Package: firejail
Version: 0.9.54-1
Severity: important

Dear Maintainer,

not able to use firejail after updating to 0.9.54-1 due to new check for
UID_MIN. My user is a system user with UID 256.

Firejail should not ignore users defined in the users database
/etc/firejail/firejail.users even if they have uid lower than UID_MIN
(defined in /etc/login.defs on a buildd!)

Please see the attached patch which simply places the check for UID_MIN
to the very end of firejail_user_check().


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.12-4
ii  libc6         2.27-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.54-1
ii  iptables           1.6.2-1
ii  xauth              1:1.0.10-1
ii  xvfb               2:1.19.6-1

firejail suggests no packages.

-- no debconf information
Description: check_for_system_users_at_the_very_end_of_firejail_user_check()
 Firejail should not ignore users defined in the users database
 /etc/firejail/firejail.users even if they have uid lower than UID_MIN.
Origin: <ames...@rsh2.donotuse.de>
Last-Update: 2018-05-29

--- firejail-0.9.54.orig/src/lib/firejail_user.c
+++ firejail-0.9.54/src/lib/firejail_user.c
@@ -46,11 +46,6 @@ int firejail_user_check(const char *name
 	if (strcmp(name, "root") == 0)
 		return 1;
 
-	// other system users will run the program as is
-	uid_t uid = getuid();
-	if ((uid < UID_MIN && uid != 0) || strcmp(name, "nobody") == 0)
-		return 0;
-
 	// check file existence
 	char *fname = get_fname();
 	if (access(fname, F_OK)) {
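Review bot: removing the early return at the top of firejail_user_check() means callers with uid < UID_MIN, and the name "nobody", now fall through to the access(fname, F_OK) branch and the database lookup instead of getting 0 immediately. The body of that access() failure branch is not visible in this hunk; please confirm what it returns when the users file is absent, because that result now applies to system users and "nobody" too. If "nobody" must stay denied regardless of what the database contains, keep the strcmp(name, "nobody") test here and relocate only the UID_MIN comparison.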
@@ -83,6 +78,11 @@ int firejail_user_check(const char *name
 
 	fclose(fp);
 	return 0;
+
+	// other system users will run the program as is
+	uid_t uid = getuid();
+	if ((uid < UID_MIN && uid != 0) || strcmp(name, "nobody") == 0)
+		return 0;
 }
 
 // add a user to the database
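Review bot: the block added after "return 0;" at the end of firejail_user_check() is unreachable, so the UID_MIN and "nobody" checks are effectively deleted rather than moved to the end as the description says. Even if the block were reachable, its only outcome is another "return 0", and the function would then end without a return value when the condition is false. Either drop these added lines and say in the description that the checks are removed, or put whatever must remain (for example the "nobody" test) ahead of the "fclose(fp); return 0;" path so it actually runs.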
