diff options
Diffstat (limited to 'src/firejail/restrict_users.c')
-rw-r--r-- | src/firejail/restrict_users.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 982dba5ac..d66deeb97 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/firejail_user.h" | ||
21 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
23 | #include <linux/limits.h> | 24 | #include <linux/limits.h> |
@@ -26,7 +27,6 @@ | |||
26 | #include <dirent.h> | 27 | #include <dirent.h> |
27 | #include <fcntl.h> | 28 | #include <fcntl.h> |
28 | #include <errno.h> | 29 | #include <errno.h> |
29 | #include "../../uids.h" | ||
30 | 30 | ||
31 | #define MAXBUF 1024 | 31 | #define MAXBUF 1024 |
32 | 32 | ||
@@ -115,8 +115,9 @@ static void sanitize_passwd(void) { | |||
115 | struct stat s; | 115 | struct stat s; |
116 | if (stat("/etc/passwd", &s) == -1) | 116 | if (stat("/etc/passwd", &s) == -1) |
117 | return; | 117 | return; |
118 | assert(uid_min); | ||
118 | if (arg_debug) | 119 | if (arg_debug) |
119 | printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN); | 120 | printf("Sanitizing /etc/passwd, UID_MIN %d\n", uid_min); |
120 | if (is_link("/etc/passwd")) { | 121 | if (is_link("/etc/passwd")) { |
121 | fprintf(stderr, "Error: invalid /etc/passwd\n"); | 122 | fprintf(stderr, "Error: invalid /etc/passwd\n"); |
122 | exit(1); | 123 | exit(1); |
@@ -167,7 +168,8 @@ static void sanitize_passwd(void) { | |||
167 | int rv = sscanf(ptr, "%d:", &uid); | 168 | int rv = sscanf(ptr, "%d:", &uid); |
168 | if (rv == 0 || uid < 0) | 169 | if (rv == 0 || uid < 0) |
169 | goto errout; | 170 | goto errout; |
170 | if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534 | 171 | assert(uid_min); |
172 | if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534 | ||
171 | fprintf(fpout, "%s", buf); | 173 | fprintf(fpout, "%s", buf); |
172 | continue; | 174 | continue; |
173 | } | 175 | } |
@@ -248,8 +250,9 @@ static void sanitize_group(void) { | |||
248 | struct stat s; | 250 | struct stat s; |
249 | if (stat("/etc/group", &s) == -1) | 251 | if (stat("/etc/group", &s) == -1) |
250 | return; | 252 | return; |
253 | assert(gid_min); | ||
251 | if (arg_debug) | 254 | if (arg_debug) |
252 | printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN); | 255 | printf("Sanitizing /etc/group, GID_MIN %d\n", gid_min); |
253 | if (is_link("/etc/group")) { | 256 | if (is_link("/etc/group")) { |
254 | fprintf(stderr, "Error: invalid /etc/group\n"); | 257 | fprintf(stderr, "Error: invalid /etc/group\n"); |
255 | exit(1); | 258 | exit(1); |
@@ -299,7 +302,8 @@ static void sanitize_group(void) { | |||
299 | int rv = sscanf(ptr, "%d:", &gid); | 302 | int rv = sscanf(ptr, "%d:", &gid); |
300 | if (rv == 0 || gid < 0) | 303 | if (rv == 0 || gid < 0) |
301 | goto errout; | 304 | goto errout; |
302 | if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup | 305 | assert(gid_min); |
306 | if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup | ||
303 | if (copy_line(fpout, buf, ptr)) | 307 | if (copy_line(fpout, buf, ptr)) |
304 | goto errout; | 308 | goto errout; |
305 | continue; | 309 | continue; |