[GH-ISSUE #1639] Chroot -- /etc/resolv.conf file as symlink being rejected #1103

Closed
opened 2026-05-05 07:27:31 -06:00 by gitea-mirror · 5 comments

Originally created by @nuxwin on GitHub (Nov 9, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1639

@netblue30

Tested with version 0.9.50.1 from the 0.9.50-bugfixes branch.

When installing the resolvconf package under Debian 9/Stretch, the **/etc/resolv.conf** file is a symlink pointing to **/etc/resolvconf/run/resolv.conf** and **/etc/resolvconf/run** is a symlink pointing to the **/run/resolvconf** directory. In short, the real **resolv.conf** file is a dynamic (volatile) file whose real path is **/run/resolvconf/resolv.conf**:

```shell
root@stretch:~# ls -la /etc/resolv.conf 
lrwxrwxrwx 1 root root 31 nov.   9 16:39 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
root@stretch:~# ls -la /etc/resolvconf/run
lrwxrwxrwx 1 root root 15 nov.   9 16:39 /etc/resolvconf/run -> /run/resolvconf
root@stretch:~# ls -la /run/resolvconf/resolv.conf 
-rw-r--r-- 1 root root 172 nov.   9 16:45 /run/resolvconf/resolv.conf
root@stretch:~# realpath /etc/resolv.conf 
/run/resolvconf/resolv.conf
root@stretch:~# 
```

For our project, we are creating a chroot and of course, our chroot contains an identical layout for the resolv.conf file:

```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# chroot .
root@stretch:/# ls -la /etc/resolv.conf 
lrwxrwxrwx 1 root root 31 nov.   9 17:12 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
root@stretch:/# ls -la /etc/resolvconf/run
lrwxrwxrwx 1 root root 15 nov.   9 17:12 /etc/resolvconf/run -> /run/resolvconf
root@stretch:/# ls -la /run/resolvconf
total 12
drwxr-xr-x 2 root root 4096 nov.   9 17:12 .
drwxr-xr-x 6 root root 4096 nov.   9 17:12 ..
-rw-r--r-- 1 root root  172 nov.   9 16:45 resolv.conf
root@stretch:/#
```

The problem is that firejail rejects the /etc/resolv.conf file:

```shell
nuxwin@dev:~$ ssh imscp_nuxwin@192.168.1.133

  ___           _              _      ____ ____  _   _
 |_ _|_ __  ___| |_ __ _ _ __ | |_   / ___/ ___|| | | |
  | || '_ \/ __| __/ _` | '_ \| __|  \___ \___ \| |_| |
  | || | | \__ \ || (_| | | | | |_    ___) |__) |  _  |
 |___|_| |_|___/\__\__,_|_| |_|\__|  |____/____/|_| |_|


Welcome to your shell.

If you need a specific command, get in contact with your reseller.

i-MSCP InstantSSH plugin v6.0.0
Copyright (c) 2014-2017 Laurent Declercq <l.declercq@nuxwin.com>

Last login: Thu Nov  9 17:13:33 2017 from 192.168.1.100
Error: invalid /var/chroot/InstantSSH/shared_jail/etc/resolv.conf file
Connection to 192.168.1.133 closed.
nuxwin@dev:~$ 
```

Well, this is due to the following check in the [fs.c](https://github.com/netblue30/firejail/blob/0.9.50-bugfixes/src/firejail/fs.c#L1112) file:

```c
if (is_link(name)) {
	fprintf(stderr, "Error: invalid %s file\n", name);
	exit(1);
}
```

**Environment**

```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# LANG=C lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.1 (stretch)
Release:	9.1
Codename:	stretch
```

```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# LANG=C aptitude show resolvconf
Package: resolvconf                      
Version: 1.79
State: installed
Automatically installed: no
Priority: optional
Section: net
Maintainer: resolvconf maintainers <resolvconf-devel@lists.alioth.debian.org>
Architecture: all
Uncompressed Size: 196 k
Depends: ifupdown, lsb-base (>= 4.1+Debian3), debconf (>= 0.5) | debconf-2.0, init-system-helpers (>= 1.18~)
Breaks: dhcp3-client (< 4.1.1-P1-15+squeeze1), dnscache-run, sysv-rc (< 2.88dsf-42)
Enhances: dhcpcd, dnsmasq, ifupdown, isc-dhcp-client, libc6, network-manager, nscd, pdnsd, ppp, pump, udhcpc
Provided by: openresolv (3.8.0-1)
Description: name server information handler
 Resolvconf is a framework for keeping up to date the system's information about name servers. It sets itself up as the intermediary between programs that supply this information (such as ifup and ifdown, DHCP
 clients, the PPP daemon and local name servers) and programs that use this information (such as DNS caches and resolver libraries). 
 
 This package may require some manual configuration. Please read the README file for detailed instructions.
Homepage: http://alioth.debian.org/projects/resolvconf/
Tags: admin::configuring, interface::commandline, network::configuration, protocol::dns, role::program, use::configuring
```

```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# firejail --version
firejail version 0.9.50.1

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is disabled

root@stretch:/var/chroot/InstantSSH/shared_jail#
```
gitea-mirror 2026-05-05 07:27:31 -06:00 closed this issue and added the bug label

@nuxwin commented on GitHub (Nov 9, 2017):

@netblue30

Also, with dev-master, another error is raised in place:

```shell
nuxwin@dev:~$ ssh imscp_nuxwin@192.168.1.133

  ___           _              _      ____ ____  _   _
 |_ _|_ __  ___| |_ __ _ _ __ | |_   / ___/ ___|| | | |
  | || '_ \/ __| __/ _` | '_ \| __|  \___ \___ \| |_| |
  | || | | \__ \ || (_| | | | | |_    ___) |__) |  _  |
 |___|_| |_|___/\__\__,_|_| |_|\__|  |____/____/|_| |_|


Welcome to your shell.

If you need a specific command, get in contact with your reseller.

i-MSCP InstantSSH plugin v6.0.0
Copyright (c) 2014-2017 Laurent Declercq <l.declercq@nuxwin.com>

Last login: Thu Nov  9 17:17:56 2017 from 192.168.1.100
Error: chroot /etc/resolv.conf is pointing outside chroot
Connection to 192.168.1.133 closed.
nuxwin@dev:~$
```

I saw that you added some fixes lately regarding the **/etc/resolv.conf** file but now we end up with a false error:

```
Error: chroot /etc/resolv.conf is pointing outside chroot
```

As you can see in my quotes above, that is totally false. I wonder why you're doing so many checks on the resolv.conf file. All those checks make your life harder and instead of improving security, you're breaking the whole chroot feature. A check on file owner and permission (not world-**writable**) should be sufficient here. The /etc/resolv.conf file can be dynamic (that is by far the most common case now) and therefore is a symlink in most cases.

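For reference, an added example (not firejail's code, and not from anyone in this thread) of what the "pointing outside chroot" check would have to do to get the layout above right: follow the `/etc/resolv.conf` chain the way the chroot itself sees it, rebasing absolute link targets onto the chroot directory, flag only a chain that actually climbs above that directory, and then apply the owner / not-world-writable check suggested here. The names `chroot_resolve` and `chroot_resolv_conf_ok` and the 40-hop loop limit are my choices; `root` is assumed to be an absolute directory path without a trailing slash, and the caller passes the uid the file must be owned by (0 in firejail's case).

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve an absolute in-chroot `path` against the chroot directory `root`,
 * following symlinks as the chroot sees them (absolute targets rebased onto
 * `root`). Writes the host-side path of the final object to `out`; returns 0
 * on success, 1 if the chain climbs above `root`, -1 on a loop or missing component. */
int chroot_resolve(const char *root, const char *path, char *out, size_t outlen)
{
    char cur[PATH_MAX], rest[PATH_MAX], next[PATH_MAX], tmp[PATH_MAX];
    struct stat st;
    int hops = 0;
    snprintf(cur, sizeof cur, "%s", root);
    snprintf(rest, sizeof rest, "%s", path);
    while (rest[0] != '\0') {
        char *p = rest + strspn(rest, "/"); size_t n = strcspn(p, "/");  /* next component */
        char comp[PATH_MAX]; memcpy(comp, p, n); comp[n] = '\0';
        memmove(rest, p + n, strlen(p + n) + 1);                          /* consume it */
        if (n == 0 || !strcmp(comp, ".")) continue;
        if (!strcmp(comp, "..")) {                                        /* never climb above root */
            if (strlen(cur) == strlen(root)) return 1; *strrchr(cur, '/') = '\0'; continue; }
        snprintf(next, sizeof next, "%s/%s", cur, comp);
        if (lstat(next, &st) != 0) return -1;
        if (!S_ISLNK(st.st_mode)) { strcpy(cur, next); continue; }
        ssize_t len = readlink(next, tmp, sizeof tmp - 2);
        if (len < 0 || ++hops > 40) return -1;                            /* unreadable or loop */
        tmp[len] = '\0';
        if (tmp[0] == '/') strcpy(cur, root);                             /* absolute target: rebase onto root */
        strcat(tmp, "/"); strncat(tmp, rest, sizeof tmp - strlen(tmp) - 1);
        strcpy(rest, tmp);                                                /* re-walk target + remaining components */
    }
    snprintf(out, outlen, "%s", cur);
    return 0;
}

/* The check this thread converges on: the chroot's /etc/resolv.conf must resolve
 * inside the chroot to a regular file owned by `owner` that is not world-writable. */
int chroot_resolv_conf_ok(const char *root, uid_t owner)
{
    char real[PATH_MAX]; struct stat st;
    if (chroot_resolve(root, "/etc/resolv.conf", real, sizeof real) != 0) return 0;
    if (stat(real, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return st.st_uid == owner && !(st.st_mode & S_IWOTH);
}
```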

@Ferroin commented on GitHub (Nov 9, 2017):

If /etc/resolv.conf isn't world readable on your system, then something is not behaving correctly. At least glibc, and I'm pretty sure uClibc and whatever musl uses for networking functions, need that file readable to resolve hostnames properly when configured to use DNS. Most other DNS resolver libraries need it too. That requirement is why it's so important. If somebody spoofs the file in some way, they have functionally full control of what systems you talk to on the network, and can potentially trick you into thinking your external hostname is something else.

That said, the file should not be world-writable, as that would make such spoofing absolutely trivial.


@nuxwin commented on GitHub (Nov 9, 2017):

@Ferroin

Sorry, you're right. It is world-**readable** and MUST be world-**readable**. I wanted to say not world-**writable** ;) I'll edit my previous post.


@netblue30 commented on GitHub (Nov 10, 2017):

The logic is broken. There should be no checking on `<chrootdir>/etc/resolv.conf`, the file is replaced anyway by firejail with the real /etc/resolv.conf. I put a fix in https://github.com/netblue30/firejail/commit/ac0d75f9431f28e0f2aa583d073c300883197e2e


@nuxwin commented on GitHub (Nov 12, 2017):

@netblue30

Thanks ;) I'll check it out and give it a try soon ;)
