[GH-ISSUE #1560] Cannot open files from sshfs #1037

Closed
opened 2026-05-05 07:20:17 -06:00 by gitea-mirror · 15 comments

Originally created by @graywolf on GitHub (Sep 17, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1560

I cannot open files from sshfs when using vlc in firejail. For some reason it seems that it ignores path and just tries to open filename in home?

```
$ pwd
/home/wolf/raid/shared/アニメ/D-Frag!

$ vlc \[FFF\]\ D-Frag\!\ -\ 01\ \[BD\]\[1080p-FLAC\]\[665D6B4E\].mkv 
Reading profile /home/wolf/.config/firejail/vlc.profile
Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: noroot option is not available
Parent pid 25824, child pid 25825
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 100.11 ms
VLC media player 2.2.6 Umbrella (revision 2.2.6-0-g1aae78981c)
[000056152e10a148] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[00007fa6e4000ea8] filesystem access error: cannot open file /home/wolf/[FFF] D-Frag! - 01 [BD][1080p-FLAC][665D6B4E].mkv (No such file or directory)
[00007fa6f0003d88] core input error: open of `file:///home/wolf/%5BFFF%5D%20D-Frag%21%20-%2001%20%5BBD%5D%5B1080p-FLAC%5D%5B665D6B4E%5D.mkv' failed
```

When I call it with /usr/bin/vlc (therefore bypassing firejail) it works as expected.


@SkewedZeppelin commented on GitHub (Sep 17, 2017):

This seems related to #1419


@graywolf commented on GitHub (Sep 17, 2017):

I found #1419 but it seems to me that in that one sshfs is the approach that is working, as opposed to `gvfs-*` providers (whatever that is). It even ends with a suggestion to try `smbnetfs`, which uses FUSE (same as `sshfs`).


@smitsohu commented on GitHub (Sep 20, 2017):

Hi @graywolf! Is this possibly related to your mount options? With something basic like `reconnect,allow_other,nodev,nosuid,noexec` it is working for me.


@graywolf commented on GitHub (Sep 20, 2017):

Hm, so the reason was that I didn't have `allow_other` in mount options. Well, `allow_root` is enough. Now the question is why do I need it? While firejail is a suid binary, doesn't it change back to the original user and launch the program under the normal (non-root) user? So why do I need `allow_root`? I still think this is a bug...


@smitsohu commented on GitHub (Sep 20, 2017):

Something must go wrong when the sandbox is set up, which is done by Firejail as root. Noteworthy from the fuse manpage:

> No other user (including root) can access the contents of the mounted filesystem.

that means unless allow_root or allow_other is specified.


@smitsohu commented on GitHub (Sep 20, 2017):

For me, operations like whitelisting, noexec, read-write make such sshfs paths unavailable inside the jail.
I see you have a custom profile, are you doing something like this?

EDIT:

```
smitsohu@home:~$ cd ~
smitsohu@home:~$ firejail --noprofile --debug-whitelists --whitelist=/home/smitsohu/sshfsmount
Parent pid 19042, child pid 19043
Debug 374: new_name #/home/smitsohu/sshfsmount/#, whitelist
Removed whitelist/nowhitelist path: whitelist /home/smitsohu/sshfsmount
        expanded: /home/smitsohu/sshfsmount
        real path: (null)
        realpath: Permission denied
Child process initialized in 30.72 ms
smitsohu@home:~$ ls
smitsohu@home:~$
```

@netblue30 commented on GitHub (Sep 20, 2017):

> For some reason it seems that it ignores path and just tries to open filename in home?

I got the same thing, but adding "allow_other" to sshfs fixed the problem (thanks @smitsohu). Even whitelists and blacklists are working. This is how I mount it:

```
$ cd ~
$ sudo sshfs -o reconnect,allow_other netblue@192.168.1.25:/home/netblue/work work
```

@graywolf commented on GitHub (Sep 20, 2017):

@smitsohu While I have a custom profile, it's extremely simple:

```
$ cat ~/.config/firejail/vlc.profile 
# VLC media player profile

include /etc/firejail/vlc.profile

net none
```

@netblue30 yep, `allow_other` fixes the issue for me too (as does `allow_root` which I used), but I'm more curious why it's needed when the vlc runs under a regular user (`uid == 1000`) and not root...


@netblue30 commented on GitHub (Sep 21, 2017):

It seems to be a problem with the way fuse interacts with the mount namespace. You can run a fuse filesystem as regular user but mount namespace requires it to be root. By the time vlc is started, the filesystem is already broken.


@graywolf commented on GitHub (Sep 22, 2017):

So nothing to do from firejail's side? Then this can probably be closed; after all, the workaround is reasonably simple (`allow_root`).


@hyiltiz commented on GitHub (Oct 23, 2020):

Still cannot connect to it even if /usr/bin/sshfs is directly called without going thru firejail.

```
hyiltiz@iPhone ~ :( $ /usr/bin/sshfs -d -o reconnect -o allow_others tilde.club:/home/hyiltiz/priv b
SSHFS version 3.7.0
fuse: unknown option(s): `-o allow_others'
hyiltiz@iPhone ~ :( $ /usr/bin/sshfs -d -o reconnect,allow_other,nodev,nosuid,noexec tilde.club:/home/hyiltiz/priv b
SSHFS version 3.7.0
fusermount3: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
hyiltiz@iPhone ~ :( $ /usr/bin/sshfs -d -o reconnect,nodev,nosuid,noexec tilde.club:/home/hyiltiz/priv b
SSHFS version 3.7.0
executing <ssh> <-x> <-a> <-oClearAllForwardings=yes> <-2> <tilde.club> <-s> <sftp>
^Cread: Interrupted system call
hyiltiz@iPhone ~ :( $ Error: proc 1 cannot sync with peer: unexpected EOF
```

@wonbug commented on GitHub (Aug 16, 2022):

I'm also having this issue. sshfs with allow_root or allow_other just hangs indefinitely attempting to mount the remote directory. Is there anything else to try from firejail's end?


@SkewedZeppelin commented on GitHub (Aug 16, 2022):

I use SSHFS every day for my NAS on all my systems. I have zero issues with accessing folders from firejail'ed programs.

Running fuse-sshfs-3.7.3-1.fc36 and firejail from master as of a few days ago.

Here is what I use in fstab:

```
USER@HOST:/PATH/ON/SERVER /PATH/ON/LOCAL fuse.sshfs rw,defaults,allow_other,noauto,x-systemd.automount,_netdev,noatime,nosuid,nodev,reconnect,dir_cache=yes,max_conns=4,ConnectTimeout=20,ServerAliveInterval=10,Compression=no,Ciphers=aes256-gcm@openssh.com,IdentityFile=/home/USER/.ssh/KEY_TO_USE,uid=YOUR_UID,gid=YOUR_GID 0 0
```

> fusermount3: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf

Also helps to read the errors you get! 😉
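
The two conditions discussed in this thread, checked from a shell (an added example, not code from firejail or from any commenter): whether each FUSE mount carries `allow_other`/`allow_root`, and whether `/etc/fuse.conf` sets `user_allow_other`. The function names and the sample mount table are constructed for illustration, and the check assumes these options appear in the option field of the mount table.

```shell
#!/bin/sh
# Added example (not from the thread): find FUSE mounts that lack
# allow_other/allow_root, i.e. mounts root cannot resolve during sandbox setup.

# check_fuse_mounts [MOUNTS_FILE]   (hypothetical helper name)
# Prints "OK <mountpoint>" or "BLOCKED <mountpoint>" for every fuse.* entry.
check_fuse_mounts() {
    awk '$3 ~ /^fuse\./ {
        ok = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "allow_other" || opts[i] == "allow_root") ok = 1
        status = ok ? "OK" : "BLOCKED"
        print status, $2
    }' "${1:-/proc/self/mounts}"
}

# user_allow_other_set [FUSE_CONF]   (hypothetical helper name)
# Succeeds if non-root users are permitted to pass allow_other/allow_root.
user_allow_other_set() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' \
        "${1:-/etc/fuse.conf}" 2>/dev/null
}

# Constructed sample data (not real mounts): one sshfs mount per case.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
user@nas:/shared /home/user/raid fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
user@nas:/work /home/user/work fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
EOF
printf '# constructed fuse.conf\n#user_allow_other\n' > "$SAMPLE_DIR/fuse.conf.off"
printf 'user_allow_other\n' > "$SAMPLE_DIR/fuse.conf.on"

check_fuse_mounts "$SAMPLE_DIR/mounts"
for conf in "$SAMPLE_DIR/fuse.conf.off" "$SAMPLE_DIR/fuse.conf.on"; do
    if user_allow_other_set "$conf"; then
        echo "$conf: user_allow_other is set"
    else
        echo "$conf: user_allow_other is NOT set"
    fi
done
```

Called without arguments, the two functions read `/proc/self/mounts` and `/etc/fuse.conf` on the running system.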


@wonbug commented on GitHub (Feb 24, 2023):

@SkewedZeppelin thanks for sharing that fstab line - it works well for me now on Debian 11.6!


@kmille commented on GitHub (Jul 2, 2023):

For me `sudo sshfs -o allow_other` works. Running it without sudo does not work (user_allow_other is specified in /etc/fuse.conf). It just hangs ...:

```
kmille@linbox:~ sshfs -o debug,sshfs_debug,loglevel=debug,allow_other server:/dir /mntpoint
SSHFS version 3.7.3
executing <ssh> <-x> <-a> <-oClearAllForwardings=yes> <-ologlevel=debug> <-2> <desktop> <-s> <sftp>
```


Reference: github-starred/firejail#1037