[PR #3241] [MERGED] Harden sbox_run by using fexecve instead of execvp #4694

New issue

Closed

opened 2026-05-05 10:24:52 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:24:52 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3241
Author: @kris7t
Created: 2/23/2020
Status: ✅ Merged
Merged: 2/23/2020
Merged by: @kris7t

Base: master ← Head: sbox-harden-exec

📝 Commits (2)

ead0c01 Harden sbox_run by using fexecve instead of execvp
b7f2906 Remove redundant permission check from dhcp_start

📊 Changes

2 files changed (+38 additions, -27 deletions)

View changed files

📝 src/firejail/dhcp.c (+2 -12)
📝 src/firejail/sbox.c (+36 -15)

📄 Description

Based on the discussion in #3239, this patch aims to make sbox_run less likely to execute malicious binaries as root.

The execvp call is replaces with fexecve, which does not perform PATH resolution. Because the environment was already cleared, this already wasn't a serious problem. But now, by passing absolute paths only to sbox_run, we get a bit more control.
We check the binary to be owned by root (either the user or the group) and not be world-writable. As we are running system utilities, not having these would indicate a serious and dangerous misconfiguration, or some kind of an attack.
The use of open with O_PATH and fexecve prevents TOCTOU errors with the permission check. This prevents a situation when the containing folder is somehow owned by a normal user (maybe by abusing some other setuid functionality to mount a tmpfs over it), and the binary we wish to run is replaced by a malicious one after we check its permissions.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/3241 **Author:** [@kris7t](https://github.com/kris7t) **Created:** 2/23/2020 **Status:** ✅ Merged **Merged:** 2/23/2020 **Merged by:** [@kris7t](https://github.com/kris7t) **Base:** `master` ← **Head:** `sbox-harden-exec` --- ### 📝 Commits (2) - [`ead0c01`](https://github.com/netblue30/firejail/commit/ead0c0138810a42005098559ca9a29925e8499b7) Harden sbox_run by using fexecve instead of execvp - [`b7f2906`](https://github.com/netblue30/firejail/commit/b7f2906df34d7ed2d41f27cfcbab93152bc00b3a) Remove redundant permission check from dhcp_start ### 📊 Changes **2 files changed** (+38 additions, -27 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/dhcp.c` (+2 -12) 📝 `src/firejail/sbox.c` (+36 -15) </details> ### 📄 Description Based on the discussion in #3239, this patch aims to make `sbox_run` less likely to execute malicious binaries as root. * The `execvp` call is replaces with `fexecve`, which does not perform PATH resolution. Because the environment was already cleared, this already wasn't a serious problem. But now, by passing absolute paths only to sbox_run, we get a bit more control. * We check the binary to be owned by root (either the user or the group) and not be world-writable. As we are running system utilities, not having these would indicate a serious and dangerous misconfiguration, or some kind of an attack. * The use of `open` with `O_PATH` and `fexecve` prevents TOCTOU errors with the permission check. This prevents a situation when the containing folder is somehow owned by a normal user (maybe by abusing some other setuid functionality to mount a tmpfs over it), and the binary we wish to run is replaced by a malicious one after we check its permissions. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:24:52 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#4694

No description provided.

Rows
Columns