From e2483cbe787a473b9aaa0bb6f40e4c438f4ee440 Mon Sep 17 00:00:00 2001
From: Dmitry Chestnykh
Date: Mon, 13 Nov 2023 15:13:47 +0300
Subject: [PATCH] Lookup xauth in PATH. Don't use hardcoded `/usr/bin/xauth`, iterate over directories inside PATH instead. This fixes https://github.com/netblue30/firejail/issues/6006
---
 src/firejail/fs_lib2.c | 6 +++++-
 src/firejail/x11.c | 28 ++++++++++++++++++----------
 2 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 583888e0e40..b43c36c1a71 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 // bring in xauth libraries
+
+ char *xauth_bin = find_in_path("xauth");
 if (arg_x11_xorg)
- fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+ fslib_mount_libs(xauth_bin, 1); // parse as user
+
+ free(xauth_bin);
 fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2eaa9bde5e4..0366790c910 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
-
 void x11_xorg(void) {
 #ifdef HAVE_X11
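Review bot: `find_in_path("xauth")` can return NULL (the x11.c part of this patch tests for exactly that), but in fslib_install_firejail the result is passed straight to `fslib_mount_libs(xauth_bin, 1)` whenever `arg_x11_xorg` is set. Whether an earlier code path has already exited on a missing xauth is not visible from this hunk, so a local guard is safer than relying on call order: `if (arg_x11_xorg && xauth_bin)`. The PATH walk also runs when `arg_x11_xorg` is unset; moving the `find_in_path` call and the matching `free(xauth_bin)` inside the branch would avoid resolving a caller-influenced path when it is not needed. The function body starts above the hunk.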
@@ -1175,32 +1174,41 @@ void x11_xorg(void) { exit(1); } + char *xauth_bin = find_in_path("xauth"); + // check xauth utility is present in the system - struct stat s; - if (stat("/usr/bin/xauth", &s) == -1) { - fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"); + if (!xauth_bin) { + fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); exit(1); } + + struct stat s; + if (stat(xauth_bin, &s) == -1) { + fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno)); + exit(1); + } if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { - fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); + fprintf(stderr, "Error: invalid %s executable\n", xauth_bin); exit(1); } if (s.st_size > 1024 * 1024) { - fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n"); + fprintf(stderr, "Error: %s executable is too large\n", xauth_bin); exit(1); } - // copy /usr/bin/xauth in the sandbox and set mode to 0711 + // copy xauth in the sandbox and set mode to 0711 // users are not able to trace the running xauth this way if (arg_debug) - printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE); - if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) { - fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n"); + printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE); + if (copy_file(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711)) { + fprintf(stderr, "Error: cannot copy %s executable\n", xauth_bin); exit(1); } + free(xauth_bin); + fmessage("Generating a new .Xauthority file\n"); mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
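Review bot: The ownership, mode and size checks in x11_xorg now vet a path taken from the caller's PATH, and `stat(xauth_bin, &s)` and `copy_file(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711)` each resolve that path independently. With `/usr/bin/xauth` every path component was root-controlled; a PATH entry can be a user-writable directory, where the name may be repointed between the check and the copy, and because stat() follows symlinks the test accepts whatever root-owned file of at most 1 MiB an entry named xauth points to. Whether `find_in_path` or `copy_file` already constrain this (privilege drop, directory checks) is not visible in this hunk, so it should be confirmed before merging. I would either search a fixed list of system directories for this copy, or resolve the name once with `realpath()` and reject the result unless its containing directory is root-owned and not group- or other-writable. x11_xorg starts above and continues below the hunk.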