diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-13 22:38:14 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-13 23:00:12 -0300 |
| commit | 8f33e7284cb5dc78e6543cfad6f9a1c51556f564 (patch) | |
| tree | a4238114f73f3ecbdf455cae604f0b92b0df10c7 /src | |
| parent | landlock: use uint32_t instead of __u32 in firejail.h (diff) | |
| download | firejail-8f33e7284cb5dc78e6543cfad6f9a1c51556f564.tar.gz firejail-8f33e7284cb5dc78e6543cfad6f9a1c51556f564.tar.zst firejail-8f33e7284cb5dc78e6543cfad6f9a1c51556f564.zip | |
Revert "Lookup xauth in PATH."
This reverts commit 407c05ebefe23e725f858b6170b3e52659e044a2.
If --private-lib is used (and firejail is configured with
--enable-private-lib), the following error occurs:
$ firejail --quiet --noprofile --private-lib true
firejail: fs_lib.c:56: find_in_path: Assertion `geteuid() != 0' failed.
Error: proc 10000 cannot sync with peer: unexpected EOF
Peer 10001 unexpectedly killed (Segmentation fault)
Given that it causes an uid assertion failure, the logic appears to not
be correct and the current behavior may be unsafe, so for now revert
that commit until the issue is properly addressed.
Relates to #6006 #6087.
Fixes #6113.
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_lib2.c | 6 | ||||
| -rw-r--r-- | src/firejail/x11.c | 30 |
2 files changed, 13 insertions, 23 deletions
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index b43c36c1a..583888e0e 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
| @@ -166,12 +166,8 @@ void fslib_install_firejail(void) { | |||
| 166 | fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user | 166 | fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user |
| 167 | 167 | ||
| 168 | // bring in xauth libraries | 168 | // bring in xauth libraries |
| 169 | |||
| 170 | char *xauth_bin = find_in_path("xauth"); | ||
| 171 | if (arg_x11_xorg) | 169 | if (arg_x11_xorg) |
| 172 | fslib_mount_libs(xauth_bin, 1); // parse as user | 170 | fslib_mount_libs("/usr/bin/xauth", 1); // parse as user |
| 173 | |||
| 174 | free(xauth_bin); | ||
| 175 | 171 | ||
| 176 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); | 172 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); |
| 177 | } | 173 | } |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 3721a2c2c..2eaa9bde5 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -1164,6 +1164,7 @@ void x11_start(int argc, char **argv) { | |||
| 1164 | } | 1164 | } |
| 1165 | #endif | 1165 | #endif |
| 1166 | 1166 | ||
| 1167 | |||
| 1167 | void x11_xorg(void) { | 1168 | void x11_xorg(void) { |
| 1168 | #ifdef HAVE_X11 | 1169 | #ifdef HAVE_X11 |
| 1169 | 1170 | ||
| @@ -1174,38 +1175,31 @@ void x11_xorg(void) { | |||
| 1174 | exit(1); | 1175 | exit(1); |
| 1175 | } | 1176 | } |
| 1176 | 1177 | ||
| 1177 | char *xauth_bin = find_in_path("xauth"); | ||
| 1178 | |||
| 1179 | // check xauth utility is present in the system | 1178 | // check xauth utility is present in the system |
| 1180 | if (!xauth_bin) { | 1179 | struct stat s; |
| 1181 | fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"); | 1180 | if (stat("/usr/bin/xauth", &s) == -1) { |
| 1181 | fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"); | ||
| 1182 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); | 1182 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); |
| 1183 | fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); | 1183 | fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); |
| 1184 | fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); | 1184 | fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); |
| 1185 | exit(1); | 1185 | exit(1); |
| 1186 | } | 1186 | } |
| 1187 | |||
| 1188 | struct stat s; | ||
| 1189 | if (stat(xauth_bin, &s) == -1) { | ||
| 1190 | fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno)); | ||
| 1191 | exit(1); | ||
| 1192 | } | ||
| 1193 | if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { | 1187 | if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { |
| 1194 | fprintf(stderr, "Error: invalid %s executable\n", xauth_bin); | 1188 | fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); |
| 1195 | exit(1); | 1189 | exit(1); |
| 1196 | } | 1190 | } |
| 1197 | if (s.st_size > 1024 * 1024) { | 1191 | if (s.st_size > 1024 * 1024) { |
| 1198 | fprintf(stderr, "Error: %s executable is too large\n", xauth_bin); | 1192 | fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n"); |
| 1199 | exit(1); | 1193 | exit(1); |
| 1200 | } | 1194 | } |
| 1201 | // copy xauth in the sandbox and set mode to 0711 | 1195 | // copy /usr/bin/xauth in the sandbox and set mode to 0711 |
| 1202 | // users are not able to trace the running xauth this way | 1196 | // users are not able to trace the running xauth this way |
| 1203 | if (arg_debug) | 1197 | if (arg_debug) |
| 1204 | printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE); | 1198 | printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE); |
| 1205 | 1199 | if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) { | |
| 1206 | copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711); | 1200 | fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n"); |
| 1207 | 1201 | exit(1); | |
| 1208 | free(xauth_bin); | 1202 | } |
| 1209 | 1203 | ||
| 1210 | fmessage("Generating a new .Xauthority file\n"); | 1204 | fmessage("Generating a new .Xauthority file\n"); |
| 1211 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); | 1205 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); |