[GH-ISSUE #1521] Unable to run a C executable in firejail: Permission denied error. #1017

Closed
opened 2026-05-05 07:18:41 -06:00 by gitea-mirror · 2 comments

Originally created by @rsg123456 on GitHub (Sep 3, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1521

Hello,

I'm interested in using firejail for testing student programs that are written in C/C++ so that they are contained within a sandbox and isolated from the rest of the system. However, I'm unable to execute any C/C++ executables with firejail. I've written a simple C program and am trying to execute it with firejail. The executable is named bfs and it runs as expected when I don't use firejail. However, it fails to execute with firejail and produces the following output:
```
[root@spel-lin01 rgrover]# firejail ./bfs
Reading profile /etc/firejail/server.profile

** Note: you can use --noprofile to disable server.profile **

Parent pid 24281, child pid 24282
The new log directory is /proc/24282/root/var/log
Child process initialized in 56.42 ms
/bin/bash: ./bfs: No such file or directory

Parent is shutting down, bye...

[root@spel-lin01 rgrover]# firejail ./bfs
Reading profile /etc/firejail/server.profile

** Note: you can use --noprofile to disable server.profile **

Parent pid 24787, child pid 24788
The new log directory is /proc/24788/root/var/log
Child process initialized in 20.52 ms
/bin/bash: ./bfs: No such file or directory

Parent is shutting down, bye...
[root@spel-lin01 rgrover]# firejail ./bfs
Reading profile /etc/firejail/server.profile

** Note: you can use --noprofile to disable server.profile **

Parent pid 24804, child pid 24805
The new log directory is /proc/24805/root/var/log
Child process initialized in 29.30 ms
/bin/bash: ./bfs: No such file or directory
Parent is shutting down, bye...

[root@spel-lin01 rgrover]# firejail --noprofile ./bfs
Parent pid 24298, child pid 24299
The new log directory is /proc/24299/root/var/log
Child process initialized in 23.18 ms
/bin/bash: ./bfs: Permission denied

Parent is shutting down, bye.
```

These are the contents of /etc/firejail/server.profile:

```
[root@spel-lin01 rgrover]# cat /etc/firejail/server.profile
# Persistent global definitions go here
include /etc/firejail/globals.local

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/server.local

# generic server profile
# it allows /sbin and /usr/sbin directories - this is where servers are installed
whitelist /home/rgrover/bfs
noblacklist /sbin
noblacklist /usr/sbin
#include /etc/firejail/disable-common.inc
#include /etc/firejail/disable-programs.inc
#include /etc/firejail/disable-passwdmgr.inc

blacklist /tmp/.X11-unix

no3d
nosound
seccomp
caps

private
private-dev
private-tmp
[root@spel-lin01 rgrover]# 
```

The file permissions for bfs are shown here:
```
-rwxr-xr-x. 1 root root 14944 Sep 2 21:35 bfs
-rw-r--r--. 1 rgrover rgrover 6223 Sep 2 20:14 bfs.c
drwxr-xr-x. 2 rgrover rgrover 63 Sep 2 19:56 Desktop
drwxr-xr-x. 2 rgrover rgrover 6 Sep 2 18:45 Documents
drwxr-xr-x. 3 rgrover rgrover 47 Sep 2 19:03 Downloads
-rwxr-xr-x. 1 root root 8720 Sep 2 22:01 exploit1
-rw-rw-r--. 1 rgrover rgrover 244 Sep 2 19:35 exploit1.c
-rwxr-xr-x. 1 root root 849424 Sep 2 20:03 exploit2
-rw-rw-r--. 1 rgrover rgrover 85 Sep 2 19:34 exploit2.c
drwxr-xr-x. 2 rgrover rgrover 6 Sep 2 18:45 Music
drwxr-xr-x. 2 rgrover rgrover 6 Sep 2 18:45 Pictures
drwxr-xr-x. 2 rgrover rgrover 6 Sep 2 18:45 Public
drwxr-xr-x. 2 rgrover rgrover 6 Sep 2 18:45 Templates
drwxr-xr-x. 2 root root 17 Sep 2 20:17 test
drwxr-xr-x. 2 rgrover rgrover 6 Sep 2 18:45 Videos
[root@spel-lin01 rgrover]#
```

I've also created two "exploits" (programs that display the contents of /etc/shadow) to test firejail. However, I'm unable to execute any of these programs.


@SkewedZeppelin commented on GitHub (Sep 3, 2017):

The server profile has 'private' which means it cannot access any files in your home directory. As for why it didn't work when you used --noprofile is probably due to being logged in as root. You should first create a dedicated user and then create a dedicated profile based off of /etc/firejail/default.profile as specific as possible to the programs you'll be running. And there isn't really a need for a program to test, you could just cat /etc/shadow and get a "No such file or directory" if using private-etc or "Permission denied" without.
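
The two checks described in the comment above, as an added shell example that is not part of the original thread or of firejail: whether a profile's `private` directive hides a binary under a home directory, and which error `cat /etc/shadow` should give depending on `private-etc`. The finding names and the trimmed sample profiles are constructed for illustration, and the `/etc/shadow` prediction assumes an unprivileged user.

```bash
#!/bin/sh
# Added example, not firejail code. Finding names and the trimmed sample
# profiles are constructed for illustration.

# has_directive PROFILE NAME: true if NAME is an active (uncommented) directive.
# Anchored so "private" does not match "private-dev" or "# private".
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]+.*)?\$" "$1"
}

# diagnose PROFILE BINARY HOME_DIR UID: print one finding per line.
diagnose() (
    profile=$1 binary=$2 home=${3%/} uid=$4
    if has_directive "$profile" private; then
        case "$binary" in
            "$home"/*) echo "private-hides-binary" ;;
        esac
    fi
    if [ "$uid" -eq 0 ]; then echo "running-as-root"; fi
)

# expected_shadow_error PROFILE: error predicted for `cat /etc/shadow` when run
# in the sandbox as an unprivileged user (assumption).
expected_shadow_error() {
    if has_directive "$1" private-etc; then
        echo "No such file or directory"
    else
        echo "Permission denied"
    fi
}

# write_samples DIR: constructed excerpts of the two profiles in this thread.
write_samples() {
    printf '%s\n' 'whitelist /home/rgrover/bfs' 'seccomp' 'caps' \
        'private' 'private-dev' 'private-tmp' > "$1/server.profile"
    printf '%s\n' 'caps.drop all' 'noroot' 'seccomp' '# nogroups' \
        ' private-etc none' ' private-dev' ' private-tmp' > "$1/default.profile"
}

samples=$(mktemp -d)
write_samples "$samples"
diagnose "$samples/server.profile" /home/rgrover/bfs /home/rgrover 0
expected_shadow_error "$samples/default.profile"
rm -rf "$samples"
```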


@rsg123456 commented on GitHub (Sep 4, 2017):

SpotComms, many thanks for your suggestion! I'm able to execute the program using firejail when I use the su command for the user rgrover:
```
#su - rgrover -c "firejail ./bfs"
```

These are the contents of the default.profile:

```
[root@spel-lin01 rgrover]# cat /etc/firejail/default.profile
# Persistent global definitions go here
include /etc/firejail/globals.local

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/default.local

################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp

#
# depending on your usage, you can enable some of the commands below:
#
# nogroups
 shell none
 private-bin program
 private-etc none
 private-dev
 private-tmp
 nosound
```