From 90877c63eecf5e161c86df6b0c62006029e2677e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 23 Apr 2018 09:38:21 -0400
Subject: fix user database access
---
 src/firejail/firejail.h | 2 +-
 src/firejail/main.c | 7 +++++--
 src/firejail/run_symlink.c | 17 ++++++++---------
 src/lib/firejail_user.c | 11 +++++------
 src/man/firejail-users.txt | 6 +++++-
 5 files changed, 24 insertions(+), 19 deletions(-)
 (limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2746deea1..0df832c09 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -671,7 +671,7 @@ void fs_logger_change_owner(void);
 void fs_logger_print_log(pid_t pid);
 // run_symlink.c
-void run_symlink(int argc, char **argv);
+void run_symlink(int argc, char **argv, int run_as_is);
 // paths.c
 char **build_paths(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1a37aca2f..9a013989a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -239,12 +239,15 @@ static void init_cfg(int argc, char **argv) {
 }
 cfg.cwd = getcwd(NULL, 0);
- // chack user database
+ // check user database
 if (!firejail_user_check(cfg.username)) {
 fprintf(stderr, "Error: the user is not allowed to use Firejail. "
 "Please add the user in %s/firejail.users file, "
 "either by running \"sudo firecfg\", or by editing the file directly.\n"
 "See \"man firejail-users\" for more details.\n", SYSCONFDIR);
+
+ // attempt to run the program as is
+ run_symlink(argc, argv, 1);
 exit(1);
 }
@@ -914,7 +917,7 @@ int main(int argc, char **argv) {
 // check argv[0] symlink wrapper if this is not a login shell
 if (*argv[0] != '-')
- run_symlink(argc, argv); // if symlink detected, this function will not return
+ run_symlink(argc, argv, 0); // if symlink detected, this function will not return
 // check if we already have a sandbox running
 // If LXC is detected, start firejail sandbox
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 5d59afad4..2bb4a2ed7 100644
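Review bot: The error text above the new `run_symlink(argc, argv, 1)` still advises the caller to add themselves to firejail.users, but with the paired change in src/lib/firejail_user.c a caller whose uid is below UID_MIN (or user nobody) is rejected before that file is read, so for those users the advice cannot work; either branch the message on the reason or drop the firejail.users sentence for them. The comment `// attempt to run the program as is` also understates the outcome: if argv[0] is a symlink wrapper the real program is exec'd with the caller's own uid/gid and no sandbox at all, and `exit(1)` is reached only when run_symlink returns because argv[0] is plain "firejail". Suggest `// argv[0] symlink wrapper: exec the real program with the caller's ids, outside any sandbox (does not return); plain firejail invocation: exit below`. Whether init_cfg runs before the argv[0] check in main() is outside this hunk, as is the rest of init_cfg.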
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,7 +22,7 @@
 #include
 #include
-void run_symlink(int argc, char **argv) {
+void run_symlink(int argc, char **argv, int run_as_is) {
 EUID_ASSERT();
 char *program = strrchr(argv[0], '/');
@@ -33,6 +33,12 @@ void run_symlink(int argc, char **argv) {
 if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting
 return;
+ // drop privileges
+ if (setgid(getgid()) < 0)
+ errExit("setgid/getgid");
+ if (setuid(getuid()) < 0)
+ errExit("setuid/getuid");
+
 // find the real program by looking in PATH
 char *p = getenv("PATH");
 if (!p) {
@@ -84,20 +90,13 @@ void run_symlink(int argc, char **argv) {
 free(selfpath);
 // desktop integration is not supported for root user; instead, the original program is started
- if (getuid() == 0) {
+ if (getuid() == 0 || run_as_is) {
 argv[0] = program;
 execv(program, argv);
 exit(1);
 }
 // start the argv[0] program in a new sandbox
- // drop privileges
- if (setgid(getgid()) < 0)
- errExit("setgid/getgid");
- if (setuid(getuid()) < 0)
- errExit("setuid/getuid");
-
- // run command
 char *a[3 + argc];
 a[0] =PATH_FIREJAIL;
 a[1] = program;
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 7d9784392..09a4da0e7 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -28,6 +28,7 @@
 #include "../include/common.h"
 #include
 #include
+#include "../../uids.h"
 #define MAXBUF 4098
 static inline char *get_fname(void) {
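Review bot: The privilege drop moved up to this point sits right after `EUID_ASSERT()`, which suggests the effective uid is already the caller's here; if so, `setuid(getuid())` only resets the effective id and the saved set-user-ID remains root until the later `execv()` replaces it, so the PATH walk and the self-path resolution that follow still run in a process that has not permanently shed root. That is harmless for the two exec paths this function now ends in, but the comment should say what the drop does and does not achieve, e.g. `// drop privileges: euid/egid are reset to the caller's ids; the saved root id is only discarded by execv() below`. If a permanent drop before the lookup is the intent, `setresuid(uid, uid, uid)`/`setresgid(gid, gid, gid)` is the explicit form. Confirm against the EUID_ASSERT definition; the body of run_symlink continues past this hunk.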
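Review bot: The comment above the changed `if` still describes only the root case, yet the branch is now also the landing point for a caller that firejail_user_check rejected (run_as_is), who gets the original program started with no sandbox; suggest `// no sandbox here: root has no desktop integration, and a caller rejected by the user database (run_as_is) gets the original program as is`. The `execv(program, argv)` failure on the line after it still ends in a bare `exit(1)`; using `errExit("execv")`, as this file already does for setgid/setuid, would tell the user why their wrapper symlink did not start instead of a silent status 1. `program` is resolved from PATH earlier in the function, outside this hunk.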
@@ -41,15 +42,13 @@ static inline char *get_fname(void) {
 int firejail_user_check(const char *name) {
 assert(name);
- // root allowed by default
+ // root is allowed to run firejail by default
 if (strcmp(name, "root") == 0)
 return 1;
- // user nobody disabled by default
- if (strcmp(name, "nobody") == 0) {
- fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
- exit(1);
- }
+ // other system users will run the program as is
+ if (getuid() < UID_MIN || strcmp(name, "nobody") == 0)
+ return 0;
 // check file existence
 char *fname = get_fname();
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index ec91e495c..c29de0705 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,11 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default, user nobody is denied access by default.
+root user is allowed by default. Other system users (users with an ID below UID_MIN value
+defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+
+If the user is not allowed to start the sandbox, Firejail will attempt to run the
+program without sandboxing it.
 Example:
-- 
cgit v1.2.3-54-g00ecf
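Review bot: The new uid floor is decided on `getuid()` of the calling process while the root and nobody cases are decided on the `name` argument, so the function's result now depends on an input the caller does not pass; a comment should make that visible, e.g. `// uid floor is checked on this process's real uid, not on the name argument`. The same comment (or the function's documentation, if it has any above this hunk) should state that this `return 0` happens before firejail.users is read, so listing a system user in the file does not override it — the man page change says this, the code does not. The old nobody branch printed its own diagnostic and exited; returning 0 silently is consistent with the caller in main.c printing the message now, but any other caller of firejail_user_check in the tree that relied on the exit would be affected. The rest of the function, including the file lookup, is outside this hunk.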