
Yet another --private-etc symlink issue, with /etc/alternatives/ #5378

Closed
3 of 7 tasks
JulienPalard opened this issue Sep 23, 2022 · 2 comments · Fixed by #5957
Comments

@JulienPalard

Description

Depending on how I set --private-etc, /etc/alternatives/cc is sometimes a symlink, sometimes a copy:

Steps to Reproduce

If I whitelist /etc/alternatives/cc alone, I get a copy of cc instead of its symlink:

$ ls -lah /etc/alternatives/cc
lrwxrwxrwx 1 root root 12 Oct 14  2019 /etc/alternatives/cc -> /usr/bin/gcc
$ firejail --quiet --private-etc=alternatives/cc ls -lah /etc/alternatives/cc
-rwxr-xr-x 1 65534 65534 1.3M Sep 23 12:22 /etc/alternatives/cc

Which is bad (cc is not happy to be here). On the other hand, if I just whitelist the whole alternatives directory:

$ firejail --quiet --private-etc=alternatives ls -lah /etc/alternatives/cc
Error fcopy: size limit of 500 MB reached
lrwxrwxrwx 1 65534 65534 32 Sep 23 12:22 /etc/alternatives/cc -> /usr/bin/x86_64-linux-gnu-gcc-12

this time /etc/alternatives/cc is a symlink (and cc is happy). But fcopy whines about a 500MB limit being reached, which is probably wrong as /etc/alternatives only contains symlinks:

$ du -sh /etc/
4.0K	/etc/

Expected behavior

I know that symlinks are a security issue magnet, so I may be missing something obvious, but as there's already a way to have the symlink I quickly thought "what about the other way also giving a symlink?".

Environment

  • Debian testing (bookworm)
  • Firejail 0.9.70

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
@gerasiov
Contributor

The problem is in the logic used for size calculation: for symlinks fcopy looks at target file, not at the symlink itself.

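The distinction gerasiov describes, as an added example (this is not firejail's fcopy code): stat() follows a symlink and reports the target's size, lstat() reports the link itself. It builds a constructed fixture (a sparse 1 MiB file and a symlink to it, under /tmp, an assumption) and measures the link both ways.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Size attributed to `path` when the link is followed: stat() resolves a
 * symlink and reports the target's size, which is what inflates a total
 * when a directory of symlinks is summed this way. */
long long size_following_links(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long long)st.st_size : -1;
}

/* Size of the directory entry itself: lstat() does not follow symlinks, so a
 * link only counts the bytes of its target string. */
long long size_of_entry(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (long long)st.st_size : -1;
}

/* Constructed fixture: a sparse 1 MiB file <dir>/big and a symlink <dir>/cc
 * pointing at it, in a fresh temporary directory under /tmp (assumption).
 * Measures the symlink one way or the other, cleans up, and returns the
 * measured size, or -1 on any failure. */
long long fixture_link_size(int follow_link) {
    char dir[] = "/tmp/altXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char big[64], link[64];
    snprintf(big, sizeof big, "%s/big", dir);
    snprintf(link, sizeof link, "%s/cc", dir);
    long long result = -1;
    int fd = open(big, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd >= 0 && ftruncate(fd, 1 << 20) == 0 && symlink(big, link) == 0)
        result = follow_link ? size_following_links(link) : size_of_entry(link);
    if (fd >= 0) close(fd);
    unlink(link);
    unlink(big);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("stat():  %lld bytes\n", fixture_link_size(1)); /* 1048576 */
    printf("lstat(): %lld bytes\n", fixture_link_size(0)); /* 18 */
    return 0;
}
```

The lstat() figure is just the length of the target path string, which is why du reports a directory full of symlinks as a few KiB.
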
@glitsj16
Collaborator

Yet another... FYI, there have been quite a few PRs marked as drafts due to the private-etc refactoring. Most important IMO is #5645. Somewhere along the line this should be decided upon. IMO best before the next release.

Just my $ 0.02
