2 files changed, 2 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index e3668140d..f94040d0f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -401,9 +401,6 @@ void fs_whitelist(void) {
                                struct stat s;
                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
                                        goto errexit;
-                                        
-                                // set nonewprivs
-                                arg_nonewprivs = 1;
                        }
                }
                else if (strncmp(new_name, "/tmp/", 5) == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 65744235e..2ddbc9f88 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -947,11 +947,8 @@ $
 Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
 this means that calling a suid binary (or one with file capabilities)
-does not result in an increase of privilege.
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
--nonewprivs is enabled by default if seccomp filter is activated, or if a
-symbolic link in user home directory pointing outside user home
-is whitelisted.
 .TP
 \fB\-\-nosound

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index e3668140d..f94040d0f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -401,9 +401,6 @@ void fs_whitelist(void) {
401	struct stat s;	401	struct stat s;
402	if (stat(fname, &s) == 0 && s.st_uid != getuid())	402	if (stat(fname, &s) == 0 && s.st_uid != getuid())
403	goto errexit;	403	goto errexit;
404
405	// set nonewprivs
406	arg_nonewprivs = 1;
407	}	404	}
408	}	405	}
409	else if (strncmp(new_name, "/tmp/", 5) == 0) {	406	else if (strncmp(new_name, "/tmp/", 5) == 0) {


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 65744235e..2ddbc9f88 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -947,11 +947,8 @@ $
947	Sets the NO_NEW_PRIVS prctl. This ensures that child processes	947	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
948	cannot acquire new privileges using execve(2); in particular,	948	cannot acquire new privileges using execve(2); in particular,
949	this means that calling a suid binary (or one with file capabilities)	949	this means that calling a suid binary (or one with file capabilities)
950	does not result in an increase of privilege.	950	does not result in an increase of privilege. This option
951		951	is enabled by default if seccomp filter is activated.
952	--nonewprivs is enabled by default if seccomp filter is activated, or if a
953	symbolic link in user home directory pointing outside user home
954	is whitelisted.
955		952
956	.TP	953	.TP
957	\fB\-\-nosound	954	\fB\-\-nosound