[GH-ISSUE #1531] fcopy: Failure to copy file when uid != root

gitea-mirror commented

2026-05-05 07:19:00 -06:00

Owner

Originally created by @miszr on GitHub (Sep 5, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1531

Isssue #1243 still exists.

My system is configured with systemd-networkd and systemd-resolved.

The file /etc/resolv.conf is symlinked to /run/systemd/resolve/resolv.conf with the following permissions:
-rw-r--r-- systemd-resolve systemd-resolve /run/systemd/resolve/resolv.conf

So the file is world readable, but fcopy still refuses to copy it.

The issue is that fcopy only checks the uid of the file, not respecting the actual permissions set on it.

An example where this would fail terribly is if a file owner had no permissions.

To reproduce:

Create a file with a certain owner that is not root.
Run fcopy as root and try to copy that file.

Originally created by @miszr on GitHub (Sep 5, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1531 Isssue #1243 still exists. My system is configured with systemd-networkd and systemd-resolved. The file /etc/resolv.conf is symlinked to /run/systemd/resolve/resolv.conf with the following permissions: -rw-r--r-- systemd-resolve systemd-resolve /run/systemd/resolve/resolv.conf So the file is _world readable_, but fcopy still refuses to copy it. The issue is that fcopy only checks the uid of the file, not respecting the actual permissions set on it. An example where this would fail terribly is if a file owner had no permissions. To reproduce: 1. Create a file with a certain owner that is not root. 2. Run fcopy as root and try to copy that file.

gitea-mirror

2026-05-05 07:19:00 -06:00

closed this issue
added the
bug

networking
labels

gitea-mirror commented

2026-05-05 07:19:05 -06:00

Author

Owner

@ranisalt commented on GitHub (Sep 13, 2017):

I can reproduce too, I have the same setup with systemd-resolved.

@ranisalt commented on GitHub (Sep 13, 2017): I can reproduce too, I have the same setup with systemd-resolved.

gitea-mirror commented

2026-05-05 07:19:08 -06:00

Author

Owner

@netblue30 commented on GitHub (Sep 14, 2017):

I put a fix in for issue: https://github.com/netblue30/firejail/issues/1547

I think is the same problem, ~~/run/systemd/resolve/resolv.conf~~ was blacklisted in /etc/firejail/disable-common.inc. Give it a try, thanks.

@netblue30 commented on GitHub (Sep 14, 2017): I put a fix in for issue: https://github.com/netblue30/firejail/issues/1547 I think is the same problem, ~~/run/systemd/resolve/resolv.conf~~ was blacklisted in /etc/firejail/disable-common.inc. Give it a try, thanks.

gitea-mirror commented

2026-05-05 07:19:09 -06:00

Author

Owner

@miszr commented on GitHub (Sep 14, 2017):

No, #1547 is a different issue.

I corrected mine a while back using noblacklist /var/run/systemd in /etc/firejail/globals.local

@miszr commented on GitHub (Sep 14, 2017): No, #1547 is a different issue. I corrected mine a while back using `noblacklist /var/run/systemd` in `/etc/firejail/globals.local`

gitea-mirror commented

2026-05-05 07:19:12 -06:00

Author

Owner

@netblue30 commented on GitHub (Sep 15, 2017):

Sorry, actualy I removed /var/run/systemd from disable-common.inc, not /run/systemd/resolve/resolv.conf. The fix is in git.

@netblue30 commented on GitHub (Sep 15, 2017): Sorry, actualy I removed /var/run/systemd from disable-common.inc, not /run/systemd/resolve/resolv.conf. The fix is in git.

gitea-mirror commented

2026-05-05 07:19:13 -06:00

Author

Owner

@miszr commented on GitHub (Sep 15, 2017):

This issue is NOT resolved.

The problem is using fcopy to copy a world readable file but where the owner is not the current user.
Since firejail is using SUID to get root, the current user is root.

None of the above mentioned fixes are affecting the problem.

@miszr commented on GitHub (Sep 15, 2017): This issue is **NOT** resolved. The problem is using fcopy to copy a world readable file but where the owner is not the current user. Since firejail is using SUID to get root, the current user is root. None of the above mentioned fixes are affecting the problem.

gitea-mirror commented

2026-05-05 07:19:14 -06:00

Author

Owner

@eomanis commented on GitHub (Sep 15, 2017):

This problem is currently preventing me from launching Steam, which I have set up to be launched in a --private= home dir.

