From 35ff4ef959ba3bfc66ad1fd2eb1244fb49335ac0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 14 Aug 2016 15:28:31 -0400 Subject: fixed login shell --- src/firejail/firejail.h | 2 +- src/firejail/main.c | 27 +++++++++++++++++++++++++++ src/firejail/no_sandbox.c | 7 +++++-- src/firejail/restricted_shell.c | 1 - src/firejail/sandbox.c | 4 +++- 5 files changed, 36 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c45b324fc..2a96afa1b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -265,6 +265,7 @@ extern int arg_audit; // audit extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor +extern int login_shell; extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; extern pid_t sandbox_pid; @@ -356,7 +357,6 @@ void shut(pid_t pid); void shut_name(const char *name); // restricted_shell.c -extern char *restricted_user; int restricted_shell(const char *user); // arp.c diff --git a/src/firejail/main.c b/src/firejail/main.c index c8cc3f460..fbffedbde 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -102,6 +102,7 @@ int arg_appimage = 0; // appimage int arg_audit = 0; // audit char *arg_audit_prog; // audit int arg_apparmor; // apparmor +int login_shell = 0; int parent_to_child_fds[2]; int child_to_parent_fds[2]; 
@@ -877,6 +878,31 @@ int main(int argc, char **argv) { if (strcmp(comm, "sshd") == 0) { arg_quiet = 1; parent_sshd = 1; + +#if 0 +EUID_ROOT(); +FILE *fp = fopen("/mylog", "w"); +if (fp) { + int i; + for (i = 0; i < argc; i++) + fprintf(fp, "#%s# ", argv[i]); + fprintf(fp, "\n"); + fclose(fp); +} +EUID_USER(); +#endif + + // run sftp and ssh directly without any sandboxing + // regular login has argv[0] == "-firejail" + if (*argv[0] != '-') { + if (strcmp(argv[1], "-c") == 0 && argc > 2) { + if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 || + strncmp(argv[2], "scp ", 4) == 0) { + drop_privs(1); + run_no_sandbox(argc, argv); + } + } + } } free(comm); } @@ -884,6 +910,7 @@ int main(int argc, char **argv) { // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users if (*argv[0] == '-' || parent_sshd) { + login_shell = 1; fullargc = restricted_shell(cfg.username); if (fullargc) { int j; diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index f1fd04aec..933922ece 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -172,6 +172,8 @@ void run_no_sandbox(int argc, char **argv) { int len = 0; int i; for (i = 1; i < argc; i++) { +// if (i == 1 && strcmp(argv[i], "-c") == 0) +// continue; if (*argv[i] == '-') continue; break; @@ -202,8 +204,9 @@ void run_no_sandbox(int argc, char **argv) { } // start the program in /bin/sh - fprintf(stderr, "Warning: an existing sandbox was detected. " - "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); +// if (!arg_quiet) + fprintf(stderr, "Warning: an existing sandbox was detected. " + "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); int rv = system(command); (void) rv; if (allocated) diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index ee6e94957..1920da40a 100644 --- a/src/firejail/restricted_shell.c 
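Review bot: In the new sshd branch of main(), `strcmp(argv[1], "-c")` is evaluated before `argc > 2`, so with argc == 1 the call receives argv[1] == NULL; test the count first: `if (argc > 2 && strcmp(argv[1], "-c") == 0) {`. Separately, `strncmp(argv[2], "scp ", 4) == 0` constrains only the first four bytes of the string. The no_sandbox.c hunk shows run_no_sandbox() ending in `system(command)`, so if `command` is built from argv[2] (that code is outside the hunks), the rest of the string reaches /bin/sh with no sandbox. Validating the whole string, or exec'ing a fixed argv instead of going through a shell, would close that gap. The `#if 0` block that writes argv to `/mylog` under EUID_ROOT() is debugging residue and is better left out of a setuid program's source. main() starts and ends outside this hunk.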
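Review bot: In the @@ -202 hunk of run_no_sandbox(), the commented-out `// if (!arg_quiet)` sits above a newly indented `fprintf`, so the code reads as if the warning were guarded while it still prints unconditionally. main.c now also reaches this function for sftp/scp sessions under sshd, where the text "an existing sandbox was detected" does not describe what happened. Either enable the guard as `if (!arg_quiet)` (main.c sets `arg_quiet = 1` for sshd) or restore the original indentation, and consider a separate message for the sshd path. The commented-out `-c` check in the @@ -172 hunk should likewise be removed or replaced by a comment saying why `-c` is skipped by the generic `*argv[i] == '-'` test. Both hunks are inside run_no_sandbox(), whose body extends beyond them.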
+++ b/src/firejail/restricted_shell.c @@ -76,7 +76,6 @@ int restricted_shell(const char *user) { // process user if (strcmp(user, usr) == 0) { - restricted_user = strdup(user); // extract program arguments fullargv[0] = "firejail"; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5451c6d6c..3e8b5f934 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -327,9 +327,11 @@ static void start_application(void) { else { assert(cfg.shell); - char *arg[5]; + char *arg[6]; int index = 0; arg[index++] = cfg.shell; + if (login_shell) + arg[index++] = "-l"; arg[index++] = "-c"; assert(cfg.command_line); if (arg_debug) -- cgit v1.2.3-70-g09d2
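Review bot: In start_application(), `-l` is now inserted ahead of `-c` for whatever `cfg.shell` is configured, and `login_shell` is also set when the parent is sshd (main.c: `*argv[0] == '-' || parent_sshd`). This means a command passed over ssh now runs through a login shell that reads the user's profile files before the sandboxed command. Not every shell accepts `-l` combined with `-c` (tcsh, as far as I know, honours `-l` only as the sole flag), so this needs checking against the shells firejail supports. The bound `arg[6]` is a bare number that must track the maximum number of entries pushed, so a comment such as `// shell, optional -l, -c, command line, ..., NULL` and an `assert(index < 6);` after the last push would keep the two in step. The rest of the function, including where the array is terminated, is outside this hunk.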