[GH-ISSUE #1729] Frequent permission errors with firejail #1169

Closed
opened 2026-05-05 07:34:52 -06:00 by gitea-mirror · 20 comments

Originally created by @ghost on GitHub (Jan 13, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1729

While working with firejail I often see my apps (steam, wine stuff) crash due to permission errors. From the outside I own the files, but when I enter the sandbox with bash I can see that a lot of files and folders are randomly owned by 'root' or 'nobody'. I've never run firejail with root or changed the owner of these containers. This is a fatal error because I can't change the owner from the inside, so I need to delete the files.
I've seen the errors happening from 0.9.44 to 0.9.52 on Arch and Manjaro too.


@chiraag-nataraj commented on GitHub (Jan 13, 2018):

Can you give a minimum working example? When I try `firejail bash`, I get put back in my home directory with all of the files owned by me. When I try `firejail --private-home=Downloads` (as an example), I get back a new home directory with all of the files owned by me.

What profile(s) do you see this with? Maybe there's something in common with all of them that will help us figure out what's going on.


@ghost commented on GitHub (Jan 13, 2018):

This won't happen on first try! firejail does work properly for me most of the time. I'm using steam and steam+wine in firejail and this is a once-in-a-month issue. I don't know what triggers it.


@chiraag-nataraj commented on GitHub (Jan 13, 2018):

Hmm, darn. And you only see this in one profile? Or is that the only profile you (regularly) use?


@ghost commented on GitHub (Jan 13, 2018):

No, I've had this happen with multiple profiles(folders) with the steam and wine profiles. I usually need to delete most of the files because I can't use them anyway.


@chiraag-nataraj commented on GitHub (Jan 13, 2018):

> No, I've had this happen with multiple profiles(folders) with the steam and wine profiles.

I see. To clarify, the first "profiles" ("multiple profiles") refers to _Steam_ profiles, right? (I don't really use Steam, so I have no idea how the terminology works).

> I usually need to delete most of the files because I can't use them anyway.

What do you mean? Which files? The profiles firejail installs?


@ghost commented on GitHub (Jan 13, 2018):

This won't happen on first try! firejail does work properly for me most of the time. I'm using steam and steam+wine in firejail and this is a once-in-a-month issue. I don't know what triggers it.


@Fred-Barclay commented on GitHub (Jan 13, 2018):

Do you ever do something like `sudo steam` or `sudo wine`? (Or `sudo firejail steam` or `sudo firejail wine`, for that matter?)


@ghost commented on GitHub (Jan 13, 2018):

@chiraag-nataraj by profile folder I mean I use steam like this: `firejail --private=~/.apps/Steam steam` and wine+steam like this: `firejail --private=~/.apps/Wine wine ".wine/dosdevices/c:/Program Files/Steam/Steam.exe"`. So the profiles are folders containing 'faked' home folders.


@chiraag-nataraj commented on GitHub (Jan 13, 2018):

@trialism Ah okay, that makes more sense. Which files get weird permissions? The files in those folders? Other random files?


@ghost commented on GitHub (Jan 13, 2018):

@Fred-Barclay never, I don't use sudo and I only use the root account with pacman and to edit files which require a privilege. I always run firejail with the desktop icons, unless it doesn't start then I start a new terminal for debugging.


@ghost commented on GitHub (Jan 13, 2018):

@chiraag-nataraj it's random I guess. For example with this case: `.bash_history`, `.nv`, `.wine` and the parent dir `..` are owned by 'nobody' and the rest is on my user.


@chiraag-nataraj commented on GitHub (Jan 13, 2018):

So the parent dir being owned by 'nobody' makes sense. But the rest does not. @netblue30, any idea why this might happen?


@chiraag-nataraj commented on GitHub (Sep 28, 2018):

@trialism Is this still an issue for you?


@ghost commented on GitHub (Oct 4, 2018):

@chiraag-nataraj I don't use firejail anymore.


@jcaesar commented on GitHub (Apr 14, 2019):

It's still an issue for me. I can reproduce it by running `firejail --private=$HOME/.bla`, then running weechat in there, exiting weechat and the shell in the jail, and then entering the jail again.

@chiraag-nataraj Can I ask you to reopen this?

([Edit:] It is possible that my problem is a different one / lack of understanding of the docs. I've moved the .weechat directory in the private directory to a different name and the permission was fixed.)


@rusty-snake commented on GitHub (Apr 14, 2019):

Can reproduce with e.g. ghostwriter.

`$` normal shell
`%` shell in FJ

```
$ mkdir t
$ firejail --private=$HOME/t
% ghostwriter
% ls -l .config
drwxr-xr-x MYUSER … ghostwriter
$ ls -l .config
drwxr-xr-x MYUSER … ghostwriter
$ firejail --private=$HOME/t
% ls -l .config
dr-------- nobody  nobody  … ghostwriter
$ firejail --private=$HOME/t --noprofile
% ls -l .config
drwxr-xr-x MYUSER … ghostwriter
$ firejail --private=$HOME/t --profile=/etc/firejail/disable-programs.inc
% ls -l .config
dr-------- root  root … ghostwriter
```

@jcaesar also with `firejail --private=$HOME/.bla --noprofile`?

It looks like only files that have been blacklisted (in `disable-common.inc` or `disable-programs.inc`) are affected. To fix, use `--noblacklist` or for example with weechat `firejail --private=$HOME/.bla --profile=/etc/firejail/weechat.profile`.
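
Added example (not part of the original thread or of the firejail project): a small shell helper that lists which entries of a `--private` directory an include file would blacklist, which is the condition the comment above ties to the `nobody`/`root` ownership. It assumes entries of the form `blacklist ${HOME}/path`; the function names, the sample include file and the directory layout are constructed for illustration.

```shell
#!/bin/sh
# Print paths (relative to the private home) that exist in PRIVATE_DIR and
# are named by "blacklist ${HOME}/..." lines in the given include files.
blacklisted_in_private() {
    private_dir=$1; shift
    # Keep only blacklist lines rooted at ${HOME}; "noblacklist" lines,
    # comments and absolute paths do not match and are dropped.
    sed -n 's|^[[:space:]]*blacklist[[:space:]][[:space:]]*\${HOME}/||p' "$@" |
    while IFS= read -r rel; do
        (
            cd "$private_dir" || exit 1
            IFS=    # no word splitting, but globs in the entry still expand
            for match in $rel; do
                if [ -e "$match" ] || [ -L "$match" ]; then
                    printf '%s\n' "$match"
                fi
            done
        )
    done
}

# Constructed demonstration: a fake private home and a sample include file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/private/.config/ghostwriter" \
             "$tmp/private/.weechat" "$tmp/private/Documents"
    cat > "$tmp/sample.inc" <<'EOF'
# constructed sample, not the real /etc/firejail/disable-programs.inc
blacklist ${HOME}/.config/ghostwriter
blacklist ${HOME}/.weechat
blacklist ${HOME}/.config/notinstalled
blacklist /usr/bin/example
noblacklist ${HOME}/Documents
EOF
    blacklisted_in_private "$tmp/private" "$tmp/sample.inc"
    rm -rf "$tmp"
}

demo
```

Against a real setup, pass the private directory and the include files from `/etc/firejail/`; each path printed is a candidate for `--noblacklist=PATH` or for running with the program's own profile.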


@jcaesar commented on GitHub (Apr 14, 2019):

@rusty-snake Using the weechat profile indeed fixes the permission. (My firejail has no `--noblacklist`.) So maybe it's a different bug than the one @trialism saw.


@rusty-snake commented on GitHub (Apr 14, 2019):

@jcaesar I think your FJ has `--noblacklist`, but maybe we'll just talk a little bit past it, I meant that you `--noblacklist=PATH` (where PATH are the files with permission error / See `man firejail` for `--noblacklist`).


@rusty-snake commented on GitHub (Apr 14, 2019):

> So maybe it's a different bug than the one @trialism saw.

Because of the `nobody` and `root`, this sounds like blacklisting to me.
@jcaesar if it was only that :) I would close again.


@jcaesar commented on GitHub (Apr 15, 2019):

> I think your FJ has --noblacklist

Ah, the error message confused me.

```
$ firejail --noblacklist
Error: invalid --noblacklist command line option
$ firejail --thisreallydoesntexist
Error: invalid --thisreallydoesntexist command line option
```

So yeah, please close.
