Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_whitelist.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 666f02e4d..122c100f8 100644
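--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -735,6 +735,22 @@ void fs_whitelist(void) {
 errExit("mounting tmpfs on /tmp");
 fs_logger("tmpfs /tmp");
 
+// pam-tmpdir - issue #2685
+char *env = getenv("TMP");
+if (env) {
+char *pamtmpdir;
+if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+errExit("asprintf");
+if (strcmp(env, pamtmpdir) == 0) {
+// create empty user-owned /tmp/user/$uid directory
+mkdir_attr("/tmp/user", 0755, 0, 0);
+fs_logger("mkdir /tmp/user");
+mkdir_attr(pamtmpdir, 0700, getuid(), getgid());
+fs_logger2("mkdir", pamtmpdir);
+}
+free(pamtmpdir);
+}
+
 // autowhitelist home directory if it is masked by the tmpfs
 if (strncmp(cfg.homedir, "/tmp/", 5) == 0)
 whitelist_home(WLDIR_TMP);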
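Review bot: The new pam-tmpdir block does not document the invariant that makes it safe: `TMP` comes from the caller's environment, and the code only compares it with `strcmp` against the path built from `getuid()`, never passing `env` itself to `mkdir_attr`. Since `/tmp/user` is created with owner 0:0, this code presumably runs with elevated privileges, so the invariant deserves a comment above the `getenv` call, e.g. `// TMP is caller-controlled: compare only, always create the path derived from getuid()`. That would keep a later cleanup from replacing `pamtmpdir` with `env` in the `mkdir_attr` call. `mkdir_attr` is defined outside this hunk, so confirm it fails hard rather than silently if either directory cannot be created with the requested owner and mode. `fs_whitelist` begins and ends outside the hunk.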