[GH-ISSUE #2075] Weechat /exec fails with default weechat.profile #1403

Closed
opened 2026-05-05 08:04:02 -06:00 by gitea-mirror · 2 comments

Originally created by @fld on GitHub (Aug 6, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2075

The /exec command in Weechat does not function properly with default weechat.profile.

Tested on Debian 9.5 64bit / Linux 4.17.12 / Weechat 2.2 / Firejail 0.9.54:

```
% tmpwc="$HOME/.dbgweechat"
% mkdir "$tmpwc"
% firejail --noblacklist="$tmpwc" weechat -d "$tmpwc" -r '/exec -n ls'
```

Weechat shows:

```
1 | Error with command 'ls'
  | exec: end of command 0 ("ls"), return code: 1
```

It seems to "Error" with any command I threw at it.

To get it working, I modified /etc/firejail/weechat.profile with:

```
#nonewprivs
#protocol unix,inet,inet6
#seccomp
```

Uncommenting any of those makes /exec's fail.

@chiraag-nataraj commented on GitHub (Aug 6, 2018):

I don't think we should allow a chat client to execute random binaries by default. The predicates you highlight are eminently useful and prevent classes of vulnerabilities and should be enabled by default (unless they hamper the main function of weechat, which is...chatting). You are, of course, more than welcome to disable the "problematic" things in the profile.

@chiraag-nataraj commented on GitHub (Aug 6, 2018):

Also, you can use /etc/firejail/weechat.local with:

```
ignore nonewprivs
ignore protocol
ignore seccomp
```

to get the desired effect without modifying the files that come with firejail (which will be overwritten on update).

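To review which hardening options a `weechat.local` like the one in the comment above switches off, here is an added sketch (not part of the original thread and not firejail's own code). It assumes a simplified model in which an `ignore X` line drops every profile line that starts with X; the sample profile is constructed, and `split_profile` and `make_sample` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example, not firejail code. Simplified model (assumption): an
# "ignore X" line drops every profile line that starts with X.

# split_profile PROFILE LOCAL kept|ignored
# Prints the PROFILE directives that stay active, or those LOCAL switches off.
split_profile() {
    awk -v mode="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim every line
        FILENAME == ARGV[1] {                        # LOCAL: collect ignore entries
            if ($1 == "ignore" && NF > 1) { sub(/^ignore[ \t]+/, ""); ign[++n] = $0 }
            next
        }
        /^(#|$)/ || $1 == "include" { next }         # PROFILE: skip comments, blanks, includes
        {
            hit = 0
            for (i = 1; i <= n; i++) if (index($0, ign[i]) == 1) hit = 1
            if (hit == (mode == "ignored")) print
        }
    ' "$2" "$1"
}

# Constructed sample files: the three options are the ones named in this
# issue; "caps.drop all" is an assumed extra line so that something stays active.
make_sample() {
    printf '%s\n' '# constructed sample profile' 'include /etc/firejail/weechat.local' \
        'caps.drop all' 'nonewprivs' 'protocol unix,inet,inet6' 'seccomp' > "$1/weechat.profile"
    printf '%s\n' 'ignore nonewprivs' 'ignore protocol' 'ignore seccomp' > "$1/weechat.local"
}

dir=$(mktemp -d)
make_sample "$dir"
echo "switched off by weechat.local:"
split_profile "$dir/weechat.profile" "$dir/weechat.local" ignored
echo "still enforced:"
split_profile "$dir/weechat.profile" "$dir/weechat.local" kept
rm -rf "$dir"
```

Pointing the function at the installed profile and local file gives a quick record of what an override removes before it is deployed.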