github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1682] Firejail doesn't pass env TMPDIR variable after update to 0.9.52 #1137

New issue
Closed
opened 2026-05-05 07:31:07 -06:00 by gitea-mirror · 11 comments
gitea-mirror commented 2026-05-05 07:31:07 -06:00
Owner
Copy link

Originally created by @Vincent43 on GitHub (Dec 17, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1682

firejail --quiet --env=TMPDIR=/tmp bash
echo $TMPDIR

firejail --quiet --env=BLAHBLAH=/tmp bash
printenv |grep -i BLAHBLAH
BLAHBLAH=/tmp
Originally created by @Vincent43 on GitHub (Dec 17, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1682 ``` firejail --quiet --env=TMPDIR=/tmp bash echo $TMPDIR firejail --quiet --env=BLAHBLAH=/tmp bash printenv |grep -i BLAHBLAH BLAHBLAH=/tmp ```
gitea-mirror commented 2026-05-05 07:31:11 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Dec 18, 2017):

I cannot reproduce it:

$ firejail --quiet --env=TMPDIR=/tmp bash
$ echo $TMPDIR
/tmp
$ env | grep TMPDIR
TMPDIR=/tmp
<!-- gh-comment-id:352423655 --> @netblue30 commented on GitHub (Dec 18, 2017): I cannot reproduce it: ````` $ firejail --quiet --env=TMPDIR=/tmp bash $ echo $TMPDIR /tmp $ env | grep TMPDIR TMPDIR=/tmp `````
gitea-mirror commented 2026-05-05 07:31:13 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Dec 18, 2017):

I investigated further and it seems that noroot option breaks TMPDIR:

firejail --noprofile --noroot --env=TMPDIR=/tmp bash
Parent pid 6479, child pid 6480
Child process initialized in 18.72 ms
$ echo $TMPDIR

firejail --noprofile --env=TMPDIR=/tmp bash
Parent pid 6536, child pid 6537
Child process initialized in 21.94 ms
$ echo $TMPDIR
/tmp

$ firejail --noprofile --debug --noroot --env=TMPDIR=/tmp bash
Autoselecting /usr/bin/zsh as shell
Building quoted command line: 'bash' 
Command name #bash#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 6769, child pid 6770
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/john/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Current directory: /home/john
DISPLAY=:0 parsed as 0

Seccomp files:
-rw-r--r-- 1 john users 1104 Dec 18 15:20 /run/firejail/mnt/seccomp
-rw-r--r-- 1 john users  808 Dec 18 15:20 /run/firejail/mnt/seccomp.32
-rw-r--r-- 1 john users  824 Dec 18 15:20 /run/firejail/mnt/seccomp.64
-rw-r--r-- 1 john users    0 Dec 18 15:20 /run/firejail/mnt/seccomp.postexec
-rw-r--r-- 1 john users    0 Dec 18 15:20 /run/firejail/mnt/seccomp.protocol

noroot user namespace installed
starting application
LD_PRELOAD=(null)
Running 'bash'  command through /usr/bin/zsh
execvp argument 0: /usr/bin/zsh
execvp argument 1: -c
execvp argument 2: 'bash' 
Child process initialized in 33.35 ms
bash-4.4$ monitoring pid 3

echo $TMPDIR


firejail --noprofile --debug --env=TMPDIR=/tmp bash
Autoselecting /usr/bin/zsh as shell
Building quoted command line: 'bash' 
Command name #bash#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 7096, child pid 7097
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/john/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Current directory: /home/john
DISPLAY=:0 parsed as 0

Seccomp files:
-rw-r--r-- 1 john users 1104 Dec 18 15:26 /run/firejail/mnt/seccomp
-rw-r--r-- 1 john users  808 Dec 18 15:26 /run/firejail/mnt/seccomp.32
-rw-r--r-- 1 john users  824 Dec 18 15:26 /run/firejail/mnt/seccomp.64
-rw-r--r-- 1 john users    0 Dec 18 15:26 /run/firejail/mnt/seccomp.postexec
-rw-r--r-- 1 john users    0 Dec 18 15:26 /run/firejail/mnt/seccomp.protocol

