diff options
| -rw-r--r-- | src/firejail/x11.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 91017237d..4e0b46fb8 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -653,11 +653,7 @@ void x11_xorg(void) { | |||
| 653 | struct stat s; | 653 | struct stat s; |
| 654 | if (stat(dest, &s) == -1) { | 654 | if (stat(dest, &s) == -1) { |
| 655 | // create an .Xauthority file | 655 | // create an .Xauthority file |
| 656 | FILE *fp = fopen(dest, "w"); | 656 | touch_file_as_user(dest, getuid(), getgid(), 0600); |
| 657 | if (!fp) | ||
| 658 | errExit("fopen"); | ||
| 659 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | ||
| 660 | fclose(fp); | ||
| 661 | } | 657 | } |
| 662 | 658 | ||
| 663 | // check xauth utility is present in the system | 659 | // check xauth utility is present in the system |
| @@ -666,6 +662,10 @@ void x11_xorg(void) { | |||
| 666 | exit(1); | 662 | exit(1); |
| 667 | } | 663 | } |
| 668 | 664 | ||
| 665 | // temporarily mount a tempfs on top of /tmp directory | ||
| 666 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | ||
| 667 | errExit("mounting /tmp"); | ||
| 668 | |||
| 669 | // create a temporary .Xauthority file | 669 | // create a temporary .Xauthority file |
| 670 | char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; | 670 | char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; |
| 671 | int fd = mkstemp(tmpfname); | 671 | int fd = mkstemp(tmpfname); |
| @@ -673,9 +673,9 @@ void x11_xorg(void) { | |||
| 673 | fprintf(stderr, "Error: cannot create .Xauthority file\n"); | 673 | fprintf(stderr, "Error: cannot create .Xauthority file\n"); |
| 674 | exit(1); | 674 | exit(1); |
| 675 | } | 675 | } |
| 676 | close(fd); | 676 | if (fchown(fd, getuid(), getgid()) == -1) |
| 677 | if (chown(tmpfname, getuid(), getgid()) == -1) | ||
| 678 | errExit("chown"); | 677 | errExit("chown"); |
| 678 | close(fd); | ||
| 679 | 679 | ||
| 680 | pid_t child = fork(); | 680 | pid_t child = fork(); |
| 681 | if (child < 0) | 681 | if (child < 0) |
| @@ -713,7 +713,7 @@ void x11_xorg(void) { | |||
| 713 | 713 | ||
| 714 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted | 714 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted |
| 715 | // automatically when the sandbox is closed | 715 | // automatically when the sandbox is closed |
| 716 | if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { | 716 | if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed |
| 717 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); | 717 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); |
| 718 | exit(1); | 718 | exit(1); |
| 719 | } | 719 | } |
| @@ -730,5 +730,8 @@ void x11_xorg(void) { | |||
| 730 | if (set_perms(dest, getuid(), getgid(), 0600)) | 730 | if (set_perms(dest, getuid(), getgid(), 0600)) |
| 731 | errExit("set_perms"); | 731 | errExit("set_perms"); |
| 732 | free(dest); | 732 | free(dest); |
| 733 | |||
| 734 | // unmount /tmp | ||
| 735 | umount("/tmp"); | ||
| 733 | #endif | 736 | #endif |
| 734 | } | 737 | } |