github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1902] firecfg and user restrictions #1279

New issue
Closed
opened 2026-05-05 07:46:54 -06:00 by gitea-mirror · 3 comments
gitea-mirror commented 2026-05-05 07:46:54 -06:00
Owner
Copy link

Originally created by @reinerh on GitHub (Apr 22, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1902

Installing firejail symlinks in /usr/local/bin with firecfg and having user restrictions does not play well together.
/usr/local/bin is normally in the PATH of every user, so if there is a symlink to a firejailed program, this program is started through firejail.
But if also a user restriction is active and the user is not in the allowed list, the programs refuse to start.

(For example someone upgrades firejail from the previous version and already has symlinks installed and allows a single user for firejail usage, the other system users have to workaround calling firejail by removing /usr/local/bin from their PATH (which might be undesirable because of other legitimate programs in there).)

To make this more graceful, could firejail instead of denying to run the program just drop all privileges and run the program unjailed, if it's called via symlinks and the user is not in the whitelist (and maybe also print a warning that the program is run unjailed)?
Or otherwise at least print a noticable warning when running firecfg that users not in the whitelist will have issues running the symlinked programs.

Originally created by @reinerh on GitHub (Apr 22, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1902 Installing firejail symlinks in /usr/local/bin with firecfg and having user restrictions does not play well together. /usr/local/bin is normally in the PATH of every user, so if there is a symlink to a firejailed program, this program is started through firejail. But if also a user restriction is active and the user is not in the allowed list, the programs refuse to start. (For example someone upgrades firejail from the previous version and already has symlinks installed and allows a single user for firejail usage, the other system users have to workaround calling firejail by removing /usr/local/bin from their PATH (which might be undesirable because of other legitimate programs in there).) To make this more graceful, could firejail instead of denying to run the program just drop all privileges and run the program unjailed, if it's called via symlinks and the user is not in the whitelist (and maybe also print a warning that the program is run unjailed)? Or otherwise at least print a noticable warning when running firecfg that users not in the whitelist will have issues running the symlinked programs.
gitea-mirror commented 2026-05-05 07:47:05 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Apr 22, 2018):

Yes, my only concern is that a user won't notice the warning resulting in them thinking their programs are sandboxed. How would we ensure the user knows when launching through their DE and not a terminal?

<!-- gh-comment-id:383368486 --> @SkewedZeppelin commented on GitHub (Apr 22, 2018): Yes, my only concern is that a user won't notice the warning resulting in them thinking their programs are sandboxed. How would we ensure the user knows when launching through their DE and not a terminal?
gitea-mirror commented 2026-05-05 07:47:07 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Apr 22, 2018):

I agree it's not the best solution.
And now that you mention it, what about users that have private symlinks in their home directory to firejail? They might not notice that the firejail protection is suddenly no longer there.

<!-- gh-comment-id:383368731 --> @reinerh commented on GitHub (Apr 22, 2018): I agree it's not the best solution. And now that you mention it, what about users that have private symlinks in their home directory to firejail? They might not notice that the firejail protection is suddenly no longer there.
gitea-mirror commented 2026-05-05 07:47:08 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Apr 23, 2018):

I have a fix in: 90877c63ee

It will attempt to run the program without sandboxing if the user is not in the list.

<!-- gh-comment-id:383578799 --> @netblue30 commented on GitHub (Apr 23, 2018): I have a fix in: https://github.com/netblue30/firejail/commit/90877c63eecf5e161c86df6b0c62006029e2677e It will attempt to run the program without sandboxing if the user is not in the list.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1279
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?