[GH-ISSUE #2004] [Question] Do Firejail "sudo" commands take effect in this special case? #1350

Closed
opened 2026-05-05 07:54:51 -06:00 by gitea-mirror · 4 comments
Owner

Originally created by @Nokia808 on GitHub (Jun 19, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2004

Hi.

Currently I'm using WineHQ according to this super secure installation guide:
https://forums.fedoraforum.org/showthread.php?313858-Risk-Free-WineHQ-Installation-amp-Usage

Please notice the following about this method:

  1. The ownership & permissions of all WineHQ binaries are changed so that WineHQ is owned by a special user account (WineHQ is isolated totally in a special new user account).

  2. The special new user account is completely rootless (it has no su, sudo, nor PolicyKit power).

My question is this: I would like to add an additional layer of security by using Firejail. Firejail certainly can never ever be installed from the Wine special account because it needs sudo to be installed. So, I'm only able to install Firejail from within my 1st user account, which I created during the fresh installation & which has all root powers, including su.

But to make Firejail's profile for WineHQ I need the following command:

sudo firecfg --clean && sudo ln -s /usr/bin/firejail /usr/local/bin/wine

The above command is to make Firejail sandbox only WineHQ, not other applications.

So, does the above command (or "sudo firecfg", which makes Firejail sandbox all supported applications, not only Wine) take effect on WineHQ? When I run "sudo dnf remove wine" or "sudo dnf upgrade wine" from my 1st user account they work. But the Firejail commands that I'm asking about deal with a sandbox for a package's binaries owned only by the special user account & not by all accounts on the system (Windows applications inside my 1st user account cannot make use of Wine to run at all).

Best.


@netblue30 commented on GitHub (Jun 22, 2018):

firecfg sets up a bunch of symbolic links in /usr/local/bin. Once you run it from your regular account, it is available to all users on the system. You don't need to run it again from your special wineuser account. All you have to do is add that user to the list in the /etc/firejail/firejail.users file. Or you can run "sudo firecfg --add-users wineuser" from your regular account.


@Nokia808 commented on GitHub (Jun 22, 2018):

@netblue30

Thank you for the response. O.K., so, "sudo firecfg --add-users wineuser".

But what about the "sudo firecfg --clean && sudo ln -s /usr/bin/firejail /usr/local/bin/wine" command? Does the same apply to this command also? If yes, then how? (Where do I have to put "--add-users wineuser"?)

By the way, I conclude from the need to add "--add-users wineuser" to firecfg (add that user to the list in the /etc/firejail/firejail.users file) that Firejail by default adds only the root accounts (su & sudo accounts) after its installation & does not include other added accounts. Is this correct, or am I wrong?


@chiraag-nataraj commented on GitHub (Jul 9, 2018):

> But what about the "sudo firecfg --clean && sudo ln -s /usr/bin/firejail /usr/local/bin/wine" command? Does the same apply to this command also? If yes, then how? (Where do I have to put "--add-users wineuser"?)

So if I understand you correctly, you're asking whether manually symlinking one binary (rather than all, as firecfg does) will be subject to the same access restrictions as it would be under firecfg. The answer, from what I understand, should be yes. If you only want to (automatically) run wine under firejail, then do the following steps:

  1. sudo firecfg --clean
  2. sudo ln -s /usr/bin/firejail /usr/local/bin/wine
  3. sudo firecfg --add-users wineuser

and you should be good to go!

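An added verification check for the three-step setup above (example code, not from the firejail project or either commenter): it confirms that a binary name in the /usr/local/bin directory is a symlink to /usr/bin/firejail and that the user has a line in firejail.users, assuming that file holds one exact username per line as `firecfg --add-users` writes it. Paths are parameters so it runs against a constructed staging tree.

```shell
# Added verification check, not part of the firejail project. It confirms the
# two parts of the setup discussed above: the /usr/local/bin/<name> symlink that
# routes a binary through firejail, and the user's line in firejail.users.
# Paths are parameters so the check can run against a constructed staging tree.
# Assumption: firejail.users holds one exact username per line (what
# "firecfg --add-users" writes), so matching is done on whole lines.

# firejail_symlink_ok <bindir> <name>: 0 if <bindir>/<name> is a symlink to
# /usr/bin/firejail, i.e. what "ln -s /usr/bin/firejail ..." creates.
firejail_symlink_ok() {
    [ -L "$1/$2" ] || return 1
    [ "$(readlink "$1/$2")" = "/usr/bin/firejail" ]
}

# user_allowed <users_file> <user>: 0 if <user> is a whole line of the file;
# a missing file counts as "not listed".
user_allowed() {
    [ -f "$1" ] || return 1
    grep -qxF -- "$2" "$1"
}

# firejail_setup_report <bindir> <users_file> <user> <name>...: prints one line
# per check; returns 0 only when every symlink and the user entry pass.
firejail_setup_report() {
    bindir="$1"; users_file="$2"; user="$3"; shift 3
    rc=0
    for name in "$@"; do
        if firejail_symlink_ok "$bindir" "$name"; then
            echo "ok: $bindir/$name -> /usr/bin/firejail"
        else
            echo "MISSING: $bindir/$name is not a symlink to /usr/bin/firejail"; rc=1
        fi
    done
    if user_allowed "$users_file" "$user"; then
        echo "ok: $user listed in $users_file"
    else
        echo "MISSING: $user is not listed in $users_file"; rc=1
    fi
    return $rc
}

# Constructed staging tree standing in for /usr/local/bin and /etc/firejail.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    ln -s /usr/bin/firejail "$tmp/bin/wine"
    printf 'wineuser\n' > "$tmp/firejail.users"
    firejail_setup_report "$tmp/bin" "$tmp/firejail.users" wineuser wine; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo
```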

@chiraag-nataraj commented on GitHub (Jul 24, 2018):

Closing, since the question seems to be answered. @Nokia808 Please feel free to re-open if you still have questions.
