fix --join

2 files changed, 13 insertions, 8 deletions

diff --git a/src/firejail/join.c b/src/firejail/join.c
index 12ee4a9a0..c303d3fb8 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -314,12 +314,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 // read cfg.protocol from file
                 if (getuid() != 0)
                         protocol_filter_load(RUN_PROTOCOL_CFG);
-                if (cfg.protocol) {     // not available for uid 0
+                if (cfg.protocol)       // not available for uid 0
                         seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter
-                }
 
                 // set seccomp filter
-                if (apply_seccomp == 1) // not available for uid 0
+                if (apply_seccomp == 1)  // not available for uid 0
                         seccomp_load(RUN_SECCOMP_CFG);
 #endif
 
@@ -335,9 +334,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         if (apply_caps == 1)    // not available for uid 0
                                 caps_set(caps);
                 }
-                else
-                        drop_privs(arg_nogroups);       // nogroups not available for uid 0
-
 
                 // set nice
                 if (arg_nice) {
@@ -385,6 +381,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         }
                 }
 
+                drop_privs(arg_nogroups);
                 start_application(0);
 
                 // it will never get here!!!
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 14e9f6440..3437d495f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -37,7 +37,6 @@ static void clean_supplementary_groups(gid_t gid) {
         assert(cfg.username);
         gid_t groups[MAX_GROUPS];
         int ngroups = MAX_GROUPS;
-
         int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
         if (rv == -1)
                 goto clean_all;
@@ -74,6 +73,13 @@ static void clean_supplementary_groups(gid_t gid) {
                 rv = setgroups(new_ngroups, new_groups);
                 if (rv)
                         goto clean_all;
+
+                if (arg_debug) {
+                        printf("Supplementary groups: ");
+                        for (i = 0; i < new_ngroups; i++)
+                                printf("%d ", new_groups[i]);
+                        printf("\n");
+                }
         }
         else
                 goto clean_all;
@@ -92,13 +98,15 @@ clean_all:
 void drop_privs(int nogroups) {
         EUID_ROOT();
         gid_t gid = getgid();
+        if (arg_debug)
+                printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n",  getpid(), getuid(), gid, nogroups);
 
         // configure supplementary groups
         if (gid == 0 || nogroups) {
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
                 if (arg_debug)
-                        printf("Username %s, no supplementary groups\n", cfg.username);
+                        printf("No supplementary groups\n");
         }
         else if (arg_noroot)
                 clean_supplementary_groups(gid);