From 21570a736b9209b9c70684f865895a4ce47f1134 Mon Sep 17 00:00:00 2001 From: Dmitry Chestnykh Date: Mon, 13 Nov 2023 15:13:47 +0300 Subject: [PATCH] Lookup xauth in PATH. Don't use hardcoded `/usr/bin/xauth`, iterate over directories inside PATH instead. --- RELNOTES | 2 +- src/firejail/fs_lib2.c | 2 +- src/firejail/x11.c | 28 ++++++++++++++++++---------- src/include/common.h | 1 + src/lib/common.c | 22 ++++++++++++++++++++++ 5 files changed, 43 insertions(+), 12 deletions(-) diff --git a/RELNOTES b/RELNOTES index b81ae74c4ed..85ab3dea9ce 100644 --- a/RELNOTES +++ b/RELNOTES @@ -717,7 +717,7 @@ firejail (0.9.46) baseline; urgency=low firejail (0.9.44.10) baseline; urgency=low * security: when using --x11=xorg and --net, incorrect processing of - the return code of /usr/bin/xauth could end up in starting the + the return code of xauth could end up in starting the sandbox without X11 security extension installed. Problem found/fixed by Zack Weinberg * bugfix: ~/.pki directory whitelisted and later blacklisted. This affects diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index 583888e0e40..d2ab0d4f939 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c @@ -167,7 +167,7 @@ void fslib_install_firejail(void) { // bring in xauth libraries if (arg_x11_xorg) - fslib_mount_libs("/usr/bin/xauth", 1); // parse as user + fslib_mount_libs(lookup_executable("xauth"), 1); // parse as user fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); } diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2eaa9bde5e4..b851b2d16ab 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) { } #endif - void x11_xorg(void) { #ifdef HAVE_X11 @@ -1175,32 +1174,41 @@ void x11_xorg(void) { exit(1); } + char *xauth_bin = lookup_executable("xauth"); + // check xauth utility is present in the system - struct stat s; - if (stat("/usr/bin/xauth", &s) == -1) { - fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"); + if (!xauth_bin) { + fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); exit(1); } + + struct stat s; + if (stat(xauth_bin, &s) == -1) { + fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno)); + exit(1); + } if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { - fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); + fprintf(stderr, "Error: invalid %s executable\n", xauth_bin); exit(1); } if (s.st_size > 1024 * 1024) { - fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n"); + fprintf(stderr, "Error: %s executable is too large\n", xauth_bin); exit(1); } - // copy /usr/bin/xauth in the sandbox and set mode to 0711 + // copy xauth in the sandbox and set mode to 0711 // users are not able to trace the running xauth this way if (arg_debug) - printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE); - if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) { - fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n"); + printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE); + if (copy_file(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711)) { + fprintf(stderr, "Error: cannot copy %s executable\n", xauth_bin); exit(1); } + free(xauth_bin); + fmessage("Generating a new .Xauthority file\n"); mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR diff --git a/src/include/common.h b/src/include/common.h index 4a2b8c1bfbc..c16ed22ffaf 100644 --- a/src/include/common.h +++ b/src/include/common.h @@ -159,4 +159,5 @@ void reject_meta_chars(const char *fname, int globbing); void warn_dumpable(void); const char *gnu_basename(const char *path); int *str_to_int_array(const char *str, size_t *sz); +char *lookup_executable(const char *exe_name); #endif diff --git a/src/lib/common.c b/src/lib/common.c index eee19c731b4..7b3b4945900 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -591,3 +591,25 @@ float timetrace_end(void) { free(t); return rv; } + +char *lookup_executable(const char *exe_name) { + char *path_dir; + char *exe_bin_path; + + char *path = getenv("PATH"); + if (path == NULL) + return NULL; + + path_dir = strtok(path, ":"); + while (path_dir != NULL) { + if (asprintf(&exe_bin_path, "%s/%s", path_dir, exe_name) == -1) + errExit("asprintf"); + + if (access(exe_bin_path, X_OK) == 0) + return exe_bin_path; + + free(exe_bin_path); + path_dir = strtok(NULL, ":"); + } + return NULL; +}