From ab36d4527faf8eed995c62966fe35ca1062e212b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 17:33:01 -0400 Subject: removed --user --- README.md | 4 ++ RELNOTES | 3 +- src/firejail/firejail.h | 3 -- src/firejail/main.c | 1 - src/firejail/usage.c | 1 - src/firejail/user.c | 115 ------------------------------------------------ src/man/firejail.txt | 8 ---- 7 files changed, 6 insertions(+), 129 deletions(-) delete mode 100644 src/firejail/user.c diff --git a/README.md b/README.md index c4d2907af..c16a32e62 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,10 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` # Current development version: 0.9.41 +## Deprecated --user + +--user option was deprecated, please use "sudo -u username firejail application" instead. + ## AppImage AppImage (http://appimage.org/) is a distribution-agnostic packaging format. diff --git a/RELNOTES b/RELNOTES index 788bfe407..20e7df7f1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,8 +1,9 @@ firejail (0.9.41) baseline; urgency=low * work in progress... + * deprecated --user option, please use "sudo -u username firejail" instead * AppImage support (--appimage) * Sandbox auditing support (--audit) - * Remove environment variable (--rmenv) + * remove environment variable (--rmenv) * include /dev/snd in --private-dev * added mkfile profile command * seccomp filter updated diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 590646f23..c18dacbbb 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -545,9 +545,6 @@ void fs_logger_print_log(pid_t pid); // run_symlink.c void run_symlink(int argc, char **argv); -// user.c -void check_user(int argc, char **argv); - // paths.c char **build_paths(void); diff --git a/src/firejail/main.c b/src/firejail/main.c index a0225be15..35f825a07 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -900,7 +900,6 @@ int main(int argc, char **argv) { else { // check --output option and execute it; check_output(argc, argv); // the function will not return if --output option was found - check_user(argc, argv); // the function will not return if --user option was found } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b67300618..6b7a666db 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -252,7 +252,6 @@ void usage(void) { printf(" --tracelog - add a syslog message for every access to files or\n"); printf("\tdirectoires blacklisted by the security profile.\n\n"); printf(" --tree - print a tree of all sandboxed processes.\n\n"); - printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); printf(" --version - print program version and exit.\n\n"); #ifdef HAVE_WHITELIST printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); diff --git a/src/firejail/user.c b/src/firejail/user.c deleted file mode 100644 index a2f34392c..000000000 --- a/src/firejail/user.c +++ /dev/null @@ -1,115 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ -#include "firejail.h" -#include -#include -#include -#include -#include - - -void check_user(int argc, char **argv) { - EUID_ASSERT(); - int i; - char *user = NULL; - - int found = 0; - for (i = 1; i < argc; i++) { - // check options - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - - // check user option - if (strncmp(argv[i], "--user=", 7) == 0) { - found = 1; - user = argv[i] + 7; - break; - } - } - if (!found) - return; - - // check root - if (getuid() != 0) { - fprintf(stderr, "Error: you need to be root to use --user command line option\n"); - exit(1); - } - - // switch user - struct passwd *pw = getpwnam(user); - if (!pw) { - fprintf(stderr, "Error: cannot find user %s\n", user); - exit(1); - } - - printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid); - int rv = initgroups(user, pw->pw_gid); - if (rv == -1) { - perror("initgroups"); - fprintf(stderr, "Error: cannot switch to user %s\n", user); - } - - rv = setgid(pw->pw_gid); - if (rv == -1) { - perror("setgid"); - fprintf(stderr, "Error: cannot switch to user %s\n", user); - } - - rv = setuid(pw->pw_uid); - if (rv == -1) { - perror("setuid"); - fprintf(stderr, "Error: cannot switch to user %s\n", user); - } - - // build the new command line - int len = 0; - for (i = 0; i < argc; i++) { - len += strlen(argv[i]) + 1; // + ' ' - } - - char *cmd = malloc(len + 1); // + '\0' - if (!cmd) - errExit("malloc"); - - char *ptr = cmd; - int first = 1; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--user=", 7) == 0 && first) { - first = 0; - continue; - } - - ptr += sprintf(ptr, "%s ", argv[i]); - } - - // run command - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd; - a[3] = NULL; - - execvp(a[0], a); - - perror("execvp"); - exit(1); -} diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8d20cf36b..7c9cd98de 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1485,15 +1485,7 @@ $ firejail \-\-tree 11969:netblue:firejail \-\-net=eth0 transmission-gtk .br 11970:netblue:transmission-gtk -.TP -\fB\-\-user=new-user -Switch the user before starting the sandbox. This command should be run as root. -.br -.br -Example: -.br -# firejail \-\-user=www-data .TP \fB\-\-version Print program version and exit. -- cgit v1.2.3-70-g09d2