user access database in /etc/firejail/firejail.users - more to come

netblue30 · Apr 5, 2018 · 0992ba0 · reinerh · Apr 6, 2018 · Fred-Barclay
1 parent 2517a07
commit 0992ba0
Show file tree

Hide file tree

Showing 6 changed files with 187 additions and 9 deletions.
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
@@ -2,11 +2,11 @@ all: firecfg
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h
  $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-firecfg: $(OBJS) ../lib/common.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno
 

diff --git a/src/firecfg/main.c b/src/firecfg/main.c
@@ -19,6 +19,7 @@
 */
 
 #include "firecfg.h"
+#include "../include/firejail_user.h"
 int arg_debug = 0;
 
 static char *usage_str =
@@ -29,6 +30,7 @@ static char *usage_str =
  "The symbolic links are placed in /usr/local/bin. For more information, see\n"
  "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
  "Usage: firecfg [OPTIONS]\n\n"
+ " --add-users user [user] - add the users to Firejail access database\n"
  " --clean - remove all firejail symbolic links.\n\n"
  " --debug - print debug messages.\n\n"
  " --fix - fix .desktop files.\n\n"
@@ -315,6 +317,19 @@ int main(int argc, char **argv) {
  sound();
  return 0;
  }
+ else if (strcmp(argv[i], "--add-users") == 0) {
+ int j;
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: you need to be root to use this option\n");
+ exit(1);
+ }
+
+ for (j = i + 1; j < argc; j++) {
+ printf("Adding user %s to Firejail access database in %s/firejail.users\n", argv[j], SYSCONFDIR);
+ firejail_user_add(argv[j]);
+ }
+ return 0;
+ }
  else {
  fprintf(stderr, "Error: invalid command line option\n");
  usage();
@@ -353,7 +368,7 @@ int main(int argc, char **argv) {
 
 
 
- // switch to the local user, and fix desktop files
+ // user setup
  char *user = getlogin();
  if (!user) {
  user = getenv("SUDO_USER");
@@ -362,6 +377,13 @@ int main(int argc, char **argv) {
  }
  }
 
+ // add user to firejail access database
+ if (user) {
+ printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
+ firejail_user_add(user);
+ }
+
+ // switch to the local user, and fix desktop files
  if (user) {
  // find home directory
  struct passwd *pw = getpwnam(user);

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
@@ -2,11 +2,11 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
  $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firejail *.gcov *.gcda *.gcno
 

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -19,6 +19,7 @@
  */
 #include "firejail.h"
 #include "../include/pid.h"
+#include "../include/firejail_user.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
@@ -229,6 +230,15 @@ static void init_cfg(int argc, char **argv) {
  }
  cfg.cwd = getcwd(NULL, 0);
 
+ // chack user database
+ if (!firejail_user_check(cfg.username)) {
+ fprintf(stderr, "Error: the user is not allowed to use Firejail. "
+ "Please add the user in %s/firejail.users file, "
+ "either by running \"sudo firecfg\", or by editing the file directly."
+ "See \"man firejail-users\" for more details.\n", SYSCONFDIR);
+ exit(1);
+ }
+
  // initialize random number generator
  sandbox_pid = getpid();
  time_t t = time(NULL);
@@ -830,7 +840,6 @@ int main(int argc, char **argv) {
  int lockfd_directory = -1;
  int option_cgroup = 0;
  int custom_profile = 0; // custom profile loaded
- atexit(clear_atexit);
 
  // drop permissions by default and rise them when required
  EUID_INIT();
@@ -844,9 +853,11 @@ int main(int argc, char **argv) {
  if (check_arg(argc, argv, "--quiet", 1))
  arg_quiet = 1;
 
+ // cleanup at exit
+ EUID_ROOT();
+ atexit(clear_atexit);
 
  // build /run/firejail directory structure
- EUID_ROOT();
  preproc_build_firejail_dir();
  char *container_name = getenv("container");
  if (!container_name || strcmp(container_name, "firejail")) {

diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef FIREJAIL_USER_H
+#define FIREJAIL_USER_H
+
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name);
+
+// add a user to the database
+void firejail_user_add(const char *name);
+
+#endif
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+//
+// Firejail access database inplementation
+//
+// The database is a simple list of users allowed to run firejail SUID executable
+// It is usually stored in /etc/firejail/firejail.users
+// One username per line in the file
+
+#include "../include/common.h"
+#include <sys/types.h>
+#include <pwd.h>
+
+#define MAXBUF 4098
+static inline char *get_fname(void) {
+ char *fname;
+ if (asprintf(&fname, "%s/firejail.users", SYSCONFDIR) == -1)
+ errExit("asprintf");
+ return fname;
+}
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name) {
+ assert(name);
+
+ // root allowed by default
+ if (strcmp(name, "root") == 0)
+ return 1;
+
+ // check file existence
+ char *fname = get_fname();
+ if (access(fname, F_OK)) {
+ free(fname);
+ return 1; // assume the user doesn't care about access checking
+ }
+
+ FILE *fp = fopen(fname, "r");
+ free(fname);
+ if (!fp)
+ return 0;
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ // lines starting with # are comments
+ if (*buf == '#')
+ continue;
+
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // compare
+ if (strcmp(buf, name) == 0) {
+ fclose(fp);
+ return 1;
+ }
+ }
+
+ fclose(fp);
+ return 0;
+}
+
+// add a user to the database
+void firejail_user_add(const char *name) {
+ assert(name);
+
+ // is this a real user?
+ struct passwd *pw = getpwnam(name);
+ if (!pw) {
+ fprintf(stderr, "Error: user %s not found on this system.\n", name);
+ return;
+ }
+
+ // check the user is not already in the database
+ char *fname = get_fname();
+ assert(fname);
+ if (access(fname, F_OK) == 0) {
+ if (firejail_user_check(name)) {
+ printf("User %s already in the database\n", name);
+ return;
+ }
+ }
+
+ printf("%s created\n", fname);
+ FILE *fp = fopen(fname, "a+");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ perror("fopen");
+ free(fname);
+ return;
+ }
+ free(fname);
+
+ fprintf(fp, "%s\n", name);
+ fclose(fp);
+}