Diffstat (limited to 'src/firejail/restrict_users.c')
-rw-r--r--src/firejail/restrict_users.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 982dba5ac..d66deeb97 100644
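--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <linux/limits.h>
@@ -26,7 +27,6 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
-#include "../../uids.h"
 
 #define MAXBUF 1024
 
@@ -115,8 +115,9 @@ static void sanitize_passwd(void) {
  struct stat s;
  if (stat("/etc/passwd", &s) == -1)
  return;
+ assert(uid_min);
  if (arg_debug)
- printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN);
+ printf("Sanitizing /etc/passwd, UID_MIN %d\n", uid_min);
  if (is_link("/etc/passwd")) {
  fprintf(stderr, "Error: invalid /etc/passwd\n");
  exit(1);
@@ -167,7 +168,8 @@ static void sanitize_passwd(void) {
  int rv = sscanf(ptr, "%d:", &uid);
  if (rv == 0 || uid < 0)
  goto errout;
- if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534
+ assert(uid_min);
+ if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534
  fprintf(fpout, "%s", buf);
  continue;
  }
@@ -248,8 +250,9 @@ static void sanitize_group(void) {
  struct stat s;
  if (stat("/etc/group", &s) == -1)
  return;
+ assert(gid_min);
  if (arg_debug)
- printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN);
+ printf("Sanitizing /etc/group, GID_MIN %d\n", gid_min);
  if (is_link("/etc/group")) {
  fprintf(stderr, "Error: invalid /etc/group\n");
  exit(1);
@@ -299,7 +302,8 @@ static void sanitize_group(void) {
  int rv = sscanf(ptr, "%d:", &gid);
  if (rv == 0 || gid < 0)
  goto errout;
- if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup
+ assert(gid_min);
+ if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup
  if (copy_line(fpout, buf, ptr))
  goto errout;
  continue;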
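Review bot: The `assert(uid_min)` and `assert(gid_min)` guards added in sanitize_passwd() and sanitize_group() are the only validation of the new runtime thresholds, and `assert` compiles to nothing when the build defines NDEBUG. With a zero threshold the tests `uid < uid_min` and `gid < gid_min` can never be true, so every entry except 65534 would take the non-system path; what that path does lies outside these hunks, and where `uid_min`/`gid_min` are assigned is not visible here. I would replace the function-entry asserts with an explicit check in the style the file already uses for `/etc/passwd`, e.g. `if (uid_min <= 0) { fprintf(stderr, "Error: invalid UID_MIN\n"); exit(1); }` (and the same for `gid_min`). The second assert inside each parsing loop then becomes redundant and can be dropped. If the variables turn out to be unsigned, the `%d` in the two debug `printf` calls should be adjusted to match.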