5 files changed, 36 insertions, 5 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index c45b324fc..2a96afa1b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -265,6 +265,7 @@ extern int arg_audit;		// audit
 extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
 
+extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
@@ -356,7 +357,6 @@ void shut(pid_t pid);
 void shut_name(const char *name);
 
 // restricted_shell.c
-extern char *restricted_user;
 int restricted_shell(const char *user);
 
 // arp.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 75ad69ce4..3e5663a9b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -102,6 +102,7 @@ int arg_appimage = 0;				// appimage
 int arg_audit = 0;                              // audit
 char *arg_audit_prog;                           // audit
 int arg_apparmor;                               // apparmor
+int login_shell = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -877,6 +878,31 @@ int main(int argc, char **argv) {
                         if (strcmp(comm, "sshd") == 0) {
                                 arg_quiet = 1;
                                 parent_sshd = 1;
+
+#if 0
+EUID_ROOT();
+FILE *fp = fopen("/mylog", "w");
+if (fp) {
+        int i;
+        for (i = 0; i < argc; i++)
+                fprintf(fp, "#%s# ", argv[i]);
+        fprintf(fp, "\n");
+        fclose(fp);
+}
+EUID_USER();
+#endif
+                                
+                                // run sftp and ssh directly without any sandboxing
+                                // regular login has argv[0] == "-firejail"
+                                if (*argv[0] != '-') {
+                                        if (strcmp(argv[1], "-c") == 0 && argc > 2) {
+                                                if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 ||
+                                                    strncmp(argv[2], "scp ", 4) == 0) {
+                                                        drop_privs(1);
+                                                        run_no_sandbox(argc, argv);
+                                                }
+                                        }
+                                }
                         }
                         free(comm);
                 }
@@ -884,6 +910,7 @@ int main(int argc, char **argv) {
         
         // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
         if (*argv[0] == '-' || parent_sshd) {
+                login_shell = 1;
                 fullargc = restricted_shell(cfg.username);
                 if (fullargc) {
                         int j;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index f1fd04aec..933922ece 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -172,6 +172,8 @@ void run_no_sandbox(int argc, char **argv) {
                 int len = 0;
                 int i;
                 for (i = 1; i < argc; i++) {
+//                      if (i == 1 && strcmp(argv[i], "-c") == 0)
+//                              continue;
                         if (*argv[i] == '-')
                                 continue;
                         break;
@@ -202,8 +204,9 @@ void run_no_sandbox(int argc, char **argv) {
         }
         
         // start the program in /bin/sh
-        fprintf(stderr, "Warning: an existing sandbox was detected. "
-                "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
+//      if (!arg_quiet)
+                fprintf(stderr, "Warning: an existing sandbox was detected. "
+                        "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
         int rv = system(command);
         (void) rv;
         if (allocated)
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index ee6e94957..1920da40a 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -76,7 +76,6 @@ int restricted_shell(const char *user) {
                 
                 // process user
                 if (strcmp(user, usr) == 0) {
-                        restricted_user = strdup(user);
                         // extract program arguments
 
                         fullargv[0] = "firejail";
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5451c6d6c..3e8b5f934 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -327,9 +327,11 @@ static void start_application(void) {
         else {
                 assert(cfg.shell);
 
-                char *arg[5];
+                char *arg[6];
                 int index = 0;
                 arg[index++] = cfg.shell;
+                if (login_shell)
+                        arg[index++] = "-l";
                 arg[index++] = "-c";
                 assert(cfg.command_line);
                 if (arg_debug)