@@ -19,6 +19,7 @@ | |
*/ | ||
|
||
#include "firecfg.h" | ||
#include "../include/firejail_user.h" | ||
int arg_debug = 0; | ||
|
||
static char *usage_str = | ||
|
@@ -29,6 +30,7 @@ static char *usage_str = | |
"The symbolic links are placed in /usr/local/bin. For more information, see\n" | ||
"DESKTOP INTEGRATION section in man 1 firejail.\n\n" | ||
"Usage: firecfg [OPTIONS]\n\n" | ||
" --add-users user [user] - add the users to Firejail access database\n" | ||
Fred-Barclay
Collaborator
|
||
" --clean - remove all firejail symbolic links.\n\n" | ||
" --debug - print debug messages.\n\n" | ||
" --fix - fix .desktop files.\n\n" | ||
|
@@ -315,6 +317,19 @@ int main(int argc, char **argv) { | |
sound(); | ||
return 0; | ||
} | ||
else if (strcmp(argv[i], "--add-users") == 0) { | ||
int j; | ||
if (getuid() != 0) { | ||
fprintf(stderr, "Error: you need to be root to use this option\n"); | ||
exit(1); | ||
} | ||
|
||
for (j = i + 1; j < argc; j++) { | ||
printf("Adding user %s to Firejail access database in %s/firejail.users\n", argv[j], SYSCONFDIR); | ||
firejail_user_add(argv[j]); | ||
} | ||
return 0; | ||
} | ||
else { | ||
fprintf(stderr, "Error: invalid command line option\n"); | ||
usage(); | ||
|
@@ -353,7 +368,7 @@ int main(int argc, char **argv) { | |
|
||
|
||
|
||
// switch to the local user, and fix desktop files | ||
// user setup | ||
char *user = getlogin(); | ||
if (!user) { | ||
user = getenv("SUDO_USER"); | ||
|
@@ -362,6 +377,13 @@ int main(int argc, char **argv) { | |
} | ||
} | ||
|
||
// add user to firejail access database | ||
if (user) { | ||
printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | ||
firejail_user_add(user); | ||
} | ||
|
||
// switch to the local user, and fix desktop files | ||
if (user) { | ||
// find home directory | ||
struct passwd *pw = getpwnam(user); | ||
|
@@ -0,0 +1,30 @@ | ||
/* | ||
* Copyright (C) 2014-2018 Firejail Authors | ||
* | ||
* This file is part of firejail project | ||
* | ||
* This program is free software; you can redistribute it and/or modify | ||
* it under the terms of the GNU General Public License as published by | ||
* the Free Software Foundation; either version 2 of the License, or | ||
* (at your option) any later version. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU General Public License along | ||
* with this program; if not, write to the Free Software Foundation, Inc., | ||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
*/ | ||
#ifndef FIREJAIL_USER_H | ||
#define FIREJAIL_USER_H | ||
|
||
|
||
// returns 1 if the user is found in the database or if the database was not created | ||
int firejail_user_check(const char *name); | ||
|
||
// add a user to the database | ||
void firejail_user_add(const char *name); | ||
|
||
#endif |
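Review bot: The comment on firejail_user_check() understates its contract: the implementation also returns 1 unconditionally for "root" and returns 0 when the database exists but cannot be opened, which callers in the SUID binary need to know to reason about the fail-open versus deny cases. I would extend it to `// returns 1 if name is "root", if the database does not exist, or if name is listed in it; returns 0 if the database exists but cannot be read or name is absent`. The comment on firejail_user_add() should likewise say that it reports failures (unknown user, unwritable database) only on stderr and gives the caller no return value to check.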
@@ -0,0 +1,115 @@ | ||
/* | ||
* Copyright (C) 2014-2018 Firejail Authors | ||
* | ||
* This file is part of firejail project | ||
* | ||
* This program is free software; you can redistribute it and/or modify | ||
* it under the terms of the GNU General Public License as published by | ||
* the Free Software Foundation; either version 2 of the License, or | ||
* (at your option) any later version. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU General Public License along | ||
* with this program; if not, write to the Free Software Foundation, Inc., | ||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
*/ | ||
|
||
// | ||
// Firejail access database inplementation | ||
// | ||
// The database is a simple list of users allowed to run firejail SUID executable | ||
// It is usually stored in /etc/firejail/firejail.users | ||
// One username per line in the file | ||
|
||
#include "../include/common.h" | ||
#include <sys/types.h> | ||
#include <pwd.h> | ||
|
||
#define MAXBUF 4098 | ||
static inline char *get_fname(void) { | ||
char *fname; | ||
if (asprintf(&fname, "%s/firejail.users", SYSCONFDIR) == -1) | ||
errExit("asprintf"); | ||
return fname; | ||
} | ||
|
||
// returns 1 if the user is found in the database or if the database was not created | ||
int firejail_user_check(const char *name) { | ||
assert(name); | ||
|
||
// root allowed by default | ||
if (strcmp(name, "root") == 0) | ||
return 1; | ||
|
||
// check file existence | ||
char *fname = get_fname(); | ||
if (access(fname, F_OK)) { | ||
free(fname); | ||
return 1; // assume the user doesn't care about access checking | ||
} | ||
|
||
FILE *fp = fopen(fname, "r"); | ||
free(fname); | ||
if (!fp) | ||
return 0; | ||
|
||
char buf[MAXBUF]; | ||
while (fgets(buf, MAXBUF, fp)) { | ||
// lines starting with # are comments | ||
if (*buf == '#') | ||
continue; | ||
|
||
// remove \n | ||
char *ptr = strchr(buf, '\n'); | ||
if (ptr) | ||
*ptr = '\0'; | ||
|
||
// compare | ||
if (strcmp(buf, name) == 0) { | ||
fclose(fp); | ||
return 1; | ||
} | ||
} | ||
|
||
fclose(fp); | ||
return 0; | ||
} | ||
|
||
// add a user to the database | ||
void firejail_user_add(const char *name) { | ||
assert(name); | ||
|
||
// is this a real user? | ||
struct passwd *pw = getpwnam(name); | ||
if (!pw) { | ||
fprintf(stderr, "Error: user %s not found on this system.\n", name); | ||
return; | ||
} | ||
|
||
// check the user is not already in the database | ||
char *fname = get_fname(); | ||
assert(fname); | ||
if (access(fname, F_OK) == 0) { | ||
if (firejail_user_check(name)) { | ||
printf("User %s already in the database\n", name); | ||
return; | ||
} | ||
} | ||
|
||
printf("%s created\n", fname); | ||
FILE *fp = fopen(fname, "a+"); | ||
if (!fp) { | ||
fprintf(stderr, "Error: cannot open %s\n", fname); | ||
perror("fopen"); | ||
free(fname); | ||
return; | ||
} | ||
free(fname); | ||
|
||
fprintf(fp, "%s\n", name); | ||
fclose(fp); | ||
} |
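Review bot: firejail_user_add() leaks fname on the "already in the database" return and prints "%s created" before fopen() and even when the file already existed, and the fprintf()/fclose() results are ignored, so a short write to the access list goes unreported. The `assert(fname)` after get_fname() is also dead, since get_fname() exits via errExit() on failure. In firejail_user_check(), a line longer than MAXBUF-1 bytes is returned by fgets() in pieces and each piece is compared as a username, and a trailing '\r' is not stripped; skipping the remainder of an over-long line with a small loop would close that gap. The rewrite below frees fname on every path, prints "created" only when the file was actually new, and reports write failures.

```c
void firejail_user_add(const char *name) {
	// … unchanged: assert(name) and the getpwnam() lookup …

	char *fname = get_fname();
	int existed = (access(fname, F_OK) == 0);
	if (existed && firejail_user_check(name)) {
		printf("User %s already in the database\n", name);
		free(fname);
		return;
	}

	FILE *fp = fopen(fname, "a+");
	if (!fp) {
		fprintf(stderr, "Error: cannot open %s\n", fname);
		perror("fopen");
		free(fname);
		return;
	}
	if (!existed)
		printf("%s created\n", fname);
	free(fname);

	// a failed or short write would otherwise leave the access list silently unchanged
	if (fprintf(fp, "%s\n", name) < 0 || fclose(fp) != 0)
		perror("Error: cannot write firejail.users");
}
```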
@netblue30 minor nit-pick: `--add-user` instead of `--add-users`? Because it's used for adding single users.