[GH-ISSUE #2059] Bug: Cannot whitelist home folders correctly #1389

Closed
opened 2026-05-05 08:01:45 -06:00 by gitea-mirror · 2 comments

Originally created by @t4777sd on GitHub (Jul 24, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2059

It appears there is some error prevention logic that prevents whitelisting home folders when run as root

sudo firejail --noprofile --whitelist=/home/user ls

Outputs error and says invalid whitelist path

Strangely, so does the following even though it IS the root home folder:

sudo firejail --noprofile --whitelist=/root ls

This command will succeed even though it is NOT the root home folder and does not even exist:

sudo firejail --noprofile --whitelist=/home/root ls

This command will also fail even though it explicitly sets the home folder of root to another:

```bash
#!/bin/bash
# Saved as a script and invoked as: sudo ./script.sh
export HOME="/home/user"
firejail --noprofile --whitelist=/home/user ls
```

  • the last one was put in a bash script and the script called with sudo to guarantee that HOME exports correctly

None of these cases should really be failing. If there is some strange error correction going on, then the last one where the HOME is set should work.


@chiraag-nataraj commented on GitHub (Jul 24, 2018):

Looking at the docs (man firejail), it says the following about --whitelist:

```
       --whitelist=dirname_or_filename
              Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded
              inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The top
              directory could be user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.

              Symbolic link handling: with the exception of user home, both the link and the real file should be in the same top directory. For
              user home, both the link and the real file should be owned by the user.

              Example:
              $ firejail --noprofile --whitelist=~/.mozilla
              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
              $ firejail "--whitelist=/home/username/My Virtual Machines"
```

@chiraag-nataraj commented on GitHub (Jul 24, 2018):

I'm going to close this as discussion should probably move over to #2041.
