nogroups + wrc prints confusing messages #4930
Comments
Reproduced on Arch Linux. I can definitely agree on |
@rusty-snake commented on Feb 11:
Good catch. I think this probably happens because IIRC I had originally tried to make the checks run only once at startup, which I think I'll just comment these messages out for now until a better solution is |
Added on commit 7abce0b ("Fix keeping certain groups with nogroups", 2021-11-30) / PR netblue30#4732.

As reported by @rusty-snake on netblue30#4930, conflicting messages are printed when using whitelist-run-common.inc with nogroups:

    $ cat test.profile
    include whitelist-run-common.inc
    nogroups
    $ firejail --profile=./test.profile groups
    Reading profile ./test.profile
    Reading profile /etc/firejail/whitelist-run-common.inc
    Parent pid 1234, child pid 1235
    Warning: logind not detected, nogroups command ignored    <--- is a lie
    Warning: cleaning all supplementary groups
    Child process initialized in 30.00 ms
    rusty-snake    <---- running `groups` outside of the sandbox shows more, so groups are actually cleaned
    Parent is shutting down, bye...

This probably happens because wrc causes /run/systemd to be hidden in the sandbox and because check_can_drop_all_groups is called multiple times, seemingly both before and after the whitelisting goes into effect.

So disable the message about nogroups being ignored, but keep the message about cleaning all supplementary groups (which is unlikely to be printed unless it really happens).

Fixes netblue30#4930.
When nogroups is used, the following warning may be issued (potentially multiple times, as drop_privs may be called more than once):

    Warning: cleaning all supplementary groups

But the warning is being shown even when it seems that all supplementary groups can be safely dropped (and are thus dropped), which is likely a common scenario.

This commit prevents the warning from being printed in that case, making it so that it is only shown in the non-happy paths (as was the case on firejail 0.9.66).

Misc: The added code was copied from drop_privs.

This amends commit 7abce0b ("Fix keeping certain groups with nogroups", 2021-11-30) / PR netblue30#4732.

Kind of relates to netblue30#4930.
Description

nogroups + wrc prints confusing messages.

Steps to Reproduce

Expected behavior

- `Warning: logind not detected` is only shown when there is no logind
- `Warning: nogroups command ignored` is only shown when it is really ignored

Actual behavior

- `Warning: logind not detected` is shown on logind systems
- `Warning: nogroups command ignored; cleaning all supplementary groups` makes no sense and confuses users.

Additional context

Environment
Edit by @kmk3: Formatting.