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -100,10 +100,8 @@ int mkpath_as_root(const char* path) {
100 } 100 }
101 } 101 }
102 else { 102 else {
103 if (chmod(file_path, 0755) == -1) 103 if (set_perms(file_path, 0, 0, 0755))
104 errExit("chmod"); 104 errExit("set_perms");
105 if (chown(file_path, 0, 0) == -1)
106 errExit("chown");
107 done = 1; 105 done = 1;
108 } 106 }
109 107
@@ -699,10 +697,8 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) {
699 printf("Creating empty %s directory\n", dir); 697 printf("Creating empty %s directory\n", dir);
700 if (mkdir(dir, mode) == -1) 698 if (mkdir(dir, mode) == -1)
701 errExit("mkdir"); 699 errExit("mkdir");
702 if (chmod(dir, mode) == -1) 700 if (set_perms(dir, 0, 0, mode))
703 errExit("chmod"); 701 errExit("set_perms");
704 if (chown(dir, 0, 0) == -1)
705 errExit("chown");
706 ASSERT_PERMS(dir, 0, 0, mode); 702 ASSERT_PERMS(dir, 0, 0, mode);
707 } 703 }
708} 704}
@@ -725,3 +721,14 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
725 } 721 }
726} 722}
727 723
724// return 1 if error
725int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
726 assert(fname);
727 if (chmod(fname, mode) == -1)
728 return 1;
729 if (chown(fname, uid, gid) == -1)
730 return 1;
731 return 0;
732}
733
734
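Review bot: `set_perms` calls `chmod(fname, ...)` and `chown(fname, ...)` by path, and both follow symbolic links, so every call site inherits a window in which the final path component can be replaced between creation and the permission change; the `/* coverity[toctou] */` annotation in fs.c marks the same pattern. This helper is now the single place where ownership and mode are set, which makes it the natural place to switch to descriptor-based calls with `O_NOFOLLOW`, as sketched below. Whether any caller passes a path inside a user-writable directory is not visible in this diff and should be checked. The sketch sets the owner before the mode, the order most of the replaced call sites used, and keeps errno from the failing call. Separately, `assert(fname)` disappears under `NDEBUG`, so it should not be the only guard.

```c
// return 1 if error; errno is left as set by the failing call
int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
	assert(fname);
	// pin the object first so the last path component cannot be swapped for a symlink
	int fd = open(fname, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
	if (fd == -1)
		return 1;
	int rv = (fchown(fd, uid, gid) == -1 || fchmod(fd, mode) == -1);
	int saved = errno;
	close(fd);
	errno = saved;
	return rv;
}
```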
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2b1121958..9da6d3e30 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -137,10 +137,8 @@ void fs_x11(void) {
137 int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); 137 int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
138 if (rv == -1) 138 if (rv == -1)
139 errExit("mkdir"); 139 errExit("mkdir");
140 if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0) 140 if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
141 errExit("chown"); 141 errExit("set_perms");
142 if (chmod(RUN_WHITELIST_X11_DIR, 1777) < 0)
143 errExit("chmod");
144 142
145 if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 143 if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
146 errExit("mount bind"); 144 errExit("mount bind");
@@ -706,10 +704,8 @@ void x11_xorg(void) {
706 fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); 704 fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
707 exit(1); 705 exit(1);
708 } 706 }
709 if (chown(tmpfname, getuid(), getgid()) == -1) 707 if (set_perms(tmpfname, getuid(), getgid(), 0600))
710 errExit("chown"); 708 errExit("set_perms");
711 if (chmod(tmpfname, 0600) == -1)
712 errExit("chmod");
713 709
714 // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted 710 // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
715 // automatically when the sandbox is closed 711 // automatically when the sandbox is closed
@@ -717,10 +713,8 @@ void x11_xorg(void) {
717 fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); 713 fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
718 exit(1); 714 exit(1);
719 } 715 }
720 if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1) 716 if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600))
721 errExit("chown"); 717 errExit("set_perms");
722 if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1)
723 errExit("chmod");
724 unlink(tmpfname); 718 unlink(tmpfname);
725 719
726 // mount 720 // mount
@@ -728,10 +722,8 @@ void x11_xorg(void) {
728 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); 722 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
729 exit(1); 723 exit(1);
730 } 724 }
731 if (chown(dest, getuid(), getgid()) == -1) 725 if (set_perms(dest, getuid(), getgid(), 0600))
732 errExit("chown"); 726 errExit("set_perms");
733 if (chmod(dest, 0600) == -1)
734 errExit("chmod");
735 free(dest); 727 free(dest);
736#endif 728#endif
737} 729}