[PR #742] [MERGED] Tighten security #3740

Closed
opened 2026-05-05 10:07:02 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/742
Author: @manevich
Created: 8/24/2016
Status: Merged
Merged: 8/24/2016
Merged by: @netblue30

Base: master ← Head: security


📝 Commits (4)

📊 Changes

8 files changed (+91 additions, -122 deletions)


📝 src/firejail/appimage.c (+14 -10)
📝 src/firejail/firejail.h (+22 -1)
📝 src/firejail/fs.c (+34 -86)
📝 src/firejail/fs_home.c (+8 -17)
📝 src/firejail/ls.c (+1 -5)
📝 src/firejail/pulseaudio.c (+1 -1)
📝 src/firejail/util.c (+6 -1)
📝 src/include/euid_common.h (+5 -1)

📄 Description

appimage.c:

  • remove redundant mkdir, chown, chmod calls; the last two also pose a race condition risk.
  • open the appimage file as user, to avoid a race condition that may allow an attacker to mount an appimage/iso file that is unreadable to the user.

firejail.h:

  • add ASSERT_PERMS macros

util.c:

  • change copy_file function to take uid, gid, and mode for new file, use fchown and fchmod to prevent race condition when setting owner and permissions.

euid_common.h:

  • set egid when switching euid, so files created as root won't need additional chown to change group.
  • exit with an error if unable to switch euid/egid to user - if we continue to run code that is intended to run as user with root privileges - this is a disaster.

fs.c and other:

  • Avoid chown and chmod where possible, using functions and macros mentioned above.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

Commits:

  • b1de742 (https://github.com/netblue30/firejail/commit/b1de742a08cccb5f3ae7e2a8fa851aa0059c92f4) remove unneeded chown
  • 9e025da (https://github.com/netblue30/firejail/commit/9e025dab2a228092058d170daa78290a33e626b3) ASSERT_PERMS macros
  • 096f01e (https://github.com/netblue30/firejail/commit/096f01e99775e2ccea623e4058b3d7f8090bb6d3) Merge branch 'master' into security
  • c321020 (https://github.com/netblue30/firejail/commit/c321020a559a2640799c4144ade6b4e69140e065) tighten security