From 5440bc47971bfbe0db570283973bafb0b2486e69 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 12 Jan 2017 20:10:17 -0500
Subject: cleanup
---
 src/firejail/fs.c | 36 ++++++++++++++++++++++++++++++++++--
 src/firejail/fs_mkdir.c | 29 ++---------------------------
 src/firejail/util.c | 2 +-
 3 files changed, 37 insertions(+), 30 deletions(-)
(limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index d7764accd..0da4cc111 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -711,10 +711,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 // create ~/.firejail directory
 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
+
+ if (is_link(dirname)) {
+ fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+ exit(1);
+ }
 if (stat(dirname, &s) == -1) {
- mkdir_attr(dirname, 0700, 0, 0);
+ // create directory
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // create directory
+ if (mkdir(dirname, 0700))
+ errExit("mkdir");
+ if (chmod(dirname, 0700) == -1)
+ errExit("chmod");
+ ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+ _exit(0);
+ }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
+ if (stat(dirname, &s) == -1) {
+ fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+ exit(1);
+ }
 }
- else if (is_link(dirname)) {
+ else if (s.st_uid != getuid()) {
 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
 exit(1);
 }
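Review bot: The re-check after `waitpid(child, NULL, 0)` in fs_check_overlay_dir uses `stat`, which follows symlinks, and tests neither owner nor file type, so anything that exists at `~/.firejail` by then is accepted; the owner test `s.st_uid != getuid()` runs only on the branch where the directory already existed. I would make the post-creation check `if (lstat(dirname, &s) == -1 || !S_ISDIR(s.st_mode) || s.st_uid != getuid()) {` and apply the same directory test on the pre-existing branch. The path-based `is_link` test followed by a separate create call leaves a window between check and use; the `fs_chroot` hunk in this commit has the same shape. The child's exit status is also discarded by passing `NULL` to `waitpid`. The function starts and ends outside the hunk.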
@@ -1141,10 +1167,16 @@ void fs_chroot(const char *rootdir) {
 free(newx11);
 }

+ // some older distros don't have a /run directory
+ // create one by default
 // create /run/firejail directory in chroot
 char *rundir;
 if (asprintf(&rundir, "%s/run", rootdir) == -1)
 errExit("asprintf");
+ if (is_link(rundir)) {
+ fprintf(stderr, "Error: invalid run directory inside chroot\n");
+ exit(1);
+ }
 create_empty_dir_as_root(rundir, 0755);
 free(rundir);
 if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 5b6ceae90..d29f58a58 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
 }

 // create file
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- // drop privileges
- drop_privs(0);
-
- /* coverity[toctou] */
- FILE *fp = fopen(expanded, "w");
- if (!fp)
- fprintf(stderr, "Warning: cannot create %s file\n", expanded);
- else {
- int fd = fileno(fp);
- if (fd == -1)
- errExit("fileno");
- int rv = fchmod(fd, 0600);
- (void) rv;
- fclose(fp);
- }
-#ifdef HAVE_GCOV
- __gcov_flush();
-#endif
- _exit(0);
- }
- // wait for the child to finish
- waitpid(child, NULL, 0);
-
+ touch_file_as_user(expanded, getuid(), getgid(), 0600);
+
 doexit:
 free(expanded);
 }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 763e6b58b..10000e912 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -231,7 +231,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
 // copy, set permissions and ownership
 int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
 if (rv)
- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+ fprintf(stderr, "Warning: cannot copy %s\n", srcname);
 #ifdef HAVE_GCOV
 __gcov_flush();
 #endif
-- 
cgit v1.2.3-70-g09d2
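Review bot: The three stacked comments above `char *rundir;` in fs_chroot no longer agree with each other: the two new lines talk about creating `/run`, the retained one about `/run/firejail`, and none of them says why a symlinked `run` is fatal. I would merge them into `// older distros may lack /run: create run and run/firejail inside the chroot` and put `// refuse a symlink: the directory below is created with root privileges (per the helper's name)` above the `is_link(rundir)` test. Whether the `%s/run/firejail` path built on the last context line gets the same `is_link` test cannot be seen here, since fs_chroot starts and ends outside the hunk.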
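Review bot: The removed child in fs_mkfile printed `Warning: cannot create %s file` when `fopen` failed, while the replacement `touch_file_as_user(expanded, getuid(), getgid(), 0600);` is a bare call whose body is not part of this diff, so it is not visible whether a failed create is still reported to the user. If the helper is silent, the caller should check for the file after the call and emit the old warning, so that a profile's `mkfile` line that did nothing is not mistaken for success. The `/* coverity[toctou] */` annotation also disappears with the inline code; the helper would be the place to document that the create runs with dropped privileges, assuming it does. The function starts outside the hunk.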