Skip to content

Commit

Permalink
Lookup xauth in PATH.
Browse files Browse the repository at this point in the history
Don't use hardcoded `/usr/bin/xauth`,
iterate over directories inside PATH instead.

This fixes #6006
  • Loading branch information
chestnykh committed Nov 17, 2023
1 parent 6442450 commit e2483cb
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 11 deletions.
6 changes: 5 additions & 1 deletion src/firejail/fs_lib2.c
Original file line number Diff line number Diff line change
Expand Up @@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user

// bring in xauth libraries

char *xauth_bin = find_in_path("xauth");
if (arg_x11_xorg)
fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
fslib_mount_libs(xauth_bin, 1); // parse as user

free(xauth_bin);

fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
}
Expand Down
28 changes: 18 additions & 10 deletions src/firejail/x11.c
Original file line number Diff line number Diff line change
Expand Up @@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
}
#endif


void x11_xorg(void) {
#ifdef HAVE_X11

Expand All @@ -1175,32 +1174,41 @@ void x11_xorg(void) {
exit(1);
}

char *xauth_bin = find_in_path("xauth");

// check xauth utility is present in the system
struct stat s;
if (stat("/usr/bin/xauth", &s) == -1) {
fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
if (!xauth_bin) {
fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n");
fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n");
exit(1);
}

struct stat s;
if (stat(xauth_bin, &s) == -1) {
fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
exit(1);
}
if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
exit(1);
}
if (s.st_size > 1024 * 1024) {
fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
exit(1);
}
// copy /usr/bin/xauth in the sandbox and set mode to 0711
// copy xauth in the sandbox and set mode to 0711
// users are not able to trace the running xauth this way
if (arg_debug)
printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
if (copy_file(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711)) {
fprintf(stderr, "Error: cannot copy %s executable\n", xauth_bin);
exit(1);
}

free(xauth_bin);

fmessage("Generating a new .Xauthority file\n");
mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
// create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
Expand Down

0 comments on commit e2483cb

Please sign in to comment.