diff options
-rw-r--r-- | src/firejail/join.c | 9 | ||||
-rw-r--r-- | src/firejail/util.c | 12 |
2 files changed, 13 insertions, 8 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c index 12ee4a9a0..c303d3fb8 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -314,12 +314,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
314 | // read cfg.protocol from file | 314 | // read cfg.protocol from file |
315 | if (getuid() != 0) | 315 | if (getuid() != 0) |
316 | protocol_filter_load(RUN_PROTOCOL_CFG); | 316 | protocol_filter_load(RUN_PROTOCOL_CFG); |
317 | if (cfg.protocol) { // not available for uid 0 | 317 | if (cfg.protocol) // not available for uid 0 |
318 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter | 318 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter |
319 | } | ||
320 | 319 | ||
321 | // set seccomp filter | 320 | // set seccomp filter |
322 | if (apply_seccomp == 1) // not available for uid 0 | 321 | if (apply_seccomp == 1) // not available for uid 0 |
323 | seccomp_load(RUN_SECCOMP_CFG); | 322 | seccomp_load(RUN_SECCOMP_CFG); |
324 | #endif | 323 | #endif |
325 | 324 | ||
@@ -335,9 +334,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
335 | if (apply_caps == 1) // not available for uid 0 | 334 | if (apply_caps == 1) // not available for uid 0 |
336 | caps_set(caps); | 335 | caps_set(caps); |
337 | } | 336 | } |
338 | else | ||
339 | drop_privs(arg_nogroups); // nogroups not available for uid 0 | ||
340 | |||
341 | 337 | ||
342 | // set nice | 338 | // set nice |
343 | if (arg_nice) { | 339 | if (arg_nice) { |
@@ -385,6 +381,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
385 | } | 381 | } |
386 | } | 382 | } |
387 | 383 | ||
384 | drop_privs(arg_nogroups); | ||
388 | start_application(0); | 385 | start_application(0); |
389 | 386 | ||
390 | // it will never get here!!! | 387 | // it will never get here!!! |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 14e9f6440..3437d495f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -37,7 +37,6 @@ static void clean_supplementary_groups(gid_t gid) { | |||
37 | assert(cfg.username); | 37 | assert(cfg.username); |
38 | gid_t groups[MAX_GROUPS]; | 38 | gid_t groups[MAX_GROUPS]; |
39 | int ngroups = MAX_GROUPS; | 39 | int ngroups = MAX_GROUPS; |
40 | |||
41 | int rv = getgrouplist(cfg.username, gid, groups, &ngroups); | 40 | int rv = getgrouplist(cfg.username, gid, groups, &ngroups); |
42 | if (rv == -1) | 41 | if (rv == -1) |
43 | goto clean_all; | 42 | goto clean_all; |
@@ -74,6 +73,13 @@ static void clean_supplementary_groups(gid_t gid) { | |||
74 | rv = setgroups(new_ngroups, new_groups); | 73 | rv = setgroups(new_ngroups, new_groups); |
75 | if (rv) | 74 | if (rv) |
76 | goto clean_all; | 75 | goto clean_all; |
76 | |||
77 | if (arg_debug) { | ||
78 | printf("Supplementary groups: "); | ||
79 | for (i = 0; i < new_ngroups; i++) | ||
80 | printf("%d ", new_groups[i]); | ||
81 | printf("\n"); | ||
82 | } | ||
77 | } | 83 | } |
78 | else | 84 | else |
79 | goto clean_all; | 85 | goto clean_all; |
@@ -92,13 +98,15 @@ clean_all: | |||
92 | void drop_privs(int nogroups) { | 98 | void drop_privs(int nogroups) { |
93 | EUID_ROOT(); | 99 | EUID_ROOT(); |
94 | gid_t gid = getgid(); | 100 | gid_t gid = getgid(); |
101 | if (arg_debug) | ||
102 | printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups); | ||
95 | 103 | ||
96 | // configure supplementary groups | 104 | // configure supplementary groups |
97 | if (gid == 0 || nogroups) { | 105 | if (gid == 0 || nogroups) { |
98 | if (setgroups(0, NULL) < 0) | 106 | if (setgroups(0, NULL) < 0) |
99 | errExit("setgroups"); | 107 | errExit("setgroups"); |
100 | if (arg_debug) | 108 | if (arg_debug) |
101 | printf("Username %s, no supplementary groups\n", cfg.username); | 109 | printf("No supplementary groups\n"); |
102 | } | 110 | } |
103 | else if (arg_noroot) | 111 | else if (arg_noroot) |
104 | clean_supplementary_groups(gid); | 112 | clean_supplementary_groups(gid); |