path: root/src/man/firejail-users.txt
.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page"
.SH NAME
firejail.users \- Firejail user access database

.SH DESCRIPTION
/etc/firejail/firejail.users lists the users allowed to run the firejail SUID executable.
The root user is allowed by default; the user nobody is never allowed.

If the user is not allowed to start the sandbox, Firejail will attempt to run the
program without sandboxing it.

If the file is not present in the system, all users are allowed to use the sandbox.

Example:

	$ cat /etc/firejail/firejail.users
.br
	dustin
.br
	lucas
.br
	mike
.br
	eleven

Use a text editor to add or remove users from the list. You can also use the firecfg \-\-add-users
command. Example:

	$ sudo firecfg --add-users dustin lucas mike eleven

By default, running firecfg creates the file and adds the current user to the list. Example:

	$ sudo firecfg

See \fBman 1 firecfg\fR for details.
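
Because a user who is not in the list still gets the program started, only without a sandbox, it is worth checking which accounts fall into that case. The script below is an added example, not part of Firejail: it applies the rules stated above to a user database and prints the accounts that would run unsandboxed. It assumes one user name per line compared as an exact whole-line match; the function names and the accounts will and max are made up for the illustration.

```shell
#!/bin/sh
# Added example (not Firejail code): apply the firejail.users access rules
# from DESCRIPTION to a list of accounts.
# Assumption: one user name per line, matched exactly against the whole line.

# firejail_user_status USER [DBFILE]
# Prints "sandboxed" if USER may start the sandbox, or "unsandboxed" if
# Firejail would fall back to running the program without sandboxing it.
firejail_user_status() {
    user=$1
    db=${2:-/etc/firejail/firejail.users}

    # User nobody is never allowed.
    if [ "$user" = "nobody" ]; then echo unsandboxed; return 0; fi
    # The root user is allowed by default.
    if [ "$user" = "root" ]; then echo sandboxed; return 0; fi
    # If the file is not present, all users are allowed.
    if [ ! -e "$db" ]; then echo sandboxed; return 0; fi

    # -F fixed string, -x whole line, -q quiet: "dust" must not match "dustin".
    if grep -Fxq -- "$user" "$db"; then
        echo sandboxed
    else
        echo unsandboxed
    fi
}

# audit_users DBFILE USER...
# Prints, one per line, the accounts that would silently run unsandboxed.
audit_users() {
    db=$1
    shift
    for u in "$@"; do
        [ "$(firejail_user_status "$u" "$db")" = "unsandboxed" ] && echo "$u"
    done
    return 0
}

# Constructed sample database holding the four names from the example above.
sample=$(mktemp)
printf '%s\n' dustin lucas mike eleven > "$sample"
audit_users "$sample" root dustin will nobody
rm -f "$sample"
```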

.SH ALTERNATIVE SOLUTION
An alternative way of restricting user access to the firejail executable is to create a special firejail user group and
allow only users in this group to run the sandbox:

	# addgroup --system firejail
.br
	# chown root:firejail /usr/bin/firejail
.br
	# chmod 4750 /usr/bin/firejail


.SH FILES
/etc/firejail/firejail.users

.SH LICENSE
Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.PP
Homepage: https://firejail.wordpress.com
.SH SEE ALSO
.BR firejail (1),
.BR firemon (1),
.BR firecfg (1),
.BR firejail-profile (5),
.BR firejail-login (5),
.BR jailcheck (1)