Package: firejail
Version: 0.9.54-1
Severity: important

Dear Maintainer,

not able to use firejail after updating to 0.9.54-1 due to new check for UID_MIN. My user is a system user with UID 256.

Firejail should not ignore users defined in the users database /etc/firejail/firejail.users even if they have uid lower than UID_MIN (defined in /etc/login.defs on a buildd!)

Please see the attached patch which simply places the check for UID_MIN to the very end of firejail_user_check().

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.12-4
ii  libc6         2.27-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.54-1
ii  iptables           1.6.2-1
ii  xauth              1:1.0.10-1
ii  xvfb               2:1.19.6-1

firejail suggests no packages.

-- no debconf information

Description: check_for_system_users_at_the_very_end_of_firejail_user_check() Firejail should not ignore users defined in the users database /etc/firejail/firejail.users even if they have uid lower that UID_MIN. Origin: <ames...@rsh2.donotuse.de> Last-Update: 2018-05-29 --- firejail-0.9.54.orig/src/lib/firejail_user.c +++ firejail-0.9.54/src/lib/firejail_user.c @@ -46,11 +46,6 @@ int firejail_user_check(const char *name if (strcmp(name, "root") == 0) return 1; - // other system users will run the program as is - uid_t uid = getuid(); - if ((uid < UID_MIN && uid != 0) || strcmp(name, "nobody") == 0) - return 0; - // check file existence char *fname = get_fname(); if (access(fname, F_OK)) { @@ -83,6 +78,11 @@ int firejail_user_check(const char *name fclose(fp); return 0; + + // other system users will run the program as is + uid_t uid = getuid(); + if ((uid < UID_MIN && uid != 0) || strcmp(name, "nobody") == 0) + return 0; } // add a user to the database
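
Review bot: In the second hunk (`@@ -83,6 +78,11 @@`) the relocated UID_MIN check is added directly after `fclose(fp); return 0;`, so it can never execute, and even if it were reachable it would only return 0 at a point where the function already returns 0. The net effect of the patch is therefore to delete the check rather than move it to the end, which does not match the Description. If deletion is intended, drop the five added lines and state that in the Description; if system users that are not listed in the database must still be handled separately, the test has to sit before the final `return 0;` and lead to a different outcome than the fall-through.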
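
Review bot: Removing the early return in the first hunk (`@@ -46,11 +46,6 @@`) also drops the `strcmp(name, "nobody") == 0` case and lets every UID below UID_MIN reach the `if (access(fname, F_OK))` branch, whose body is not visible in this hunk. Please confirm what that branch returns when the database file is missing: if it admits the caller, system users and `nobody` would now be admitted on hosts without /etc/firejail/firejail.users, which the old check prevented. Keeping the `nobody` test at the top and applying the UID_MIN test only where the database lookup finds no match would fix the reported case for listed system users without widening that path.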