From ee1d5d7c8cb2f7b3ab81125168881040f5d17d48 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 22 Oct 2021 23:10:07 +0200
Subject: private-bin: switch effective uid
---
 src/firejail/fs_bin.c | 9 +++++++++
 src/firejail/sandbox.c | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index d485de05a..1ff074599 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -41,6 +41,7 @@ static char *paths[] = {
 // return 1 if found, 0 if not found
 static char *check_dir_or_file(const char *name) {
+ EUID_ASSERT();
 assert(name);
 struct stat s;
@@ -80,6 +81,7 @@ static char *check_dir_or_file(const char *name) {
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
+ EUID_ASSERT();
 assert(name);
 if (*name != '/')
@@ -131,6 +133,7 @@ static void report_duplication(const char *fname) {
 }
 static void duplicate(char *fname) {
+ EUID_ASSERT();
 assert(fname);
 if (*fname == '~' || strstr(fname, "..")) {
@@ -202,6 +205,7 @@ static void duplicate(char *fname) {
 }
 static void globbing(char *fname) {
+ EUID_ASSERT();
 assert(fname);
 // go directly to duplicate() if no globbing char is present - see man 7 glob
@@ -252,6 +256,7 @@ static void globbing(char *fname) {
 }
 void fs_private_bin_list(void) {
+ EUID_ASSERT();
 char *private_list = cfg.bin_private_keep;
 assert(private_list);
@@ -259,7 +264,9 @@ void fs_private_bin_list(void) {
 timetrace_start();
 // create /run/firejail/mnt/bin directory
+ EUID_ROOT();
 mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
+ EUID_USER();
 if (arg_debug) printf("Copying files in the new bin directory\n");
@@ -287,8 +294,10 @@ void fs_private_bin_list(void) {
 if (stat(paths[i], &s) == 0) {
 if (arg_debug) printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
+ EUID_ROOT();
 if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind");
+ EUID_USER();
 fs_logger2("tmpfs", paths[i]);
 fs_logger2("mount", paths[i]);
 }
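Review bot: The `EUID_ASSERT()` added at the top of check_dir_or_file() is the only thing enforcing that path probing runs without root euid, and the same line is added to valid_full_path_file(), duplicate(), globbing() and fs_private_bin_list() in the following hunks. Its definition is not part of this diff; if it is built on `assert()`, the check disappears under NDEBUG, so it should be read as a statement of the contract rather than a runtime guard. I would put the contract in each header comment, e.g. `// caller must hold the user's effective uid (checked by EUID_ASSERT)`. The existing `// return 1 if found, 0 if not found` line also sits above a function declared to return `char *` and should be corrected by someone who can see the body, which continues outside the hunk.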
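Review bot: After the `EUID_USER()` that follows `mkdir_attr(RUN_BIN_DIR, 0755, 0, 0)`, the rest of fs_private_bin_list() runs with the user's euid against a directory created with owner 0, group 0 and mode 0755. The copy step, presumably reached through globbing() and duplicate() outside this hunk, therefore has to regain privilege on its own; that looks intended (lookup as the user, writes through one privileged path), but nothing in the hunk says so. A comment such as `// root only to create RUN_BIN_DIR; file lookup below runs with the user's euid` would make the split reviewable. The same bracket is added around `mount()` in the next hunk, where `errExit("mount bind")` is reached while euid is still root, which is harmless only if errExit() never returns (defined elsewhere, so an assumption here).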
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d66b6c573..efa21c34b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -890,16 +890,16 @@ int sandbox(void* sandbox_arg) {
 else if (arg_overlay) fwarning("private-bin feature is disabled in overlay\n");
 else {
+ EUID_USER();
 // for --x11=xorg we need to add xauth command
 if (arg_x11_xorg) {
- EUID_USER();
 char *tmp;
 if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) errExit("asprintf");
 cfg.bin_private_keep = tmp;
- EUID_ROOT();
 }
 fs_private_bin_list();
+ EUID_ROOT();
 }
 }
-- cgit v1.2.3-70-g09d2
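Review bot: Moving `EUID_USER()` ahead of the `arg_x11_xorg` block and `EUID_ROOT()` behind `fs_private_bin_list()` changes that function's precondition, and this hunk updates only the one call site in sandbox(). Any other caller not shown in the diff would now trip the `EUID_ASSERT()` added in fs_bin.c or, in a build where that assertion is compiled out, keep running the lookups with root euid, so the remaining callers are worth checking. A comment at the call, e.g. `// fs_private_bin_list() must be entered with user euid; it raises to root only for mkdir and mount`, would record the contract where the switch happens. sandbox() starts and ends outside the hunk.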