[GH-ISSUE #183] Pentadactylrc file is emptied #128

Closed
opened 2026-05-05 05:07:39 -06:00 by gitea-mirror · 11 comments

Originally created by @timokau on GitHub (Dec 4, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/183

Whenever I launch firejail with the firefox profile, my ~/.pentadacylrc file gets emptied (even if I just launch a shell instead of firefox). So for example:

```
echo "test" > ~/.pentadactylrc
firejail --profile=~/.config/firejail/firefox.profile
# in another shell (or after exiting firejail):
cat ~/.pentadactylrc # returns nothing, as the file is now empty
```

As far as I can tell this happens only with the pentadactylrc file. If I create a file called ~/testfile with some text in it and include it in the whitelist of the profile, that file doesn't get emptied.
I know this probably isn't enough info to tell what's causing this, but this is such a weird behaviour and I don't know what else might be helpful.

gitea-mirror closed this issue and added the bug label 2026-05-05 05:07:39 -06:00

@netblue30 commented on GitHub (Dec 4, 2015):

I think I have it fixed on the master branch. You need to add the following two lines to your firefox.profile file:

```
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
```

@timokau commented on GitHub (Dec 4, 2015):

Those lines are already there. Here's the complete profile (it should be pretty much identical with the default one):

```
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot
whitelist ~/.mozilla
#whitelist ~/Downloads
whitelist ~/.gtkrc-2.0
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/testfile
whitelist ~/.pentadactyl

# common
whitelist ~/.fonts
whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
```

I haven't tested it with the version from the master branch yet though (I'm running version 0.9.34). I'll do that tomorrow.


@timokau commented on GitHub (Dec 5, 2015):

It still happens on the latest git version. The same profile, the same pentadactylrc, still empty.


@netblue30 commented on GitHub (Dec 6, 2015):

I am not able to reproduce it:

```
$ echo "test" > ~/.pentadactylrc
$ firejail --profile=/etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3791, child pid 3792
Child process initialized
$ cat ~/.pentadactylrc
test
$ exit
exit

parent is shutting down, bye...
$ cat ~/.pentadactylrc
test
$ 
```

@timokau commented on GitHub (Dec 8, 2015):

For me, nothing has changed. I tried using the default firefox profile (the only thing I had changed was commenting out the Downloads directory, because it is symlinked to another hdd and firejail complains), but that gives the same results. Executing the exact same commands as you do after a fresh git build (firejail-git from the AUR):

```
$ echo "test" > ~/.pentadactylrc
$ firejail --profile=/etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Warning: user namespaces not available in the current kernel.
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 30144, child pid 30145
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized
$ cat ~/.pentadactylrc
$ exit
exit

parent is shutting down, bye...
$ cat ~/.pentadactylrc
$ 
```

~~Interestingly, even if I write something in the pentadactylrc file when in the firejail, it stays empty:~~ (See the edit below)

```
$ firejail --profile=/etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Warning: user namespaces not available in the current kernel.
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 30144, child pid 30145
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized
$ echo "test" > ~/.pentadactylrc
$ cat ~/.pentadactylrc
```

EDIT: Forget that, I must've made a typo. When trying to reproduce, changes made inside the firejail DO persist:

```
$firejail --profile=/etc/firejail/firefox.profile
...
$echo "test" > ~/.pentadactylrc
$cat ~/.pentadactylrc
test
$ exit
exit

parent is shutting down, bye...
$ cat ~/.pentadactylrc
test
```

Is there anything else I can do to clarify the problem?


@netblue30 commented on GitHub (Dec 8, 2015):

If ~/.pentadactylrc does not exist before you start the sandbox, the file will not get whitelisted. Files not whitelisted, or files in directories not whitelisted will be discarded when you exit the sandbox. I would say run firefox without the sandbox, so it will create ~/.pentadactylrc, and next time when you start the sandbox the file will be preserved.


@timokau commented on GitHub (Dec 9, 2015):

But the file does exist. I'm typing this in firefox with pentadactyl. And as I wrote in my previous posts, I even tried creating a dummy pentadactylrc (`echo test > ~/.pentdadactylrc`) before starting the sandbox (because I thought my pentadactylrc being symlinked might be the problem, which it apparently is not).


@netblue30 commented on GitHub (Dec 10, 2015):

I'll have to look into it, so far I couldn't reproduce it. Thanks.


@netblue30 commented on GitHub (Dec 29, 2015):

Can you please retest it on version 0.9.36. Thanks!


@netblue30 commented on GitHub (Dec 29, 2015):

I'll reopen the bug if necessary.


@timokau commented on GitHub (Dec 30, 2015):

The first few tries didn't work. But I can't reproduce that so I guess I must have made a mistake.
But now it works fine, thank you :)

The remaining problem (it's not really a problem for me, but I guess it isn't intentional) is:
When I symlink my `.pentadactylrc` to another file `symlink` and whitelist _both_ files, the pentadactylrc still gets emptied. However when I just whitelist one of the files it works.
That's not the same problem as before, because before it didn't work at all (even without symlinks).

Also not sure if it is intended but I think it's a bit odd that symlinks inside whitelisted directories have to be whitelisted separately in order to work. But that could as well be intended, I just wanted to point that out in case it isn't.

Thanks for your work!
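
A pre-flight check for the two conditions raised in this thread: a `whitelist` target that does not exist when the sandbox starts, and two `whitelist` entries that resolve to the same file through a symlink. This is an added example, not firejail code; the names `audit_whitelist` and `demo`, the sample home directory and the sample profile are constructed, and only the `~/` and `${HOME}/` path spellings seen in the profile above are expanded.

```shell
#!/bin/sh
# Pre-flight audit of the `whitelist` lines in a firejail profile (added example).
audit_whitelist() {            # usage: audit_whitelist PROFILE [HOME_DIR]
    profile=$1 home=${2:-$HOME} seen="" lit='${HOME}/'
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "whitelist "*) path=${line#whitelist } ;;
            *) continue ;;     # comments, includes, other directives
        esac
        case $path in          # the two home spellings used on this page
            "~/"*)    path=$home/${path#"~/"} ;;
            "$lit"*)  path=$home/${path#"$lit"} ;;
        esac
        if [ ! -e "$path" ]; then   # absent (or dangling link) at sandbox start
            echo "MISSING $path"; continue
        fi
        real=$(readlink -f -- "$path")
        # Has an earlier entry already resolved to this same file?
        prev=$(printf '%s\n' "$seen" | awk -F'|' -v r="$real" '$1 == r {print $2; exit}')
        if [ -n "$prev" ]; then echo "DUPLICATE $path == $prev"
        elif [ -L "$path" ]; then echo "SYMLINK $path -> $real"
        else echo "OK $path"
        fi
        seen="$seen
$real|$path"
    done < "$profile"
}

# Constructed sample: a throwaway home directory and profile, not taken from the thread.
demo() {
    h=$(cd "$(mktemp -d)" && pwd -P)
    echo test > "$h/rc-target"
    ln -s rc-target "$h/.pentadactylrc"        # rc is a symlink to another file
    echo x > "$h/testfile"
    printf '%s\n' '# constructed profile' 'caps.drop all' \
        'whitelist ~/.pentadactylrc' 'whitelist ~/rc-target' \
        'whitelist ${HOME}/testfile' 'whitelist ~/.vimperatorrc' > "$h/test.profile"
    audit_whitelist "$h/test.profile" "$h" | sed "s|$h|HOME|g"
    rm -rf "$h"
}
demo
```

Running `audit_whitelist` against the real profile before starting the sandbox shows which entries are absent and which pairs point at one file.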
