[GH-ISSUE #1782] Make ~/.bashrc read only? #1205

Closed
opened 2026-05-05 07:39:07 -06:00 by gitea-mirror · 12 comments

Originally created by @tehpenguin on GitHub (Feb 21, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1782

I am trying to make bashrc read only to prevent attacks from the bashbunny sudo grabber script. I edited /etc/firejail/firejail.config and added "read-only ~/.bashrc" to the end of the file. I am unable to open any applications and it gives an error code at that line. What is the best way to go about making bashrc and .config read only?

@Vincent43 commented on GitHub (Feb 21, 2018):

`/etc/firejail/firejail.config` is used to configure firejail itself. You can only change options which are already listed there. Don't add anything which isn't listed.

To configure running apps you can create/modify `/etc/firejail/<app-name>.profile`, `/etc/firejail/<app-name>.local` or `~/.config/firejail/<app-name>.profile`. So put `read-only ~/.bashrc` into one of those locations.

Also `read-only ~/.bashrc` is already covered in [/etc/disable-common.inc](https://github.com/netblue30/firejail/blob/master/etc/disable-common.inc#L192). So you can add the line `include /etc/disable-common.inc` to your app profile instead.

Alternatively you can run it from the command line directly: `firejail <app-name>` - it will use [default.profile](https://github.com/netblue30/firejail/blob/master/etc/default.profile), which has the `include /etc/disable-common.inc` option already covered (among others), or: `firejail --noprofile --read-only=~/.bashrc <app-name>`.

@tehpenguin commented on GitHub (Feb 21, 2018):

Thank you Vincent43, this is exactly what I was looking for! A few more questions if you don't mind. What's the difference between using `/etc/firejail/<app-name>.profile`, `/etc/firejail/<app-name>.local` or `~/.config/firejail/<app-name>.profile`? Will they all work the same? Also, do I have to add that for every app or is there a way to apply disable-common.inc to everything?

@Vincent43 commented on GitHub (Feb 21, 2018):

`/etc/firejail/<app-name>.profile` files are officially provided by the firejail package and maintained here at GitHub. They will be overwritten at every firejail update, so it isn't advised to modify them.

`/etc/firejail/<app-name>.local` files are used as local **additions** on top of official firejail profiles. If you want to add/remove something to an official profile which is already provided by firejail you can do it here. `.local` files don't exist by default, so you have to create them first.

`~/.config/firejail/<app-name>.profile` files can be used as a **replacement** for official profiles (they will override the profile config with the same name in `/etc/firejail/`) or for creating new profiles for apps which don't exist yet in firejail.

`/etc/disable-common.inc` is already included in most firejail profiles (if it isn't, it usually means it breaks the app), so you don't have to add it to official profiles. For new profiles you can add an `include /etc/disable-common.inc` or `read-only=~/.bashrc` line to their `.profile`.

If you want to add some non-standard option to all profiles (e.g. apparmor) you can create `/etc/firejail/globals.local` and add your desired modifications there. All official firejail profiles have an `include /etc/firejail/globals.local` line and will use these modifications automatically. For new profiles add an `include /etc/firejail/globals.local` line to their `.profile`.
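
The layering described in the comment above (shipped profile, `.local` additions, user-directory replacement, `globals.local`) is easy to get wrong, and the only real check is to look at the directives that end up in effect. The script below is an added example, not code from firejail or from anyone in this thread: a small include resolver that works on a scratch copy of the two profile directories, so it runs without firejail installed. It assumes that `~/.config/firejail/<app>.profile` takes precedence over `/etc/firejail/<app>.profile`, that a bare `include foo` is looked up in the user directory first and then the system directory, that a missing include (an absent `.local` file) is silently skipped, and that `${HOME}` in a directive is expanded. Two facts worth knowing while reading it: the installed include lives at `/etc/firejail/disable-common.inc` (the repository path `etc/disable-common.inc` is where the `/etc/disable-common.inc` spelling in the thread comes from), and the profile-file syntax is `read-only PATH`; the `--read-only=PATH` form with `=` is the command-line flag only. The fixture files are constructed stand-ins, reduced to the lines that matter.

```shell
#!/bin/sh
# Added example (not firejail's own code): resolve an app's effective firejail
# profile across the user and system directories and check a directive.
# Assumptions (see lead-in): user dir wins over system dir, bare includes are
# searched user-then-system, missing includes are skipped, ${HOME} is expanded.

set -eu

FJ_SYS="${FJ_SYS:-$(mktemp -d)}"     # stands in for /etc/firejail
FJ_USER="${FJ_USER:-$(mktemp -d)}"   # stands in for ~/.config/firejail
FJ_HOME="${HOME:-/home/user}"

# Locate a profile or include file: user directory wins over system directory.
fj_find() {
    case $1 in
        /*) [ -f "$1" ] && { printf '%s\n' "$1"; return 0; } ;;
        *)  for d in "$FJ_USER" "$FJ_SYS"; do
                [ -f "$d/$1" ] && { printf '%s\n' "$d/$1"; return 0; }
            done ;;
    esac
    return 1
}

# Recursively expand include lines and print every remaining directive.
fj_resolve() {
    f=$(fj_find "$1") || return 0      # optional include that does not exist
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)     ;;                                # blank or comment
            include\ *)  fj_resolve "${line#include }" ;;  # recurse into include
            *)           printf '%s\n' "$line" ;;
        esac
    done < "$f"
}

# Effective directives for an app, with ${HOME} expanded (plain string replace, no regex).
fj_effective() {
    fj_resolve "$1.profile" | awk -v h="$FJ_HOME" '
        { while ((i = index($0, "${HOME}")) > 0)
              $0 = substr($0, 1, i - 1) h substr($0, i + 7)
          print }'
}

# 0 if the effective profile for APP makes PATH read-only, else 1.
fj_is_readonly() {   # $1 = app name, $2 = absolute path
    fj_effective "$1" | grep -qxF "read-only $2"
}

# Constructed fixture: reduced stand-ins for the real files, not their full content.
fj_fixture() {
    cat > "$FJ_SYS/disable-common.inc" <<'EOF'
# subset of /etc/firejail/disable-common.inc
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
EOF
    cat > "$FJ_SYS/default.profile" <<'EOF'
include default.local
include globals.local
include disable-common.inc
EOF
    cat > "$FJ_SYS/mate-terminal.profile" <<'EOF'
# shipped by the package, overwritten on update: do not edit
include mate-terminal.local
include globals.local
EOF
    # Local additions on top of the shipped profile: the right place for this policy.
    printf 'include disable-common.inc\n' > "$FJ_SYS/mate-terminal.local"
    # Applied to every profile that includes globals.local.
    printf 'read-only ${HOME}/.config\n' > "$FJ_SYS/globals.local"
}

fj_fixture
fj_effective mate-terminal
```

Run it against the real directories with `FJ_SYS=/etc/firejail FJ_USER=$HOME/.config/firejail` (skip the `fj_fixture` call). The point the resolver makes visible is that a file in `~/.config/firejail/` replaces the shipped profile wholesale: if that replacement does not itself include `mate-terminal.local` or `disable-common.inc`, the `read-only` line you put in `.local` never takes effect.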

@tehpenguin commented on GitHub (Feb 22, 2018):

Oh ok, that makes more sense. Thank you for your help. So I have copied `/etc/firejail/default.profile` to `~/.config/firejail/mate-terminal.profile` and it includes `/etc/disable-common.inc`. However I am still able to `nano ~/.bashrc`. Any idea what I am doing wrong?

@SkewedZeppelin commented on GitHub (Feb 22, 2018):

@tehpenguin does nano say `[ File '.bashrc' is unwritable ]`? Or are you actually able to save it and see the changes outside of the sandbox?

@tehpenguin commented on GitHub (Feb 22, 2018):

Changes are able to be saved. It will say it wrote 123 lines.

@tehpenguin commented on GitHub (Feb 22, 2018):

Which means it is still writable, even if it's contained in that sandbox.

@SkewedZeppelin commented on GitHub (Feb 22, 2018):

That is odd. What distro, kernel, and version of firejail are you running? Also, are you a standard user or are you root?

I'm not too sure what .bashrc has to do with a USB attack, but if your goal is to prevent USB attacks in general:

- Blacklist the cdc_ether, rndis_host, and usbnet modules
- Use the kernel.deny_new_usb sysctl in [linux-hardened](https://github.com/copperhead/linux-hardened) or [USBGuard](https://usbguard.github.io/)

@tehpenguin commented on GitHub (Feb 22, 2018):

I am using Parrot OS, kernel 4.14, unsure of the firejail version (not at my computer) but it's no older than December 2017. This is under a normal user.

@Vincent43 commented on GitHub (Feb 22, 2018):

Are you sure `mate-terminal` is started from firejail? How do you run `mate-terminal`? It should be: `firejail mate-terminal`. You can check with `firejail --list` (in another terminal) if it's contained. If you want to always run `mate-terminal` from firejail you can do: `sudo ln -s /usr/bin/firejail /usr/local/bin/mate-terminal` and make sure `mate-terminal` is executed as `mate-terminal`, not `/usr/bin/mate-terminal`.
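
Both pieces of advice in the comment above have a check attached that is easy to script. The block below is an added example, not code from firejail or from anyone in the thread. It assumes that `firejail --list` prints one sandbox per line in the form `PID:USER:NAME:COMMAND`, that the `/usr/local/bin` symlink trick only works when that directory is searched before `/usr/bin` in `PATH`, and that firejail exports `container=firejail` into the sandboxed environment. The `firejail --list` sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not firejail's own code): is the app really sandboxed, and
# will the symlink trick actually intercept it?
# Assumptions (see lead-in): --list prints PID:USER:NAME:COMMAND; the symlink
# only wins if its directory precedes /usr/bin in PATH; container=firejail is
# set inside a sandbox.

set -eu

# Constructed sample of `firejail --list` output (not captured from a real host).
FJ_SAMPLE_LIST='4121:alice::firejail mate-terminal
4388:alice:web:firejail --name=web firefox
5012:bob::firejail --noprofile --read-only=/home/bob/.bashrc mate-terminal'

# fj_sandboxed_pids LISTING APP: print the PID of every sandbox whose command runs APP.
fj_sandboxed_pids() {
    printf '%s\n' "$1" | awk -F: -v app="$2" '
        NF >= 4 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i   # command may itself contain ":"
            n = split(cmd, w, " ")
            for (i = 1; i <= n; i++) if (w[i] == app) { print $1; break }
        }'
}

# fj_path_shadows PATH DIR: 0 if DIR is searched before /usr/bin, i.e. a
# firejail symlink named after the app in DIR is what a bare "app" resolves to.
fj_path_shadows() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;
            *)   entry=$rest; rest= ;;
        esac
        [ "$entry" = "$2" ] && return 0
        [ "$entry" = /usr/bin ] && return 1
    done
    return 1
}

# fj_inside: 0 if the calling shell itself is running inside a firejail sandbox.
fj_inside() { [ "${container:-}" = firejail ]; }

# On a live host replace the sample with the real listing and your PATH:
#   fj_sandboxed_pids "$(firejail --list)" mate-terminal
#   fj_path_shadows "$PATH" /usr/local/bin
fj_sandboxed_pids "$FJ_SAMPLE_LIST" mate-terminal
```

If `fj_sandboxed_pids` prints nothing for the terminal you are typing in, the `read-only` directive was never applied and a successful `nano ~/.bashrc` is the expected outcome rather than a sandbox escape. `fj_inside` is the quick check from inside the window itself.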

@SkewedZeppelin commented on GitHub (Feb 22, 2018):

I've just tested this on ParrotOS Home and am still unable to reproduce it.

I know that they maintain their own patches for Firejail, but for the most part they seem to be fairly sane and don't change that much.

@idnovic commented on GitHub (Mar 2, 2018):

I was thinking, if he runs `nano XYZ & disown` is it still sandboxed???
I know it's off-topic, but Parrot launches custom-made scripts for most of their applications (application start from the start menu).
Maybe the terminal is also custom launched.