From 44ec35dc99641a54a58d5af71bab17e92f03772f Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 29 Jul 2016 07:45:19 -0400
Subject: noexec fix

---
 src/firejail/fs.c    | 32 +++++++++++--------------------
 src/man/firejail.txt |  2 +-
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 630458549..ff5887c10 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -716,10 +716,8 @@ void fs_proc_sys_dev_boot(void) {
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
-static void disable_firejail_config(void) {
+static void disable_config(void) {
 	struct stat s;
-//	if (stat("/etc/firejail", &s) == 0)
-//		disable_file(BLACKLIST_FILE, "/etc/firejail");
 
 	char *fname;
 	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
@@ -728,18 +726,6 @@ static void disable_firejail_config(void) {
 		disable_file(BLACKLIST_FILE, fname);
 	free(fname);
 
-//	if (stat("/usr/local/etc/firejail", &s) == 0)
-//		disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
-//
-//	if (strcmp(PREFIX, "/usr/local")) {
-//		if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-//			errExit("asprintf");
-//		if (stat(fname, &s) == 0)
-//			disable_file(BLACKLIST_FILE, fname);
-//		free(fname);
-//	}
-
-
 	// disable run time information
 	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
 		disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
@@ -754,16 +740,20 @@ static void disable_firejail_config(void) {
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
+	uid_t uid = getuid();
+
 	if (arg_debug)
 		printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
 	if (!arg_writable_etc) {
 		fs_rdonly("/etc");
-		fs_noexec("/etc");
+		if (uid)
+			fs_noexec("/etc");
 		if (arg_debug) printf(", /etc");
 	}
 	if (!arg_writable_var) {
 		fs_rdonly("/var");
-		fs_noexec("/var");
+		if (uid)
+			fs_noexec("/var");
 		if (arg_debug) printf(", /var");
 	}
 	if (arg_debug) printf("\n");
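Review bot: The header comment kept as context above the renamed function, `// disable firejail configuration in /etc/firejail and in ~/.config/firejail`, no longer describes disable_config: with the commented-out /etc/firejail block deleted, the visible body only blacklists `~/.config/firejail` and, in the following hunk, the run-time network directory, and nothing under /etc is touched. Suggest `// blacklist ~/.config/firejail and the firejail run-time directories inside the sandbox; system-wide config under /etc is not disabled here`. `struct stat s` stays in use by the `stat(RUN_FIREJAIL_NETWORK_DIR, &s)` check further down, so keeping the declaration is correct. disable_config's body continues past the end of this hunk.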
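Review bot: The new `if (uid)` guards around `fs_noexec("/etc")` and `fs_noexec("/var")` carry no explanation in the code; the only hint at the rationale is the man-page wording elsewhere in this patch, so a why-comment next to `uid_t uid = getuid();` is needed, e.g. `// noexec on /etc and /var is applied only for unprivileged callers; root-started sandboxes (presumably the chained --force install case) keep them executable`. Because firejail is, as far as I know, installed setuid-root, `getuid()` here is the invoking user's real uid rather than the effective one, which is what makes the guard meaningful — worth stating in that comment, and `if (uid != 0)` would read more clearly for a uid_t and match the `getuid() != 0` form used elsewhere in this file. Note this also removes noexec as defense in depth from every root-started sandbox unless `--noexec=/etc` and `--noexec=/var` are passed explicitly; if that trade-off is intended, the comment should say so. fs_basic_fs continues past the end of this hunk.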
@@ -791,8 +781,8 @@ void fs_basic_fs(void) { // when starting as root, firejail config is not disabled; // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) - if (getuid() != 0) - disable_firejail_config(); + if (uid) + disable_config(); } @@ -1028,7 +1018,7 @@ void fs_overlayfs(void) { // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) if (getuid() != 0) - disable_firejail_config(); + disable_config(); // cleanup and exit free(option); @@ -1185,7 +1175,7 @@ void fs_chroot(const char *rootdir) { // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) if (getuid() != 0) - disable_firejail_config(); + disable_config(); } #endif diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2ddbc9f88..d34cfdb20 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -862,7 +862,7 @@ $ firejail \-\-noexec=/tmp .br .br -/etc and /var are noexec by default. If there are more than one mount operation +/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox. .TP -- cgit v1.2.3-70-g09d2
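Review bot: Style: this hunk switches the root check to the cached `if (uid)` while the two following hunks in fs_overlayfs and fs_chroot keep `if (getuid() != 0)`; both are correct, but one consistent spelling (`if (uid != 0)` for fs_basic_fs, or the cached uid in all three) stops a reader from wondering whether the conditions differ. Separately, if fs_overlayfs or fs_chroot also apply fs_noexec to /etc or /var — not visible in these hunks — they did not receive the root exemption added to fs_basic_fs, and the man page's new claim "noexec by default if the sandbox was started as a regular user" would then hold only for the basic filesystem; worth confirming against those functions. fs_basic_fs starts before this hunk.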