allow system users to run the sandbox

netblue30 · Aug 26, 2018 · 95deecf · 95deecf
1 parent fc7a950
commit 95deecf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 10 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -5,6 +5,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile
  time or at run time
+ * modif: allow system users to run the sandbox
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
@@ -13,7 +14,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
- * support for local user directories in firecfg
+ * support for local user directories in firecfg (--bindir)
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,

diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
@@ -107,10 +107,8 @@ int firejail_user_check(const char *name) {
  if (strcmp(name, "root") == 0)
  return 1;
 
- // other system users will run the program as is
- uid_t uid = getuid();
- assert(uid_min > 0);
- if (((int) uid < uid_min && uid != 0) || strcmp(name, "nobody") == 0)
+ // user nobody is never allowed
+ if (strcmp(name, "root") == 0)
  return 0;
 
  // check file existence
@@ -155,7 +153,7 @@ void firejail_user_add(const char *name) {
  struct passwd *pw = getpwnam(name);
  if (!pw) {
  fprintf(stderr, "Error: user %s not found on this system.\n", name);
- return;
+ exit(1);
  }
 
  // check the user is not already in the database

diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+root user is allowed by default, user nobody is never allowed.
 
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
 
+If the file is not present in the system, all users are allowed to use the sandbox.
+
 Example:
 
  $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 
 See \fBman 1 firecfg\fR for details.
 
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+ # addgroup firejail
+.br
+ # chown root:firejail /usr/bin/firejail
+.br
+ # chmod 4750 /usr/bin/firejail
+
+
 .SH FILES
 /etc/firejail/firejail.users
 
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO