-rw-r--r-- | src/firejail/fs_whitelist.c | 29 |
1 files changed, 21 insertions, 8 deletions
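--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -337,21 +337,34 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 	// fix pam-tmpdir (#2685)
 	const char *env = env_get("TMP");
 	if (env) {
-		char *pamtmpdir;
-		if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+		// we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151
+		char *pamtmpdir1;
+		if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1)
 			errExit("asprintf");
-		if (strcmp(env, pamtmpdir) == 0) {
+		char *pamtmpdir2; // see #4151
+		if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1)
+			errExit("asprintf");
+		if (strcmp(env, pamtmpdir1) == 0) {
 			// create empty user-owned /tmp/user/$UID directory
 			EUID_ROOT();
-			mkdir_attr("/tmp/user", 0711, 0, 0);
+			mkdir_attr("/tmp/user", 0755, 0, 0);
 			selinux_relabel_path("/tmp/user", "/tmp/user");
 			fs_logger("mkdir /tmp/user");
-			mkdir_attr(pamtmpdir, 0700, getuid(), 0);
-			selinux_relabel_path(pamtmpdir, pamtmpdir);
-			fs_logger2("mkdir", pamtmpdir);
+			mkdir_attr(pamtmpdir1, 0700, getuid(), 0);
+			selinux_relabel_path(pamtmpdir1, pamtmpdir1);
+			fs_logger2("mkdir", pamtmpdir1);
+			EUID_USER();
+		}
+		else if (strcmp(env, pamtmpdir2) == 0) {
+			// create empty user-owned /tmp/user/$UID directory
+			EUID_ROOT();
+			mkdir_attr(pamtmpdir2, 0700, getuid(), 0);
+			selinux_relabel_path(pamtmpdir2, pamtmpdir2);
+			fs_logger2("mkdir", pamtmpdir2);
 			EUID_USER();
 		}
-		free(pamtmpdir);
+		free(pamtmpdir1);
+		free(pamtmpdir2);
 	}
 }
 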
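Review bot: The comment at new line 359 was copied from the first branch and is wrong for the path it sits in — that branch creates `/tmp/$UID`, not `/tmp/user/$UID`; it should read `// create empty user-owned /tmp/$UID directory`. The mode change at new line 350 from `0711` to `0755` is also not explained anywhere in the hunk: `0711` lets other users traverse `/tmp/user` without listing which per-UID entries exist, while `0755` additionally exposes the directory listing, so if the widening is intentional a why-comment such as `// 0755: allow listing /tmp/user (was 0711) - see #4151` belongs on that line, and if it is not it should stay `0711`. Finally, the two root-privileged branches repeat the same mkdir_attr/selinux_relabel_path/fs_logger2/EUID_USER sequence with only the path differing; selecting the matching path into one `const char *` and running the sequence once would keep the EUID_ROOT/EUID_USER window in a single place, which is easier to audit. tmpfs_topdirs begins before this hunk; only its tail is visible here.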