private-cwd leaks access to the entire filesystem #4780

Closed
2 tasks done
WhyNotHugo opened this issue Dec 16, 2021 · 5 comments
Labels: bug (Something isn't working), security (Security issues and discussions)

@WhyNotHugo
Contributor

Description

Using firejail --private --private-cwd=. /usr/bin/sh leaks access to the entire filesystem.

Steps to Reproduce

  1. cd into some subdirectory of $HOME.
  2. `firejail --private --private-cwd=. /usr/bin/sh`
  3. ls ../../some-file (for a relative path that exists). cat also works.

Expected behavior

Access to these files should not be possible.

Actual behavior

Access to files using relative paths is permitted, allowing access to the entire filesystem.

Note: changing directory into those locations does not work, but reading files without changing directory does.

Behavior without a profile

n/a

Additional context

Environment

➜ uname -sro
Linux 5.15.8-arch1-1 GNU/Linux

➜ firejail --version
firejail version 0.9.67

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

(removed some non-applicable items)

  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
@rusty-snake rusty-snake added bug Something isn't working security Security issues and discussions labels Dec 16, 2021
@glitsj16
Collaborator

@WhyNotHugo Nice find! Thanks for reporting.

@rusty-snake I'm new to marking issues to a milestone. Any thoughts on adding this to 0.9.68? Even when this isn't fixed by then (whenever it comes), it's a nice way to keep track of things.

@rusty-snake rusty-snake added this to the 0.9.68 milestone Dec 17, 2021
@netblue30
Owner

Fixed: d2e10f8

Very cool bug, thanks!

@WhyNotHugo
Contributor Author

The command in the example above no longer works:

$ firejail --private --private-cwd=. /usr/bin/sh
Error: invalid private working directory

@kmk3
Collaborator

kmk3 commented Dec 23, 2021

@WhyNotHugo commented on Dec 20:

The command in the example above no longer works:

$ firejail --private --private-cwd=. /usr/bin/sh
Error: invalid private working directory

Hello, could you open a new issue for this?

kmk3 added a commit to kmk3/firejail that referenced this issue Feb 1, 2022
Note: netblue30#4780 was fixed on commit d2e10f8 ("fix --private-cwd problem",
2021-12-19).

Relates to netblue30#4748 netblue30#4780.
kmk3 added a commit to kmk3/firejail that referenced this issue Feb 1, 2022
Note: netblue30#4780 was closed by commit d2e10f8 ("fix --private-cwd problem",
2021-12-19).

Relates to netblue30#4748 netblue30#4780.
kmk3 added a commit to kmk3/firejail that referenced this issue Feb 2, 2022
Note: netblue30#4780 was closed by commit d2e10f8 ("fix --private-cwd problem",
2021-12-19).

Relates to netblue30#4748 netblue30#4780.
@Ding-yixia

This issue has not been fixed yet.

@kmk3 kmk3 moved this to Done (on RELNOTES) in Release 0.9.68 Sep 2, 2024