From 75311732cc354f8c5aaf4468313822c104b50c9e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 8 Apr 2018 14:29:55 -0400
Subject: firejail user access database
---
 Makefile.in | 2 +-
 README.md | 59 ++++++++++++++++++++++++++++++++++++++++++++
 RELNOTES | 2 ++
 src/firecfg/main.c | 2 +-
 src/man/firecfg.txt | 23 +++++++++++++++++
 src/man/firejail-login.txt | 3 ++-
 src/man/firejail-profile.txt | 3 ++-
 src/man/firejail-users.txt | 45 +++++++++++++++++++++++++++++++++
 src/man/firejail.txt | 3 ++-
 src/man/firemon.txt | 1 +
 10 files changed, 138 insertions(+), 5 deletions(-)
 create mode 100644 src/man/firejail-users.txt
diff --git a/Makefile.in b/Makefile.in
index 2d73daa46..135b0a37c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 prefix=@prefix@
diff --git a/README.md b/README.md
index 57c4a0353..1ac6877b7 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,57 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
+## Firejail user access database
+`````
+$ man firejail-users
+FIREJAIL-USERS(5) firejail.users man page FIREJAIL-USERS(5)
+
+NAME
+ firejail.users - Firejail user access database
+
+DESCRIPTION
+ /etc/firejail/firejail.users lists the users allowed to run firejail
+ SUID executable. If the file is not present in the system, all users
+ are allowed to use the sandbox. root user is allowed by default.
+
+ Example:
+
+ $ cat /etc/firejail/firejail.users
+ dustin
+ lucas
+ mike
+ eleven
+
+ Use a text editor to add or remove users from the list. You can also
+ use firecfg --add-users command. Example:
+
+ $ sudo firecfg --add-users dusting lucas mike eleven
+
+ By default, running firecfg creates the file and adds the current user
+ to the list. Example:
+
+ $ sudo firecfg
+
+ See man 1 firecfg for details.
+
+FILES
+ /etc/firejail/firejail.users
+
+LICENSE
+ Firejail is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ Homepage: https://firejail.wordpress.com
+
+SEE ALSO
+ firejail(1), firemon(1), firecfg(1), firejail-profile(5) firejail-
+ login(5)
+
+0.9.53 Apr 2018 FIREJAIL-USERS(5)
+`````
+
 ## Spectre mitigation
 If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
@@ -155,6 +206,14 @@ This feature is also supported for LLVM/clang compiler
 Example:
 $ firejail --nodbus --net=none
+
+ --noautopulse
+ Disable automatic ~/.config/pulse init, for complex setups such
+ as remote pulse servers or non-standard socket paths.
+
+ Example:
+ $ firejail --noautopulse firefox
+
 `````
 ## AppImage development
diff --git a/RELNOTES b/RELNOTES
index c98adcb72..87b3f3780 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -13,6 +13,8 @@ firejail (0.9.53) baseline; urgency=low
 firefox-common-addons.inc in firefox-common.profile.
 * modif: split disable-devel.inc into disable-devel and disable-interpreters.inc
+ * Firejail user access database (/etc/firejail/firejail.users,
+ man firejail-users)
 * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
 * Spectre mitigation patch for gcc and clang compiler
 * D-Bus handling (--nodbus)
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index a54607aec..b79053d3e 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -30,7 +30,7 @@ static char *usage_str =
 "The symbolic links are placed in /usr/local/bin. For more information, see\n"
 "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
 "Usage: firecfg [OPTIONS]\n\n"
-" --add-users user [user] - add the users to Firejail access database\n"
+" --add-users user [user] - add the users to Firejail user access database.\n\n"
 " --clean - remove all firejail symbolic links.\n\n"
 " --debug - print debug messages.\n\n"
 " --fix - fix .desktop files.\n\n"
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e7a7ef6d9..fc0bbcee4 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
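Review bot: The reworded --add-users usage line in the src/firecfg/main.c hunk still does not say which file the option writes, so someone reading `firecfg --help` has nothing to audit or back up; the man page added in this same commit names it as /etc/firejail/firejail.users, and the examples on this page invoke the option through sudo. Suggest `" --add-users user [user] - add the users to Firejail user access database (/etc/firejail/firejail.users).\n\n"` so the help text and the man page agree on the file. usage_str begins before this hunk and continues past it.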
@@ -30,8 +30,30 @@ installing new programs. If the program is supported by Firejail, the symbolic l
 will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config". For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+.SH DEFAULT ACTIONS
+The following actions are implemented by default by running sudo firecfg:
+
+.RS
+- set or update the symbolic links for desktop integration;
+.br
+
+.br
+- add the current user to Firejail user access database (firecfg --add-users);
+.br
+
+.br
+-fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
+.RE
 .SH OPTIONS
+.TP
+\fB\-\-add-users user [user]
+Add the list of users to Firejail user access databaseRemove all firejail symbolic links.
+
+Example:
+.br
+$ sudo firecfg --add-users dustin lucas mike eleven
+
 .TP
 \fB\-\-clean
 Remove all firejail symbolic links.
@@ -102,3 +124,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 29030ba45..c2fa63dc4 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,4 +1,4 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
@@ -38,3 +38,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4b6e9766f..b529f63e3 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -232,7 +232,7 @@ All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see man 1 firejail for some examples.
+This feature is still under development, see \fBman 1 firejail\fR for some examples.
 .TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
@@ -610,3 +610,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
new file mode 100644
index 000000000..ac9c1f621
--- /dev/null
+++ b/src/man/firejail-users.txt
@@ -0,0 +1,45 @@
+.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page"
+.SH NAME
+firejail.users \- Firejail user access database
+
+.SH DESCRIPTION
+/etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
+If the file is not present in the system, all users are allowed to use the sandbox.
+root user is allowed by default.
+
+Example:
+
+ $ cat /etc/firejail/firejail.users
+.br
+ dustin
+.br
+ lucas
+.br
+ mike
+.br
+ eleven
+
+Use a text editor to add or remove users from the list. You can also use firecfg \-\-add-users
+command. Example:
+
+ $ sudo firecfg --add-users dusting lucas mike eleven
+
+By default, running firecfg creates the file and adds the current user to the list. Example:
+
+ $ sudo firecfg
+
+See \fBman 1 firecfg\fR for details.
+
+.SH FILES
+/etc/firejail/firejail.users
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e55d01253..6e8e4eb2c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2691,7 +2691,7 @@ Child process initialized [...]
 .RE
-See man 5 firejail-profile for profile file syntax information.
+See \fBman 5 firejail-profile\fR for profile file syntax information.
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
@@ -2739,3 +2739,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 91c59af4d..9cae72b54 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -111,3 +111,4 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
-- cgit v1.2.3-54-g00ecf