5 files changed, 19 insertions, 33 deletions
diff --git a/RELNOTES b/RELNOTES
index 2f9206518..f6045304e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.51) baseline; urgency=low
    read-only, read-write, tmpfs and noexec are allowed in
    private home directories
  * modif: remount-proc-sys deprecated from firejail.config
+  * modif: follow-symlink-private-bin deprecated from firejail.config
  * modif: --profile-path was deprecated
  * enhancement: support Firejail user config directory in firecfg
  * enhancement: disable DBus activation in firecfg
@@ -39,7 +40,7 @@ firejail (0.9.51) baseline; urgency=low
      cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
      xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass
- -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Thu, 9 Nov 2017 08:00:00 -0500
 firejail (0.9.50~rc1) baseline; urgency=low
  * release pending!
diff --git a/etc/firejail.config b/etc/firejail.config
index 26f2dedfc..6fd5f1b06 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -37,10 +37,6 @@
 # Enabled by default
 # follow-symlink-as-user yes
-# Follow symlink for private-bin command.
-# Disabled by default
-# follow-symlink-private-bin no
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 1dee87a64..2fedb2f81 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -47,7 +47,6 @@ int checkcfg(int val) {
                cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
                cfg_val[CFG_FIREJAIL_PROMPT] = 0;
-                cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
                cfg_val[CFG_DISABLE_MNT] = 0;
                cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
                cfg_val[CFG_XPRA_ATTACH] = 0;
@@ -151,12 +150,8 @@ int checkcfg(int val) {
                        }
                        // follow symlink in private-bin command
                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                if (strcmp(ptr + 27, "yes") == 0)
+                                if (!arg_quiet)
-                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
+                                        fprintf(stderr, "Warning:follow-symlink-private-bin from firejail.config was deprecated\n");
-                                else if (strcmp(ptr + 27, "no") == 0)
-                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
-                                else
-                                        goto errout;
                        }
                        // nonewprivs
                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5d6d94d16..59bd4b959 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -734,7 +734,6 @@ enum {
        CFG_PRIVATE_BIN_NO_LOCAL,
        CFG_FIREJAIL_PROMPT,
        CFG_FOLLOW_SYMLINK_AS_USER,
-        CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
        CFG_DISABLE_MNT,
        CFG_JOIN,
        CFG_ARP_PROBES,
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 364431077..9e19ac8d7 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -182,29 +182,24 @@ static void duplicate(char *fname, FILE *fplist) {
        if (fplist)
                fprintf(fplist, "%s\n", full_path);
-        // copy the file
+        // if full_path is symlink, and the link is in our path, copy both the file and the symlink
-        if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
+        if (is_link(full_path)) {
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+                char *actual_path = realpath(full_path, NULL);
-        else {
+                if (actual_path) {
-                // if full_path is simlink, and the link is in our path, copy both
+                        if (valid_full_path_file(actual_path)) {
-                if (is_link(full_path)) {
+                                // solving problems such as /bin/sh -> /bin/dash
-                        char *actual_path = realpath(full_path, NULL);
+                                // copy the real file pointed by symlink
-                        if (actual_path) {
+                                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
-                                if (valid_full_path_file(actual_path)) {
+                                char *f = strrchr(actual_path, '/');
-                                        // solving problems such as /bin/sh -> /bin/dash
+                                if (f && *(++f) !='\0')
-                                        // copy the real file pointed by symlink
+                                        report_duplication(f);
-                                        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
-                                        char *f = strrchr(actual_path, '/');
-                                        if (f && *(++f) !='\0')
-                                                report_duplication(f);
-                                }
-                                free(actual_path);
                        }
+                        free(actual_path);
                }
-                // copy a file or a symlink
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
        }
+        // copy a file or a symlink
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
        free(full_path);
        report_duplication(fname);
 }