fcopy: Failure to copy file when uid != root

[miszr]

Isssue #1243 still exists.

My system is configured with systemd-networkd and systemd-resolved.

The file /etc/resolv.conf is symlinked to /run/systemd/resolve/resolv.conf with the following permissions:
-rw-r--r-- systemd-resolve systemd-resolve /run/systemd/resolve/resolv.conf

So the file is world readable, but fcopy still refuses to copy it.

The issue is that fcopy only checks the uid of the file, not respecting the actual permissions set on it.

An example where this would fail terribly is if a file owner had no permissions.

To reproduce:

1. Create a file with a certain owner that is not root.
2. Run fcopy as root and try to copy that file.

[ranisalt]

I can reproduce too, I have the same setup with systemd-resolved.

[netblue30]

I put a fix in for issue: #1547

I think is the same problem, /run/systemd/resolve/resolv.conf was blacklisted in /etc/firejail/disable-common.inc. Give it a try, thanks.

[miszr]

No, #1547 is a different issue.

I corrected mine a while back using noblacklist /var/run/systemd in /etc/firejail/globals.local

[netblue30]

Sorry, actualy I removed /var/run/systemd from disable-common.inc, not /run/systemd/resolve/resolv.conf. The fix is in git.

[miszr]

This issue is NOT resolved.

The problem is using fcopy to copy a world readable file but where the owner is not the current user.
Since firejail is using SUID to get root, the current user is root.

None of the above mentioned fixes are affecting the problem.

[eomanis]

This problem is currently preventing me from launching Steam, which I have set up to be launched in a --private= home dir.

[myuser@mysystem ~]$ ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 32 15. Sep 21:51 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
[myuser@mysystem ~]$ ls -la /run/systemd/resolve/resolv.conf 
-rw-r--r-- 1 systemd-resolve systemd-resolve 536 15. Sep 14:36 /run/systemd/resolve/resolv.conf

Launching Steam:

[myuser@mysystem Steam]$ /usr/bin/firejail --profile=/etc/firejail/steam.profile --private="/home/myuser/sandboxes/Steam" -- /usr/bin/steam-runtime
Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /home/myuser/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: noroot option is not available
Parent pid 26240, child pid 26241
Error fcopy: invalid file /etc/resolv.conf
Error: failed to run /usr/lib/firejail/fcopy
Error: proc 26240 cannot sync with peer: unexpected EOF
Peer 26241 unexpectedly exited with status 1

When I copy /run/systemd/resolve/resolv.conf to /etc/resolv.conf it works again, possibly because then it belongs to root:root.

[ranisalt]

This is giving me more issues with other apps that can't copy the resolv.conf link. The apps fail to resolve any DNS address.

[netblue30]

I have a fix in, give it a try. I'll reopen it if necessary, thanks.

[miszr]

The solution does work. However I do think the solution is overly specific.

The fundamental solution should be allowing world-readable files to be copied. Not allowing a specific file to be copied.

That the issue occurred with systemd-resolved is just one case.

[ranisalt]

It didn't work for me, apps firejailed still can't resolve DNS. I recreated the links with firecfg.

[primeroz]

I am still having this issue with resolv.conf -> /run/systemd/....

is this supposed to be fixed ?

[solsticedhiver]

while using firejail and transmission for a while, this bug has just poop-up on my rpi3 system, for no reason ?