-rw-r--r-- | src/firejail/main.c | 54 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 4 |
2 files changed, 30 insertions, 28 deletions
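--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2472,32 +2472,34 @@ int main(int argc, char **argv) {
 sprintf(ptr, "%d %d 1\n", gid, gid);
 ptr += strlen(ptr);
 
-// add tty group
-gid_t g = get_group_id("tty");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-ptr += strlen(ptr);
-}
-
-// add audio group
-g = get_group_id("audio");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-ptr += strlen(ptr);
-}
-
-// add video group
-g = get_group_id("video");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-ptr += strlen(ptr);
-}
-
-// add games group
-g = get_group_id("games");
-if (g) {
-sprintf(ptr, "%d %d 1\n", g, g);
-}
+if (!arg_nogroups) {
+// add tty group
+gid_t g = get_group_id("tty");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+
+// add audio group
+g = get_group_id("audio");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+
+// add video group
+g = get_group_id("video");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+
+// add games group
+g = get_group_id("games");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+}
+}
 
 EUID_ROOT();
 update_map(gidmap, map_path);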
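Review bot: The four `sprintf(ptr, "%d %d 1\n", g, g)` calls now wrapped in `if (!arg_nogroups)` print a `gid_t` with `%d`; on glibc `gid_t` is an unsigned type, so the specifier should be `%u` (or the value cast to `unsigned`) to keep the format well-defined under `-Wformat`. The appends are also unbounded: the size of `gidmap` is declared outside the hunk so it cannot be checked here, but each line would be safer written as `ptr += snprintf(ptr, (size_t)(end - ptr), "%u %u 1\n", g, g);` with `end` set to one past the buffer, and the result checked for truncation. The games block deliberately does not advance `ptr` after its entry, which only stays correct while it remains the last group written. main's body starts and ends outside the hunk.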
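--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -167,7 +167,7 @@ static void sanitize_passwd(void) {
 int rv = sscanf(ptr, "%d:", &uid);
 if (rv == 0 || uid < 0)
 goto errout;
-if (uid < UID_MIN) {
+if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534
 fprintf(fpout, "%s", buf);
 continue;
 }
@@ -299,7 +299,7 @@ static void sanitize_group(void) {
 int rv = sscanf(ptr, "%d:", &gid);
 if (rv == 0 || gid < 0)
 goto errout;
-if (gid < GID_MIN) {
+if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup
 if (copy_line(fpout, buf, ptr))
 goto errout;
 continue;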
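Review bot: The literal `65534` is hard-coded in both hunks (`sanitize_passwd` and `sanitize_group`) with a trailing comment carrying the rationale; lifting it to a single named constant next to `UID_MIN`/`GID_MIN`, e.g. `#define NOBODY_ID 65534 /* Debian nobody/nogroup */`, keeps the passwd and group filters from drifting apart and lets the two conditions read `uid == NOBODY_ID` and `gid == NOBODY_ID`. The comment would also be clearer stating the effect rather than only the origin: `// keep the nobody/nogroup entry (65534 on Debian) in the sanitized copy`. Both enclosing functions start and end outside the hunks.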