Username john, groups 100, 9, 12, 28, 76, 120, 300, 999, 988, 
starting application
LD_PRELOAD=(null)
Running 'bash'  command through /usr/bin/zsh
execvp argument 0: /usr/bin/zsh
execvp argument 1: -c
execvp argument 2: 'bash' 
Child process initialized in 32.06 ms
[john@machine ~]$ monitoring pid 3

echo $TMPDIR
/tmp
<!-- gh-comment-id:352436427 --> @Vincent43 commented on GitHub (Dec 18, 2017): I investigated further and it seems that `noroot` option breaks TMPDIR: ``` firejail --noprofile --noroot --env=TMPDIR=/tmp bash Parent pid 6479, child pid 6480 Child process initialized in 18.72 ms $ echo $TMPDIR firejail --noprofile --env=TMPDIR=/tmp bash Parent pid 6536, child pid 6537 Child process initialized in 21.94 ms $ echo $TMPDIR /tmp ``` ``` $ firejail --noprofile --debug --noroot --env=TMPDIR=/tmp bash Autoselecting /usr/bin/zsh as shell Building quoted command line: 'bash' Command name #bash# DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 6769, child pid 6770 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp.postexec file Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Cleaning /home directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /home/john/.config/firejail Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/x11 Remounting /proc and /proc/sys filesystems Remounting /sys directory Disable /sys/firmware Disable /sys/module Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/config.gz Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /sys/fs Current directory: /home/john DISPLAY=:0 parsed as 0 Seccomp files: -rw-r--r-- 1 john users 1104 Dec 18 15:20 /run/firejail/mnt/seccomp -rw-r--r-- 1 john users 808 Dec 18 15:20 /run/firejail/mnt/seccomp.32 -rw-r--r-- 1 john users 824 Dec 18 15:20 /run/firejail/mnt/seccomp.64 -rw-r--r-- 1 john users 0 Dec 18 15:20 /run/firejail/mnt/seccomp.postexec -rw-r--r-- 1 john users 0 Dec 18 15:20 /run/firejail/mnt/seccomp.protocol noroot user namespace installed starting application LD_PRELOAD=(null) Running 'bash' command through /usr/bin/zsh execvp argument 0: /usr/bin/zsh execvp argument 1: -c execvp argument 2: 'bash' Child process initialized in 33.35 ms bash-4.4$ monitoring pid 3 echo $TMPDIR ``` ``` firejail --noprofile --debug --env=TMPDIR=/tmp bash Autoselecting /usr/bin/zsh as shell Building quoted command line: 'bash' Command name #bash# DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 7096, child pid 7097 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp.postexec file Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Cleaning /home directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /home/john/.config/firejail Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/x11 Remounting /proc and /proc/sys filesystems Remounting /sys directory Disable /sys/firmware Disable /sys/module Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/config.gz Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /sys/fs Current directory: /home/john DISPLAY=:0 parsed as 0 Seccomp files: -rw-r--r-- 1 john users 1104 Dec 18 15:26 /run/firejail/mnt/seccomp -rw-r--r-- 1 john users 808 Dec 18 15:26 /run/firejail/mnt/seccomp.32 -rw-r--r-- 1 john users 824 Dec 18 15:26 /run/firejail/mnt/seccomp.64 -rw-r--r-- 1 john users 0 Dec 18 15:26 /run/firejail/mnt/seccomp.postexec -rw-r--r-- 1 john users 0 Dec 18 15:26 /run/firejail/mnt/seccomp.protocol Username john, groups 100, 9, 12, 28, 76, 120, 300, 999, 988, starting application LD_PRELOAD=(null) Running 'bash' command through /usr/bin/zsh execvp argument 0: /usr/bin/zsh execvp argument 1: -c execvp argument 2: 'bash' Child process initialized in 32.06 ms [john@machine ~]$ monitoring pid 3 echo $TMPDIR /tmp ```
gitea-mirror commented 2026-05-05 07:31:15 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Dec 18, 2017):

The problem seems to be --noprofile, without it works fine:

$ firejail --quiet --noroot --env=TMPDIR=/tmp bash
[netblue@debian nodejs]$ echo $TMPDIR
/tmp

I'll try to find out what's going on, thanks for the bug!

