1 files changed, 10 insertions, 0 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index d7764682a..d0487d49a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -338,6 +338,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                exit(1);
        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+                        exit(1);
+                }
+        }
        EUID_ROOT();
        if (join_namespace(child, "net")) {
                fprintf(stderr, "Error: cannot join the network namespace\n");

diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index d7764682a..d0487d49a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c
@@ -338,6 +338,16 @@ void bandwidth_pid(pid_t pid, const char command, const char dev, int down, in
338	exit(1);	338	exit(1);
339	}	339	}
340		340
		341	// check privileges for non-root users
		342	uid_t uid = getuid();
		343	if (uid != 0) {
		344	uid_t sandbox_uid = pid_get_uid(pid);
		345	if (uid != sandbox_uid) {
		346	fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
		347	exit(1);
		348	}
		349	}
		350
341	EUID_ROOT();	351	EUID_ROOT();
342	if (join_namespace(child, "net")) {	352	if (join_namespace(child, "net")) {
343	fprintf(stderr, "Error: cannot join the network namespace\n");	353	fprintf(stderr, "Error: cannot join the network namespace\n");