[GH-ISSUE #1817] Error running ssh commands with arguments #1236

Closed
opened 2026-05-05 07:42:03 -06:00 by gitea-mirror · 22 comments

Originally created by @chtaylo2 on GitHub (Mar 16, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1817

This might have been on the radar a couple years back: https://github.com/netblue30/firejail/issues/719

I'm trying to allow ssh login w/ a firejail shell and run commands with arguments.
i.e.: `mkdir -p /var/crash`

Both of these are not working:
`ssh test@0 "mkdir -p /var/crash"`
`firejail -c "mkdir -p /var/crash"`

```
[root@centos users]# firejail --version
firejail version 0.9.44.10
[root@netdump-poc-01 users]# firejail -c "mkdir -p /var/crash"
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable server.profile **

/bin/bash: mkdir -p /var/crash: No such file or directory
```

Are there any suggested workarounds for this?

gitea-mirror 2026-05-05 07:42:03 -06:00
  • closed this issue
  • added the bug label

@netblue30 commented on GitHub (Mar 25, 2018):

Just to understand the problem. I have user test set with /usr/bin/firejail shell in /etc/passwd. I try to:

```
$ ssh test@0 "mkdir -p ~/crash"
```

In my case it does nothing after login, just sits there. Is this your setup?


@chtaylo2 commented on GitHub (Mar 26, 2018):

I have the same setup with /usr/bin/firejail as the shell in /etc/passwd. However, on ssh login, I get:

"/bin/bash: mkdir -p ~/crash: No such file or directory"

If I run something like "uname" I get a valid response. It's only running commands with arguments.


@chiraag-nataraj commented on GitHub (Mar 29, 2018):

Try without the quotes. `firejail -c mkdir -p ~/crash` worked just fine for me right here (note that `firejail -c mkdir -p /var/crash` gave me `mkdir: cannot create directory ‘/var/crash’: Read-only file system` as expected).


@chiraag-nataraj commented on GitHub (Mar 29, 2018):

If there is a potential ambiguity, you can use `firejail -c -- program [args]` to ensure all other arguments are passed to the program.


@chtaylo2 commented on GitHub (Mar 30, 2018):

You're correct on the quotes with -c. It works once you remove the quotes.

```
[root@netdump-poc-01 ~]# firejail --profile=/etc/firejail/default.profile -c touch ~/LOCAL_FILE
[root@netdump-poc-01 ~]# ls -al ~/LOCAL_FILE
-rw-r--r-- 1 root root 0 Mar 30 17:53 /root/LOCAL_FILE
```

However, doing this through an SSH session it does fail. Below is a snippet:

```
[root@vm-client ~]# ssh -qv netdump@netdump-poc-01 -i /etc/kdump_id_rsa touch /tmp/FROM_REMOTE
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
.....
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: touch /tmp/FROM_REMOTE
/bin/bash: touch /tmp/FROM_REMOTE: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2880, received 3756 bytes, in 0.1 seconds
Bytes per second: sent 36638.8, received 47783.1
debug1: Exit status 127
[root@vm-client ~]#
```

@chiraag-nataraj commented on GitHub (Mar 30, 2018):

Hmmm...I tried running `*chiraag@chiraag@14:05:+31%:~ $ ssh -qv localhost /usr/bin/firejail touch /tmp/test` and it worked:

```
...
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: /usr/bin/firejail touch /tmp/test
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2248, received 2292 bytes, in 0.2 seconds
Bytes per second: sent 12132.4, received 12369.9
debug1: Exit status 0
*chiraag@chiraag@14:05:+31%:~ $ ls -la /tmp/test
-rw-r--r-- 1 chiraag chiraag 0 Mar 30 14:05 /tmp/test
```

I didn't directly test the case where firejail is my shell, but wouldn't this effectively be what it runs? If not, this should hopefully help bisect the problem.


@chtaylo2 commented on GitHub (Mar 30, 2018):

Agreed. I just ran with a different user, with /bin/bash as the shell and it worked.

```
ssh -qv netdump3@netdump-poc-01 -i /etc/kdump_id_rsa /usr/bin/firejail --profile=/etc/firejail/default.profile -c touch /users/netdump3/FROM_REMOTE_3
.....
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: /usr/bin/firejail --profile=/etc/firejail/default.profile -c touch /users/netdump3/FROM_REMOTE_3
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2952, received 3672 bytes, in 0.1 seconds
Bytes per second: sent 31848.4, received 39616.3
debug1: Exit status 0
```

So looks to be something with how it interprets commands passed over SSH.


@dmio commented on GitHub (May 21, 2018):

It's similar to https://github.com/netblue30/firejail/issues/887


@chtaylo2 commented on GitHub (Aug 9, 2018):

Any chance on getting this fixed?


@chiraag-nataraj commented on GitHub (Aug 12, 2018):

I'm going to mess around with my Debian VM to figure out what's going on and if I can replicate.


@Gimly86 commented on GitHub (Aug 22, 2018):

Hello,

Same problem here, in remote SSH access or in local access the arguments are not working:

```
seccomp filter configured
noroot user namespace installed
Dropping all capabilities
Drop privileges: pid 1, uid 1002, gid 1002, nogroups 0
starting application
LD_PRELOAD=(null)
Running 'ls -alh'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'ls -alh' 
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.32 seccomp filter
/bin/bash: ls -alh : command not found
monitoring pid 113
```

Firejail version : 0.9.56~rc1-1
O/S : Debian 9.4
Kernel : 4.9.0-6-amd64 (Debian)

Thanks in advance for your next fix !
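
Added example (not part of the thread and not firejail code): a model of what the `--debug` trace above shows, where the command string reaches `/bin/bash -c` wrapped in quotes as a single word. The function names are hypothetical and the sample commands are constructed; it also shows why `uname` works while commands with arguments fail.

```shell
#!/bin/sh
# Added illustration, not firejail source. Models the two ways a wrapper used
# as a login shell can forward sshd's "-c <command string>" to /bin/bash.
# Function names are hypothetical; inputs are constructed sample commands
# and must not contain single quotes.

# Mirrors the --debug trace: the string reaches bash wrapped in quotes, so
# bash parses it as ONE word and treats the whole line as a program name.
status_single_word() {
    bash -c "'$1'" >/dev/null 2>&1 && echo 0 || echo $?
}

# Forwards the string unchanged: bash splits it into program + arguments.
status_command_string() {
    bash -c "$1" >/dev/null 2>&1 && echo 0 || echo $?
}

# Print both exit statuses for one command line.
compare() {
    printf '%-12s single_word=%s command_string=%s\n' \
        "$1" "$(status_single_word "$1")" "$(status_command_string "$1")"
}

compare "uname"      # no arguments: the quoted word is still a valid program name
compare "ls -alh"    # no slash: bash searches PATH for "ls -alh" -> command not found
compare "ls -alh /"  # contains a slash: bash tries it as a path -> No such file or directory
```

Both failing cases exit with status 127, the same status the `ssh -v` output earlier in the thread reports; the two different error messages depend only on whether the command line contains a slash.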


@chiraag-nataraj commented on GitHub (Aug 22, 2018):

Yeah, this is definitely a bug (I just replicated in my VM). Probably related to #1644 as well.


@chiraag-nataraj commented on GitHub (Aug 22, 2018):

I'm actually getting a hang when I try to actually run a program, and `--debug` isn't working as an argument. There's something really wrong going on with argument parsing when `firejail` is used as the shell.


@chiraag-nataraj commented on GitHub (Aug 22, 2018):

Shit. I see what's happening. The problem seems to be that since `argc != 1`, `login_shell` is never set to `1`, which breaks a ton of things.


@chiraag-nataraj commented on GitHub (Sep 28, 2018):

@netblue30 We should probably look into this. `firejail`-as-shell seems to be pretty broken currently (unless this was fixed in 0.9.56... @chtaylo2?)


@chtaylo2 commented on GitHub (Oct 16, 2018):

@chiraag-nataraj @netblue30 - Hey, I checked the new version and it doesn't fix the above issue. Same thing is happening.

Thanks


@Gimly86 commented on GitHub (Nov 27, 2018):

Hello dev team,

Any news on this issue?

Thank you :)


@thsharp commented on GitHub (May 1, 2019):

Even with the recent updates to the repo, I'm still seeing this issue.
Is there a plan for getting this fixed?
Thanks!


@sgoundla commented on GitHub (Nov 26, 2019):

Hello... is there any update/plan on this getting fixed? Thanks.


@hiteshrp commented on GitHub (Jul 24, 2020):

Well it's more than 6 months since last comment. Any update on this issue? When will fix be available?


@jsquyres commented on GitHub (Jun 2, 2021):

See #4326 for a possible solution.


@rusty-snake commented on GitHub (Jun 10, 2021):

This issue is fixed by #4326 as I understand.

Reference: github-starred/firejail#1236