symlink whitelist fix

2 files changed, 8 insertions, 5 deletions

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 926e5415c..f94040d0f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -391,14 +391,17 @@ void fs_whitelist(void) {
 
                         entry->home_dir = 1;
                         home_dir = 1;
-                        if (arg_debug)
+                        if (arg_debug || arg_debug_whitelists)
                                 fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
                                         __LINE__, fname, cfg.homedir);
 
                         // both path and absolute path are under /home
-//                      if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-//                              goto errexit;
-//                      }
+                        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                                // check if the file is owned by the user
+                                struct stat s;
+                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
+                                        goto errexit;
+                        }
                 }
                 else if (strncmp(new_name, "/tmp/", 5) == 0) {
                         entry->tmp_dir = 1;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c9e24380c..d8bd34f10 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1523,7 +1523,7 @@ firejail version 0.9.27
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
 With the exception of user home, both the link and the real file should be in
-the same top directory.
+the same top directory. For /home, both the link and the real file should be owned by the user.
 .br
 
 .br