From a43d86b9904052ccbe33a8a3c62dadee2b755e87 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 18 Mar 2016 21:43:10 -0400
Subject: x11 fix
---
 src/firejail/x11.c | 7 +++++++
 src/man/firejail.txt | 14 +++++++-------
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 8c781c67a..a7bd9fd29 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -127,6 +127,13 @@ void x11_start(int argc, char **argv) {
 pid_t client = 0;
 pid_t server = 0;
+
+ // unfortunately, xpra does a number of wired things when started by root user!!!
+ if (getuid() == 0) {
+ fprintf(stderr, "Error: this feature is not available when running as root\n");
+ exit(1);
+ }
+
 // check xpra
 if (x11_check_xpra() == 0) {
 fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index fead4eaf5..b72296387 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1516,7 +1516,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing display 0.
+applications started in the sandbox from accessing display 0. This feature is not available when running as root.
 .br
 .br
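Review bot: The comment over the new root guard in x11_start (src/firejail/x11.c) does not say what xpra does wrong when root starts it, and "wired" is presumably a typo for "weird", so a later reader cannot tell whether the check is a security boundary or a compatibility workaround. I would name the identity being tested, e.g. `// xpra misbehaves when started by root; refuse when the real UID (getuid) is 0`, and add the specific failure once it is known. Because getuid() reports the real UID, the guard keys on who invoked the program rather than on effective privilege; that looks intended, but the hunk does not show how privileges are held at this point, so it is worth stating. The message could also name the option rather than "this feature", e.g. `"Error: --x11 is not available when running as root\n"`. The body of x11_start begins and ends outside the hunk.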
@@ -1535,29 +1535,29 @@ Example:
 $ firejail \-\-zsh
 .SH FILE TRANSFER
-These features allow the user to inspect the file system container of an existing sandbox
-and transfer files from the container to the host file system.
+These features allow the user to inspect the filesystem container of an existing sandbox
+and transfer files from the container to the host filesystem.
 .TP
 \fB\-\-get=name filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is spececified by name (\-\-name option). Full path is needed for filename.
+The container is specified by name (\-\-name option). Full path is needed for filename.
 .TP
 \fB\-\-get=pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is spececified by process ID. Full path is needed for filename.
+The container is specified by process ID. Full path is needed for filename.
 .TP
 \fB\-\-ls=name dir_or_filename
 List container files.
-The container is spececified by name (\-\-name option).
+The container is specified by name (\-\-name option).
 Full path is needed for dir_or_filename.
 .TP
 \fB\-\-ls=pid dir_or_filename
 List container files.
-The container is spececified by process ID.
+The container is specified by process ID.
 Full path is needed for dir_or_filename.
 .TP
--
cgit v1.2.3-70-g09d2