Feature Request: Logind conditional #4603
noroot-if-seat-acl and nogroups-if-seat-acl? Or, noroot and nogroups kick in only if seat-acl is present.
To me this sounds more useful than a conditional alone. And once facilities are in place, they could also be exposed in Edit to clarify: I was referring to something like #2042
@smitsohu Let's say fine-grained group control means something like
@topimiettinen Right. This kind of fine grained control (
@topimiettinen commented on Oct 14:
@smitsohu commented on Oct 14:
Considering If a program requires audio output (e.g.: mpv), would there be any downside in On distros that default to systemd/pulseaudio, are new users added to an audio Also, if there are more things needed to unblock (e.g.: specific device files) allow-audio.inc:
That is, adding Overriding the above (in e.g.: allow-audio.local) would also permit allowing
Note: There is currently no And if someone would like to avoid allowing any groups at all, then something
It doesn't make much sense to put You should just remove Adding more stuff to counteract existing stuff is counterproductive. We should remove lines instead. If we keep adding stuff without eliminating lines, we may end up with something like
What about
I think I like
The users would gain access to this GID, which they didn't have before. Then they could make setgid binaries to keep the rights after Firejail exits.
I don't think so. At least my user isn't a member in any audio or cdrom groups.
Nice idea, though I don't think giving access is necessary for logind distros. In my setup, pulseaudio is started from
This could work well if also coupled with the logind check, so users on distros with logind would not get extra permissions but others would get at least some groups automatically when needed. I think your
Are you personally using firejail in public multi-seat computers? Isn't In single-user computers, your scenario doesn't make sense.
Firejail doesn't have a feature similar to systemd's
The 'user' in the scenario could be also an attacker, who temporarily gains limited access using for example browser vulnerabilities or indirectly via an organization's shared network file system. We don't know well in advance what makes sense for all future attack scenarios and every little bit of extra security can help weaken the attacker's capabilities. There's no global switch 'security=on' which could block all possible attacks. Instead there are yet unknown weaknesses of various sizes which may lead to vulnerabilities and exploits, and attempts to make attackers' lives more difficult to counter the possibility of weaknesses.
For Convenience matters because
Even when `nogroups` is not used, avoid keeping the audio and video groups when `nosound` and `novideo` are used, respectively. Based on @rusty-snake's suggestion: netblue30#4603 (comment) Relates to netblue30#4603.
@rusty-snake commented on Oct 15:
I really like the mapping of the "no" options to groups; it seems like an So, considering the following extra groups from @rusty-snake's code:
Thoughts on adding them to the hardcoded "allowed groups" lists and dropping
@topimiettinen commented on Oct 15:
After looking at the code, I think that combining the above ideas would be
And it wouldn't really require any new command or option. So how about we do the following:
("always" above means "regardless of
Currently, the audio/video groups are only dropped if @crocket Can you think of any other group that could be needed? Maybe the lp Note: From what I've seen, using a variable like e.g.: Maybe there could be a Misc: I had written some more comments, but since I wrote some code related to
New options to consider with regard to
Existing options to consider with regard to
Other considerations:
Which groups would
I think it's intended to drop only the groups that are related to non-system From my testing, the option appears to be working correctly (at least by

```sh
$ firejail --quiet --noprofile --noroot \
  getent group | cut -f 3 -d : | tr '\n' '\000' | xargs -0 -I '{}' sh -c \
  "test '{}' -ge 1000 && printf '%s\n' '{}'"
65534
1000
```

The following commands output the same amount of groups inside and outside of

```sh
getent group | cut -f 3 -d : | tr '\n' '\000' | xargs -0 -I '{}' sh -c \
  "test '{}' -lt 1000 && printf '%s\n' '{}'" | wc -l
```

Man page doesn't say anything about that.
FTR: It blocks firejail/src/firejail/fs_dev.c, lines 81 to 91 in efbf74e
Currently, on systems that use seat managers that do not implement seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is used. This happens because without ACLs, access to the audio devices in /dev is controlled by the standard group permissions and the "audio" group is always dropped when `nogroups` is used. This patch makes the "audio" and "video" groups be dropped if and only if `noaudio` and `novideo` are in effect, respectively (and independently of `nogroups`). See netblue30#4603 and the linked issues/discussions for details. Note: This is a continuation of commit ea564eb ("Consider nosound and novideo when keeping groups") / PR netblue30#4632. Relates to netblue30#2042 and netblue30#4531.
Mappings of command -> group that this commit adds:

* no3d -> render
* noprinters -> lp
* nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3])
* noinput -> input

Mappings that were considered but that are not added:

* notv -> ? (unknown group)
* nou2f -> ? (devices are apparently owned by root; see netblue30#4603)

Based on @rusty-snake's suggestion: netblue30#4603 (comment) See the previous commit ("Keep audio and video groups regardless of nogroups") for details. Relates to netblue30#2042 and netblue30#4632.

[1] https://wiki.debian.org/SystemGroups
[2] https://api.gentoo.org/uid-gid.txt
[3] https://wiki.archlinux.org/title/Users_and_groups

Can this be considered fixed now?
Is your feature request related to a problem? Please describe.

(e)udev attaches the uaccess tag to devices. systemd-logind and elogind grant logged-in users rights to devices with the uaccess tag.

With logind, `noroot` and `nogroups` don't break device access. Without logind, `noroot` or `nogroups` may break device access. Some Linux distributions like Void Linux and Gentoo Linux allow users to replace logind with other seat managers like seatd.

Describe the solution you'd like

To support all Linux distributions and all seat managers without any manual user configuration, a logind conditional like `?SEAT-ACL` is desirable. Then, can be replaced with
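The issue above turns on how a user gets access to a device node: a named-user ACL entry planted by logind/elogind (survives `nogroups`) versus membership in the owning group (lost with `nogroups`, the seatd case). The following is an added example, not code from the firejail project or from anyone in this thread; it classifies constructed `getfacl`-style output so a profile author can predict which devices `nogroups` would break. The function name `classify_access`, the user `alice` and the ACL texts are assumptions.

```shell
#!/bin/sh
# Added example, not code from the firejail project or this issue thread.
# classify_access USER "GROUP1 GROUP2 ..." ACL_TEXT prints one of:
#   acl   -> a logind/elogind seat ACL (user:<name>:rw-) grants access;
#            dropping supplementary groups with `nogroups` does not affect it
#   group -> only membership in the owning group grants access;
#            `nogroups` would break the device (the seatd case)
#   none  -> neither mechanism grants access
classify_access() {
    user=$1
    groups=$2
    acl=$3
    # The seat manager adds a named-user entry; it only counts when the
    # ACL mask does not strip the rw bits again (no mask line = no limit).
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    if printf '%s\n' "$acl" | grep -q "^user:$user:rw" && [ "${mask:-rw-}" != "---" ]; then
        echo acl
        return 0
    fi
    # Fall back to classic group permissions on the device node.
    owning_group=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    group_perms=$(printf '%s\n' "$acl" | sed -n 's/^group::\([rwx-]*\).*/\1/p')
    for g in $groups; do
        if [ "$g" = "$owning_group" ] && [ "$group_perms" != "---" ]; then
            echo group
            return 0
        fi
    done
    echo none
}

# Constructed sample: a sound device on a logind host (seat ACL present).
ACL_LOGIND='# file: dev/snd/pcmC0D0p
# owner: root
# group: audio
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---'

# Constructed sample: the same device on a seatd host (no named-user entry).
ACL_SEATD='# file: dev/snd/pcmC0D0p
# owner: root
# group: audio
user::rw-
group::rw-
other::---'

classify_access alice "audio video" "$ACL_LOGIND"   # prints: acl
classify_access alice "audio video" "$ACL_SEATD"    # prints: group
classify_access alice "video" "$ACL_SEATD"          # prints: none
```

On a real host the ACL text comes from `getfacl /dev/snd/pcmC0D0p` and the group list from `id -Gn`; any device classified `group` is one that `nogroups` will cut off unless the matching group is kept.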