-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 27 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 7 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 4 |
5 files changed, 36 insertions, 5 deletions
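--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -265,6 +265,7 @@ extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
 
+extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
@@ -356,7 +357,6 @@ void shut(pid_t pid);
 void shut_name(const char *name);
 
 // restricted_shell.c
-extern char *restricted_user;
 int restricted_shell(const char *user);
 
 // arp.c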
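--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -102,6 +102,7 @@ int arg_appimage = 0; // appimage
 int arg_audit = 0; // audit
 char *arg_audit_prog; // audit
 int arg_apparmor; // apparmor
+int login_shell = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -877,6 +878,31 @@ int main(int argc, char **argv) {
 if (strcmp(comm, "sshd") == 0) {
 arg_quiet = 1;
 parent_sshd = 1;
+
+#if 0
+EUID_ROOT();
+FILE *fp = fopen("/mylog", "w");
+if (fp) {
+int i;
+for (i = 0; i < argc; i++)
+fprintf(fp, "#%s# ", argv[i]);
+fprintf(fp, "\n");
+fclose(fp);
+}
+EUID_USER();
+#endif
+
+// run sftp and ssh directly without any sandboxing
+// regular login has argv[0] == "-firejail"
+if (*argv[0] != '-') {
+if (strcmp(argv[1], "-c") == 0 && argc > 2) {
+if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 ||
+strncmp(argv[2], "scp ", 4) == 0) {
+drop_privs(1);
+run_no_sandbox(argc, argv);
+}
+}
+}
 }
 free(comm);
 }
@@ -884,6 +910,7 @@ int main(int argc, char **argv) {
 
 // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
 if (*argv[0] == '-' || parent_sshd) {
+login_shell = 1;
 fullargc = restricted_shell(cfg.username);
 if (fullargc) {
 int j;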
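Review bot: The unsandboxed fast path in the second hunk accepts any `-c` argument that merely begins with `scp ` (`strncmp(argv[2], "scp ", 4) == 0`), and `run_no_sandbox()` then passes the command to `system()` as far as the no_sandbox.c section shows, so everything after that prefix reaches /bin/sh outside the sandbox without validation. For an account confined through login.users this looks like a way around the restriction; the request should be parsed and matched against an allow-list and started with an exec-style argv rather than a shell. The same condition reads `argv[1]` before testing `argc`; reorder it to `if (argc > 2 && strcmp(argv[1], "-c") == 0) {`. The `#if 0` block that would write argv to `/mylog` as root is debug residue and is better dropped than committed. main() starts and ends outside these hunks, so how `comm` and `parent_sshd` are derived is not visible here.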
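--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -172,6 +172,8 @@ void run_no_sandbox(int argc, char **argv) {
 int len = 0;
 int i;
 for (i = 1; i < argc; i++) {
+// if (i == 1 && strcmp(argv[i], "-c") == 0)
+// continue;
 if (*argv[i] == '-')
 continue;
 break;
@@ -202,8 +204,9 @@ void run_no_sandbox(int argc, char **argv) {
 }
 
 // start the program in /bin/sh
-fprintf(stderr, "Warning: an existing sandbox was detected. "
-"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
+// if (!arg_quiet)
+fprintf(stderr, "Warning: an existing sandbox was detected. "
+"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
 int rv = system(command);
 (void) rv;
 if (allocated)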
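Review bot: The `if (!arg_quiet)` guard in the second hunk is committed as a comment, so the warning is still printed unconditionally, including on the new sshd sftp/scp path where main.c has already set `arg_quiet = 1` and where "an existing sandbox was detected" does not describe what happened. Either enable the guard (`if (!arg_quiet)` directly above the `fprintf`) or delete the comment; the commented-out `-c` test in the first hunk is dead code in the same way. A comment above `system(command)` should also record that on the sshd path `command` appears to originate from the remote client's request and is run by /bin/sh without sandboxing. run_no_sandbox() begins and ends outside both hunks, so the construction of `command` is not visible here.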
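--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -76,7 +76,6 @@ int restricted_shell(const char *user) {
 
 // process user
 if (strcmp(user, usr) == 0) {
-restricted_user = strdup(user);
 // extract program arguments
 
 fullargv[0] = "firejail";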
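--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -327,9 +327,11 @@ static void start_application(void) {
 else {
 assert(cfg.shell);
 
-char *arg[5];
+char *arg[6];
 int index = 0;
 arg[index++] = cfg.shell;
+if (login_shell)
+arg[index++] = "-l";
 arg[index++] = "-c";
 assert(cfg.command_line);
 if (arg_debug)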
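Review bot: `-l` is appended whenever `login_shell` is non-zero, and main.c sets that flag for `*argv[0] == '-' || parent_sshd`, so non-interactive commands arriving through sshd also run in a login shell that reads the user's profile files inside the sandbox. If that is intended, say so at the point of use, e.g. `// login or sshd session: let the shell source its login profile`; if not, the flag should be set only for the `'-'` case. Not every shell that can end up in `cfg.shell` is guaranteed to accept `-l` together with `-c`, which is worth checking before relying on it. The rest of the `arg[]` population and its NULL terminator lie outside the hunk, so whether six slots suffice on every branch cannot be confirmed from here.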