fixes

src/firejail/firejail.h

@@ -369,6 +369,7 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
+uid_t get_tty_gid(void);
 
 // fs_var.c
 void fs_var_log(void);	// mounting /var/log

src/firejail/fs_dev.c

@@ -178,9 +178,21 @@ void fs_private_dev(void){
 	create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
 	fs_logger("mknod /dev/pts/ptmx");
 	create_link("/dev/pts/ptmx", "/dev/ptmx");
+
+// code before github issue #351
 	// mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts
-	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  "newinstance,ptmxmode=0666") < 0)
+//	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  "newinstance,ptmxmode=0666") < 0)
+//		errExit("mounting /dev/pts");
+
+
+	// mount /dev/pts
+	gid_t ttygid = get_tty_gid();
+	char *data;
+	if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
+		errExit("asprintf");
+	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  data) < 0)
 		errExit("mounting /dev/pts");
+	free(data);
 	fs_logger("clone /dev/pts");
 
 #if 0

src/firejail/ls.c

@@ -255,6 +255,12 @@ void ls(pid_t pid, const char *path) {
 		exit(1);
 	}
 
+	// access chek is performed with the real UID
+	if (access(fname, R_OK) == -1) {
+		fprintf(stderr, "Error: Cannot access file %s\n", fname);
+		exit(1);
+	}
+
 	// list directory contents
 	struct stat s;
 	if (stat(fname, &s) == -1) {

src/firejail/main.c

@@ -1746,8 +1746,15 @@ int main(int argc, char **argv) {
 	 	if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
 	 		errExit("asprintf");
 	 	gid_t gid = getgid();
-	 	if (asprintf(&map, "%d %d 1", gid, gid) == -1)
-	 		errExit("asprintf");
+	 	gid_t ttygid = get_tty_gid();
+	 	if (ttygid == 0)  {
+		 	if (asprintf(&map, "%d %d 1", gid, gid) == -1)
+		 		errExit("asprintf");
+		}
+		else {
+			if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1)
+				errExit("asprintf");
+		}
  		EUID_ROOT();
 	 	update_map(map, map_path);
 	 	EUID_USER();

src/firejail/util.c

@@ -629,3 +629,13 @@ void invalid_filename(const char *fname) {
 		exit(1);
 	}
 }
+
+uid_t get_tty_gid(void) {
+	// find tty group id
+	gid_t ttygid = 0;
+	struct group *g = getgrnam("tty");
+	if (g)
+		ttygid = g->gr_gid;
+
+	return ttygid;
+}

test/test.sh

@@ -9,6 +9,9 @@
 echo "TESTING: nice (nice.exp)"
 ./nice.exp
 
+echo "TESTING: tty (tty.exp)"
+./tty.exp
+
 echo "TESTING: protocol (protocol.exp)"
 ./protocol.exp
 

test/tty.exp

@@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Child process initialized"
+}
+sleep 2
+send -- "xterm &\r"
+sleep 2
+send -- "urxvt &\r"
+sleep 2
+send -- "rxvt &\r"
+sleep 2
+
+send -- "ps aux\r"
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"USER"
+}
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"xterm"
+}
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"urxvt"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"rxvt"
+}
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"ps aux"
+}
+
+send -- "pkill xterm\r"
+sleep 1
+send -- "pkill urxvt\r"
+sleep 1
+send -- "pkill rxvt\r"
+sleep 1
+send -- "exit\r"
+sleep 2
+
+
+send -- "firejail --private-dev\r"
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"Child process initialized"
+}
+sleep 2
+send -- "xterm &\r"
+sleep 2
+send -- "urxvt &\r"
+sleep 2
+send -- "rxvt &\r"
+sleep 2
+
+send -- "ps aux\r"
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"USER"
+}
+expect {
+	timeout {puts "TESTING ERROR 12\n";exit}
+	"xterm"
+}
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"urxvt"
+}
+expect {
+	timeout {puts "TESTING ERROR 14\n";exit}
+	"rxvt"
+}
+expect {
+	timeout {puts "TESTING ERROR 15\n";exit}
+	"ps aux"
+}
+
+send -- "pkill xterm\r"
+sleep 1
+send -- "pkill urxvt\r"
+sleep 1
+send -- "pkill rxvt\r"
+sleep 1
+send -- "exit\r"
+sleep 2
+
+puts "\n"
+