-rw-r--r-- | Makefile.in | 2 | ||||
-rwxr-xr-x | configure | 6 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rwxr-xr-x | mkuid.sh | 20 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 9 |
5 files changed, 38 insertions, 5 deletions
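--- a/Makefile.in
+++ b/Makefile.in
@@ -66,7 +66,7 @@ distclean: clean
 for dir in $(MYLIBS); do \
 $(MAKE) -C $$dir distclean; \
 done
-rm -fr Makefile autom4te.cache config.log config.status config.h
+rm -fr Makefile autom4te.cache config.log config.status config.h uids.h
 
 realinstall:
 # firejail executable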
@@ -3673,6 +3673,9 @@ if test "$prefix" = /usr; then | |||
3673 | sysconfdir="/etc" | 3673 | sysconfdir="/etc" |
3674 | fi | 3674 | fi |
3675 | 3675 | ||
3676 | # extract UID_MIN and GID_MIN from login.def | ||
3677 | ./mkuid.sh | ||
3678 | |||
3676 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" | 3679 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" |
3677 | 3680 | ||
3678 | cat >confcache <<\_ACEOF | 3681 | cat >confcache <<\_ACEOF |
@@ -4861,6 +4864,9 @@ echo " X11 sandboxing support: $HAVE_X11" | |||
4861 | echo " whitelisting: $HAVE_WHITELIST" | 4864 | echo " whitelisting: $HAVE_WHITELIST" |
4862 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4865 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4863 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4866 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4867 | printf " uid_min: "; grep UID_MIN uids.h | ||
4868 | printf " gid_min: "; grep GID_MIN uids.h | ||
4864 | echo | 4869 | echo |
4865 | 4870 | ||
4866 | 4871 | ||
4872 | |||
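--- a/configure.ac
+++ b/configure.ac
@@ -106,6 +106,9 @@ if test "$prefix" = /usr; then
 sysconfdir="/etc"
 fi
 
+# extract UID_MIN and GID_MIN from login.def
+./mkuid.sh
+
 AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)
 
 echo
@@ -123,6 +126,9 @@ echo " X11 sandboxing support: $HAVE_X11"
 echo " whitelisting: $HAVE_WHITELIST"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
+printf " uid_min: "; grep UID_MIN uids.h
+printf " gid_min: "; grep GID_MIN uids.h
 echo
 
 
+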
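Review bot: The added `./mkuid.sh` call at new line 110 does not check the script's exit status, so a failed run (no `/bin/bash`, an unwritable source tree) lets configure finish and only shows up later as a `grep` error in the summary or a compile failure on `uids.h`. Consider `./mkuid.sh || AC_MSG_ERROR([mkuid.sh failed to generate uids.h])`. The path is also relative to the current directory rather than `$srcdir`, which matters if configure is ever run from a separate build directory. The same unchecked call is repeated in the generated `configure`.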
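--- /dev/null
+++ b/mkuid.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+echo "extracting UID_MIN and GID_MIN"
+echo "#ifndef FIREJAIL_UIDS_H" > uids.h
+echo "#define FIREJAIL_UIDS_H" >> uids.h
+
+if [ -f /etc/login.defs ]
+then
+echo "// using values extracted from /etc/login.defs" >> uids.h
+UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+echo "#define UID_MIN $UID_MIN" >> uids.h
+echo "#define GID_MIN $GID_MIN" >> uids.h
+else
+echo "// using default values" >> uids.h
+echo "#define UID_MIN 1000" >> uids.h
+echo "#define GID_MIN 1000" >> uids.h
+fi
+
+echo "#endif" >> uids.h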
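Review bot: When `/etc/login.defs` exists but has no active `UID_MIN` or `GID_MIN` line (commented out, or absent on that distribution), the awk result at lines 10-11 is empty and `uids.h` gets `#define UID_MIN ` with no value; more than one matching line yields a multi-line value. Because these constants decide which passwd and group entries the sandbox filters, the script should validate them as plain digits and fall back to the default before the two `echo "#define ..."` lines, e.g. `case "$UID_MIN" in ''|*[!0-9]*) UID_MIN=1000 ;; esac` and the same for `GID_MIN`. Note also that `\s` is a GNU awk extension; `[[:space:]]` is the portable form.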
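--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -26,6 +26,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
+#include "../../uids.h"
 
 #define MAXBUF 1024
 
@@ -118,7 +119,7 @@ static void sanitize_passwd(void) {
 if (stat("/etc/passwd", &s) == -1)
 return;
 if (arg_debug)
-printf("Sanitizing /etc/passwd\n");
+printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN);
 if (is_link("/etc/passwd")) {
 fprintf(stderr, "Error: invalid /etc/passwd\n");
 exit(1);
@@ -170,7 +171,7 @@ static void sanitize_passwd(void) {
 int rv = sscanf(ptr, "%d:", &uid);
 if (rv == 0 || uid < 0)
 goto errout;
-if (uid < 1000) { // todo extract UID_MIN from /etc/login.def
+if (uid < UID_MIN) {
 fprintf(fpout, "%s", buf);
 continue;
 }
@@ -255,7 +256,7 @@ static void sanitize_group(void) {
 if (stat("/etc/group", &s) == -1)
 return;
 if (arg_debug)
-printf("Sanitizing /etc/group\n");
+printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN);
 if (is_link("/etc/group")) {
 fprintf(stderr, "Error: invalid /etc/group\n");
 exit(1);
@@ -306,7 +307,7 @@ static void sanitize_group(void) {
 int rv = sscanf(ptr, "%d:", &gid);
 if (rv == 0 || gid < 0)
 goto errout;
-if (gid < 1000) { // todo extract GID_MIN from /etc/login.def
+if (gid < GID_MIN) {
 if (copy_line(fpout, buf, ptr))
 goto errout;
 continue;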
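Review bot: `UID_MIN` and `GID_MIN` in the `uid < UID_MIN` and `gid < GID_MIN` tests are now compile-time constants taken from the build host's `/etc/login.defs`, and nothing in this file documents that. A binary built on one machine and installed on another (a distribution package, for instance) filters `/etc/passwd` and `/etc/group` with the builder's thresholds rather than the target's, so the account entries left visible inside the sandbox may differ from what the local policy implies. I would add next to the include: `// UID_MIN/GID_MIN are fixed at configure time from the build host's /etc/login.defs (mkuid.sh)`. Both sanitize_passwd and sanitize_group extend beyond the hunks shown, so the handling of entries at or above the threshold is not visible here.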