[myuser@mysystem ~]$ ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 32 15. Sep 21:51 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
[myuser@mysystem ~]$ ls -la /run/systemd/resolve/resolv.conf 
-rw-r--r-- 1 systemd-resolve systemd-resolve 536 15. Sep 14:36 /run/systemd/resolve/resolv.conf

Launching Steam:

[myuser@mysystem Steam]$ /usr/bin/firejail --profile=/etc/firejail/steam.profile --private="/home/myuser/sandboxes/Steam" -- /usr/bin/steam-runtime
Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /home/myuser/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: noroot option is not available
Parent pid 26240, child pid 26241
Error fcopy: invalid file /etc/resolv.conf
Error: failed to run /usr/lib/firejail/fcopy
Error: proc 26240 cannot sync with peer: unexpected EOF
Peer 26241 unexpectedly exited with status 1

When I copy /run/systemd/resolve/resolv.conf to /etc/resolv.conf it works again, possibly because then it belongs to root:root.

@eomanis commented on GitHub (Sep 15, 2017): This problem is currently preventing me from launching Steam, which I have set up to be launched in a --private= home dir. ``` [myuser@mysystem ~]$ ls -la /etc/resolv.conf lrwxrwxrwx 1 root root 32 15. Sep 21:51 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf [myuser@mysystem ~]$ ls -la /run/systemd/resolve/resolv.conf -rw-r--r-- 1 systemd-resolve systemd-resolve 536 15. Sep 14:36 /run/systemd/resolve/resolv.conf ``` Launching Steam: ``` [myuser@mysystem Steam]$ /usr/bin/firejail --profile=/etc/firejail/steam.profile --private="/home/myuser/sandboxes/Steam" -- /usr/bin/steam-runtime Reading profile /etc/firejail/steam.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-common.local Reading profile /home/myuser/.config/firejail/disable-common.local Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Warning: noroot option is not available Parent pid 26240, child pid 26241 Error fcopy: invalid file /etc/resolv.conf Error: failed to run /usr/lib/firejail/fcopy Error: proc 26240 cannot sync with peer: unexpected EOF Peer 26241 unexpectedly exited with status 1 ``` When I copy /run/systemd/resolve/resolv.conf to /etc/resolv.conf it works again, possibly because then it belongs to root:root.

gitea-mirror commented

2026-05-05 07:19:15 -06:00

Author

Owner

@ranisalt commented on GitHub (Sep 15, 2017):

This is giving me more issues with other apps that can't copy the resolv.conf link. The apps fail to resolve any DNS address.

@ranisalt commented on GitHub (Sep 15, 2017): This is giving me more issues with other apps that can't copy the resolv.conf link. The apps fail to resolve any DNS address.

gitea-mirror commented

2026-05-05 07:19:16 -06:00

Author

Owner

@netblue30 commented on GitHub (Sep 18, 2017):

I have a fix in, give it a try. I'll reopen it if necessary, thanks.

@netblue30 commented on GitHub (Sep 18, 2017): I have a fix in, give it a try. I'll reopen it if necessary, thanks.

gitea-mirror commented

2026-05-05 07:19:17 -06:00

Author

Owner

@miszr commented on GitHub (Sep 19, 2017):

The solution does work. However I do think the solution is overly specific.

The fundamental solution should be allowing world-readable files to be copied. Not allowing a specific file to be copied.

That the issue occurred with systemd-resolved is just one case.

@miszr commented on GitHub (Sep 19, 2017): The solution does work. However I do think the solution is overly specific. The fundamental solution should be allowing world-readable files to be copied. Not allowing a specific file to be copied. That the issue occurred with systemd-resolved is just one case.

gitea-mirror commented

2026-05-05 07:19:19 -06:00

Author

Owner

@ranisalt commented on GitHub (Sep 19, 2017):

It didn't work for me, apps firejailed still can't resolve DNS. I recreated the links with firecfg.

@ranisalt commented on GitHub (Sep 19, 2017): It didn't work for me, apps firejailed still can't resolve DNS. I recreated the links with `firecfg`.

gitea-mirror commented

2026-05-05 07:19:20 -06:00

Author

Owner

@primeroz commented on GitHub (Aug 22, 2021):

I am still having this issue with resolv.conf -> /run/systemd/....

is this supposed to be fixed ?

@primeroz commented on GitHub (Aug 22, 2021): I am still having this issue with resolv.conf -> /run/systemd/.... is this supposed to be fixed ?

gitea-mirror commented

2026-05-05 07:19:21 -06:00

Author

Owner

@solsticedhiver commented on GitHub (Apr 25, 2023):

while using firejail and transmission for a while, this bug has just poop-up on my rpi3 system, for no reason ?

@solsticedhiver commented on GitHub (Apr 25, 2023): while using firejail and transmission for a while, this bug has just poop-up on my rpi3 system, for no reason ?

Rows
Columns

[GH-ISSUE #1531] fcopy: Failure to copy file when uid != root #1022