diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-11-25 07:36:31 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-11-25 07:36:31 -0500 |
| commit | ea96a480d7e33c5e7cf40bdb99223b49470f6f61 (patch) | |
| tree | 76f5966897ee5d18c6719aafe2dccbabb5716bb4 /src | |
| parent | feature testing (diff) | |
| download | firejail-ea96a480d7e33c5e7cf40bdb99223b49470f6f61.tar.gz firejail-ea96a480d7e33c5e7cf40bdb99223b49470f6f61.tar.zst firejail-ea96a480d7e33c5e7cf40bdb99223b49470f6f61.zip | |
fixes
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/restrict_users.c | 55 |
1 files changed, 51 insertions, 4 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 733dbef41..4930dd1ea 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -59,6 +59,40 @@ static USER_LIST *ulist_find(const char *user) { | |||
| 59 | return NULL; | 59 | return NULL; |
| 60 | } | 60 | } |
| 61 | 61 | ||
| 62 | static int mkpath(const char* path) { | ||
| 63 | assert(path && *path); | ||
| 64 | |||
| 65 | // work on a copy of the path | ||
| 66 | char *file_path = strdup(path); | ||
| 67 | if (!file_path) | ||
| 68 | errExit("strdup"); | ||
| 69 | |||
| 70 | char* p; | ||
| 71 | for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) { | ||
| 72 | *p='\0'; | ||
| 73 | if (mkdir(file_path, 0755)==-1) { | ||
| 74 | if (errno != EEXIST) { | ||
| 75 | *p='/'; | ||
| 76 | free(file_path); | ||
| 77 | return -1; | ||
| 78 | } | ||
| 79 | } | ||
| 80 | else { | ||
| 81 | if (chmod(file_path, 0755) == -1) | ||
| 82 | errExit("chmod"); | ||
| 83 | if (chown(file_path, 0, 0) == -1) | ||
| 84 | errExit("chown"); | ||
| 85 | } | ||
| 86 | |||
| 87 | *p='/'; | ||
| 88 | } | ||
| 89 | |||
| 90 | free(file_path); | ||
| 91 | return 0; | ||
| 92 | } | ||
| 93 | |||
| 94 | |||
| 95 | |||
| 62 | static void sanitize_home(void) { | 96 | static void sanitize_home(void) { |
| 63 | assert(getuid() != 0); // this code works only for regular users | 97 | assert(getuid() != 0); // this code works only for regular users |
| 64 | 98 | ||
| @@ -85,9 +119,13 @@ static void sanitize_home(void) { | |||
| 85 | errExit("mount tmpfs"); | 119 | errExit("mount tmpfs"); |
| 86 | 120 | ||
| 87 | // create user home directory | 121 | // create user home directory |
| 88 | if (mkdir(cfg.homedir, 0755) == -1) | 122 | if (mkdir(cfg.homedir, 0755) == -1) { |
| 89 | errExit("mkdir"); | 123 | if (mkpath(cfg.homedir)) |
| 90 | 124 | errExit("mkpath"); | |
| 125 | if (mkdir(cfg.homedir, 0755) == -1) | ||
| 126 | errExit("mkdir"); | ||
| 127 | } | ||
| 128 | |||
| 91 | // set mode and ownership | 129 | // set mode and ownership |
| 92 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) | 130 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) |
| 93 | errExit("chown"); | 131 | errExit("chown"); |
| @@ -320,7 +358,16 @@ errout: | |||
| 320 | void restrict_users(void) { | 358 | void restrict_users(void) { |
| 321 | // only in user mode | 359 | // only in user mode |
| 322 | if (getuid()) { | 360 | if (getuid()) { |
| 323 | sanitize_home(); | 361 | if (strncmp(cfg.homedir, "/home/", 6) == 0) { |
| 362 | // user has the home directory under /home | ||
| 363 | sanitize_home(); | ||
| 364 | } | ||
| 365 | else { | ||
| 366 | // user has the home diercotry outside /home | ||
| 367 | // mount tmpfs on top of /home in order to hide it | ||
| 368 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
| 369 | errExit("mount tmpfs"); | ||
| 370 | } | ||
| 324 | sanitize_passwd(); | 371 | sanitize_passwd(); |
| 325 | sanitize_group(); | 372 | sanitize_group(); |
| 326 | } | 373 | } |