From c56e49cf0c91cb87ca25f3bb8a0228d4045dd075 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 27 Jul 2016 17:38:51 -0400
Subject: symlink whitelist fix
---
 src/firejail/fs_whitelist.c | 11 +++++++----
 src/man/firejail.txt | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 926e5415c..f94040d0f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -391,14 +391,17 @@ void fs_whitelist(void) {
 entry->home_dir = 1;
 home_dir = 1;
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", __LINE__, fname, cfg.homedir);
 // both path and absolute path are under /home
-// if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-// goto errexit;
-// }
+ if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+ // check if the file is owned by the user
+ struct stat s;
+ if (stat(fname, &s) == 0 && s.st_uid != getuid())
+ goto errexit;
+ }
 } else if (strncmp(new_name, "/tmp/", 5) == 0) {
 entry->tmp_dir = 1;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c9e24380c..d8bd34f10 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1523,7 +1523,7 @@ firejail version 0.9.27
 \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. With the exception of user home, both the link and the real file should be in
-the same top directory.
+the same top directory. For /home, both the link and the real file should be owned by the user.
 .br
 .br
--
cgit v1.2.3-70-g09d2
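Review bot: The ownership check added in the home-directory branch of fs_whitelist() fails open: when `stat(fname, &s)` returns non-zero, the `&&` short-circuits and a link target outside the home directory is accepted with no owner verification at all. An unverifiable target should be rejected, `if (stat(fname, &s) != 0 || s.st_uid != getuid()) goto errexit;`. The guarding `strncmp(fname, cfg.homedir, strlen(cfg.homedir))` is a bare prefix match, so if cfg.homedir carries no trailing slash (not visible here), a sibling directory whose name merely begins with the home path is treated as inside home and never reaches the owner check; also requiring the character after the prefix to be `/` or `\0` would close that. The check is made by path name, so its result can go stale before the target is used later in the function; the body of fs_whitelist() starts and ends outside this hunk, so that part should be confirmed against the full file.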