diff options
Diffstat (limited to 'src/firejail/restrict_users.c')
| -rw-r--r-- | src/firejail/restrict_users.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 53e395b89..892244b5f 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -246,6 +246,11 @@ static void sanitize_passwd(void) { | |||
| 246 | // mount-bind tne new password file | 246 | // mount-bind tne new password file |
| 247 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) | 247 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) |
| 248 | errExit("mount"); | 248 | errExit("mount"); |
| 249 | |||
| 250 | // blacklist RUN_PASSWD_FILE | ||
| 251 | if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 252 | errExit("mount"); | ||
| 253 | |||
| 249 | fs_logger("create /etc/passwd"); | 254 | fs_logger("create /etc/passwd"); |
| 250 | 255 | ||
| 251 | return; | 256 | return; |
| @@ -376,6 +381,11 @@ static void sanitize_group(void) { | |||
| 376 | // mount-bind tne new group file | 381 | // mount-bind tne new group file |
| 377 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) | 382 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) |
| 378 | errExit("mount"); | 383 | errExit("mount"); |
| 384 | |||
| 385 | // blacklist RUN_GROUP_FILE | ||
| 386 | if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 387 | errExit("mount"); | ||
| 388 | |||
| 379 | fs_logger("create /etc/group"); | 389 | fs_logger("create /etc/group"); |
| 380 | 390 | ||
| 381 | return; | 391 | return; |