author | Patrick Griffis <tingping@tingping.se> | 2020-02-12 14:57:54 -0800 |
---|---|---|
committer | Patrick Griffis <tingping@tingping.se> | 2020-02-12 15:09:04 -0800 |
commit | bcd382b12ed1dab2c1106afd161c43d72a3e13e1 (patch) | |
tree | 526e75865980ab0c8b601bbcaee5516621a3ca4e | |
parent | bbd4ee68b4ef15e714f0aec7c5aebc8daca1214f (diff) | |
download | flatpak-wip/tingping/sudo-check.tar.gz |
run: Prevent accidentally running with sudo (wip/tingping/sudo-check)
It is a common user error to prepend many flatpak commands with sudo
and doing so with run is quite unsafe and can cause issues.
This check simply handles the `sudo flatpak run foo` case and does
not prevent running as root or even running in a shell created by
sudo.
See also #1357
-rw-r--r-- | common/flatpak-run.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 7a872ec8..e9fa2961 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3426,6 +3426,27 @@ open_namespace_fd_if_needed (const char *path, const char *type)
 return -1;
 }
+static gboolean
+check_sudo (GError **error)
+{
+ const char *sudo_command_env = g_getenv ("SUDO_COMMAND");
+ g_auto(GStrv) split_command = NULL;
+
+ /* This check exists to stop accidental usage of `sudo flatpak run`
+ and is not to prevent running as root.
+ */
+
+ if (!sudo_command_env)
+ return TRUE;
+
+ /* SUDO_COMMAND could be a value like `/usr/bin/flatpak run foo` */
+ split_command = g_strsplit (sudo_command_env, " ", 2);
+ if (g_str_has_suffix (split_command[0], "flatpak"))
+ return flatpak_fail_error (error, FLATPAK_ERROR, _("\"flatpak run\" is not intended to be ran with sudo"));
+
+ return TRUE;
+}
+
 gboolean
 flatpak_run_app (const char *app_ref,
 FlatpakDeploy *app_deploy,
@@ -3482,6 +3503,9 @@ flatpak_run_app (const char *app_ref,
 struct stat s;
+ if (!check_sudo (error))
+ return FALSE;
+
 app_ref_parts = flatpak_decompose_ref (app_ref, error);
 if (app_ref_parts == NULL)
 return FALSE; |
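Review bot: `split_command[0]` can be NULL in check_sudo, because g_strsplit() returns an empty vector for an empty string, so an exported-but-empty SUDO_COMMAND reaches `g_str_has_suffix (NULL, "flatpak")` and trips a GLib critical instead of being skipped. Guard it with `if (split_command[0] != NULL && g_str_has_suffix (split_command[0], "flatpak"))`. The suffix test also matches any first token that merely ends in "flatpak", and any flatpak subcommand, so comparing the `g_path_get_basename()` of the token for equality would be tighter. Since SUDO_COMMAND is set by the caller's environment and inherited by child processes, the comment could state explicitly that this is a usability guard and not a privilege check. The user-facing string should read "to be run with sudo".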
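Review bot: Placing the check at the top of flatpak_run_app makes every caller of this common/ function subject to it, not only the `flatpak run` builtin, while check_sudo inspects only the first token of SUDO_COMMAND. If any other flatpak subcommand or a library consumer reaches flatpak_run_app under sudo, it would presumably fail with a message about "flatpak run". If that is intended, a comment such as `/* Refuse early: SUDO_COMMAND is inherited, so this also fires for children of a sudo'd flatpak */` would document it; otherwise the check may belong in the run builtin. flatpak_run_app begins and ends outside this hunk, so the other call paths are not visible here.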