<!-- gh-comment-id:352458082 --> @netblue30 commented on GitHub (Dec 18, 2017): The problem seems to be --noprofile, without it works fine: ````` $ firejail --quiet --noroot --env=TMPDIR=/tmp bash [netblue@debian nodejs]$ echo $TMPDIR /tmp ````` I'll try to find out what's going on, thanks for the bug!
gitea-mirror commented 2026-05-05 07:31:17 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Dec 18, 2017):

@netblue30 : But as mentioned here the problem also exists with a profile.

<!-- gh-comment-id:352461014 --> @curiosity-seeker commented on GitHub (Dec 18, 2017): @netblue30 : But as mentioned [here](https://github.com/netblue30/firejail/issues/1594#issuecomment-352261883) the problem also exists with a profile.
gitea-mirror commented 2026-05-05 07:31:20 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Dec 18, 2017):

For me it also happens when noroot is set in profile. That's why my first report was based on default.profile which has noroot enabled.

<!-- gh-comment-id:352469734 --> @Vincent43 commented on GitHub (Dec 18, 2017): For me it also happens when `noroot` is set in profile. That's why my first report was based on default.profile which has `noroot` enabled.
gitea-mirror commented 2026-05-05 07:31:21 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Dec 18, 2017):

I'm seeing this too with --noroot:

$ firejail --quiet --noroot --noprofile --env=TMPDIR=/tmp bash
[fred@storm ~]$ echo $TMPDIR


$ firejail --quiet --noprofile --env=TMPDIR=/tmp bash
[fred@storm ~]$ echo $TMPDIR
/tmp

Arch, running firejail built from latest code on GitHub today.

<!-- gh-comment-id:352516306 --> @Fred-Barclay commented on GitHub (Dec 18, 2017): I'm seeing this too with `--noroot`: ``` $ firejail --quiet --noroot --noprofile --env=TMPDIR=/tmp bash [fred@storm ~]$ echo $TMPDIR ``` ``` $ firejail --quiet --noprofile --env=TMPDIR=/tmp bash [fred@storm ~]$ echo $TMPDIR /tmp ``` Arch, running firejail built from latest code on GitHub today.
gitea-mirror commented 2026-05-05 07:31:23 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Mar 31, 2018):

I just ran across this same issue. Do we know what's causing it?

<!-- gh-comment-id:377717058 --> @chiraag-nataraj commented on GitHub (Mar 31, 2018): I just ran across this same issue. Do we know what's causing it?
gitea-mirror commented 2026-05-05 07:31:24 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 1, 2018):

Someone would have to bisect this between 0.9.50 and 0.9.52.

<!-- gh-comment-id:377801065 --> @Vincent43 commented on GitHub (Apr 1, 2018): Someone would have to bisect this between 0.9.50 and 0.9.52.
gitea-mirror commented 2026-05-05 07:31:25 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 1, 2018):

Hmm, I tested all firejail versions since 0.9.46 and could reproduce this issue in all of them. That means it isn't related to firejail. I read that glibc blocks passing TMPDIR variable for setuid apps but then it should do it without noroot as well, which isn't the case.

This issue is reproducible on Archlinux, don't know about other distros. It could be tied to some specific config or system packages versions.

<!-- gh-comment-id:377807856 --> @Vincent43 commented on GitHub (Apr 1, 2018): Hmm, I tested all firejail versions since 0.9.46 and could reproduce this issue in all of them. That means it isn't related to firejail. I read that [glibc blocks passing TMPDIR variable for setuid apps](https://serverfault.com/questions/478741/sudo-does-not-preserve-tmpdir) but then it should do it without `noroot` as well, which isn't the case. This issue is reproducible on Archlinux, don't know about other distros. It could be tied to some specific config or system packages versions.
gitea-mirror commented 2026-05-05 07:31:27 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Apr 7, 2018):

I'm having the issue on Debian as well, so I don't think it's distro-specific. How can I further help debug this?

<!-- gh-comment-id:379490247 --> @chiraag-nataraj commented on GitHub (Apr 7, 2018): I'm having the issue on Debian as well, so I don't think it's distro-specific. How can I further help debug this?
gitea-mirror commented 2026-05-05 07:31:28 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 9, 2018):

It's fixed on my machine with bbaba69f23

<!-- gh-comment-id:379859869 --> @Vincent43 commented on GitHub (Apr 9, 2018): It's fixed on my machine with https://github.com/netblue30/firejail/commit/bbaba69f23ae9e181677044b5afb8c29b3eb83b5
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1137
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?