github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1683] Jailed node js development environment #1138

New issue
Closed
opened 2026-05-05 07:31:30 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 07:31:30 -06:00
Owner
Copy link

Originally created by @mvfcc on GitHub (Dec 18, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1683

Case:
Sandboxing untrusted node modules (npm, github and such) from harming other parts of the user space and system.

Lately I've started JS and wasm development. A lot of packages are not that popular (stars, reviews, issue trackers empty). I'm new to all this and can't review the code 'enough' to know that it will not do something evil (I'm a newbie coder). How can I sandbox node module so it will not do something like 'rm -rf /' or spy on me user data? Node and npm are by default installed as root (global).

Should I install node locally inside firejail private space? Don't know if files would be then available for editing them from outside of the jail with my IDE?

My question is how to do it right? There is no profile for node. I really don't have knowledge how should it be done. Please help.

Originally created by @mvfcc on GitHub (Dec 18, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1683 Case: Sandboxing untrusted node modules (npm, github and such) from harming other parts of the user space and system. Lately I've started JS and wasm development. A lot of packages are not that popular (stars, reviews, issue trackers empty). I'm new to all this and can't review the code 'enough' to know that it will not do something evil (I'm a newbie coder). How can I sandbox node module so it will not do something like 'rm -rf /' or spy on me user data? Node and npm are by default installed as root (global). Should I install node locally inside firejail private space? Don't know if files would be then available for editing them from outside of the jail with my IDE? My question is how to do it right? There is no profile for node. I really don't have knowledge how should it be done. Please help.
gitea-mirror 2026-05-05 07:31:30 -06:00
gitea-mirror commented 2026-05-05 07:31:35 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Dec 18, 2017):

Firejail can sandbox your node.js program when you run it. Installing a full development environment with all sort of modules and libraries you find on the web, in my opinion you are looking for trouble. A virtual machine should be better for this sort for setup.

I didn't play too much with node.js, only simple programs to see how is working. I am on a Debian stable and I installed nodejs (sudo apt-get install nodejs) from the official Debian repository. When I run my programs I prefix them with "firejail":

$ firejail nodejs program.js
<!-- gh-comment-id:352456333 --> @netblue30 commented on GitHub (Dec 18, 2017): Firejail can sandbox your node.js program when you run it. Installing a full development environment with all sort of modules and libraries you find on the web, in my opinion you are looking for trouble. A virtual machine should be better for this sort for setup. I didn't play too much with node.js, only simple programs to see how is working. I am on a Debian stable and I installed nodejs (sudo apt-get install nodejs) from the official Debian repository. When I run my programs I prefix them with "firejail": ````` $ firejail nodejs program.js `````
gitea-mirror commented 2026-05-05 07:31:36 -06:00
Author
Owner
Copy link

@Ferroin commented on GitHub (Dec 18, 2017):

Or, alternatively to a VM, get full-featured container software like Docker or LXC, and set things up there.

Firejail is designed for isolation of individual applications or services, not for creating whole systems. In theory, it should work for isolating chroot environments that you've created yourself using something like the following from the root of the chroot:

firejail chroot . /bin/bash

But that will need some custom profiles to work correctly, and will be no better in terms of isolation that just running a Docker or LXC container.

<!-- gh-comment-id:352481691 --> @Ferroin commented on GitHub (Dec 18, 2017): Or, alternatively to a VM, get full-featured container software like Docker or LXC, and set things up there. Firejail is designed for isolation of individual applications or services, not for creating whole systems. In theory, it should work for isolating chroot environments that you've created yourself using something like the following from the root of the chroot: firejail chroot . /bin/bash But that will need some custom profiles to work correctly, and will be no better in terms of isolation that just running a Docker or LXC container.
gitea-mirror commented 2026-05-05 07:31:39 -06:00
Author
Owner
Copy link

@mvfcc commented on GitHub (Dec 18, 2017):

First of all, thank you for your time and you great work on firejail, guys.
Your answers pointed me into some other, also interesting directions.

So if I may get my head around the concept.

I've got an npm package ABC (ie custom bundler or task runner) that I would like to run against some source code in one of a directories. I don't trust package ABC, because it got hooks that I do not understand (maybe evil, maybe not). I'm interested in reviewing my source code after the running the hook.
If I understand it right, npm, which is the binary I would like to use, cannot be run inside firejail in a 'mode of operation' that could provide enough protection that nothing will escape that directory (ie raze my $HOME or even system root folders).
Btw, I've said that node and npm are installed (on debian/ubuntu) witth sudo but now I see it's run without it - does it change anything?

<!-- gh-comment-id:352513301 --> @mvfcc commented on GitHub (Dec 18, 2017): First of all, thank you for your time and you great work on firejail, guys. Your answers pointed me into some other, also interesting directions. So if I may get my head around the concept. I've got an npm package ABC (ie custom bundler or task runner) that I would like to run against some source code in one of a directories. I don't trust package ABC, because it got hooks that I do not understand (maybe evil, maybe not). I'm interested in reviewing my source code after the running the hook. If I understand it right, npm, which is the binary I would like to use, cannot be run inside firejail in a 'mode of operation' that could provide enough protection that nothing will escape that directory (ie raze my $HOME or even system root folders). Btw, I've said that node and npm are installed (on debian/ubuntu) witth sudo but now I see it's run without it - does it change anything?
gitea-mirror commented 2026-05-05 07:31:40 -06:00
Author
Owner
Copy link

@Ferroin commented on GitHub (Dec 18, 2017):

It's not quite an issue of containment provided by firejail. The issue is that you need what essentially amounts to a full system to have a proper development environment that won't stomp on the rest of your system, which means you need to provide the functional equivalent of a full system. In other words, firejail provides that level of protection, but the way that it does so means it's likely to interfere with things you would normally run in a development environment.

In your case, installing package ABC may not even work inside firejail, especially if it has hooks that mess with the main system. That said, unless you have passwordless sudo set-up for your user, you are (probably) safe from such things (because it can only touch things that your user can touch).

<!-- gh-comment-id:352520223 --> @Ferroin commented on GitHub (Dec 18, 2017): It's not quite an issue of containment provided by firejail. The issue is that you need what essentially amounts to a full system to have a proper development environment that won't stomp on the rest of your system, which means you need to provide the functional equivalent of a full system. In other words, firejail provides that level of protection, but the way that it does so means it's likely to interfere with things you would normally run in a development environment. In your case, installing package ABC may not even work inside firejail, especially if it has hooks that mess with the main system. That said, unless you have passwordless sudo set-up for your user, you are (probably) safe from such things (because it can only touch things that your user can touch).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1138
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?