[GH-ISSUE #228] read-only of PATH and LD_LIBRARY_PATH is incomplete #157

New issue

Closed

opened 2026-05-05 05:11:54 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 05:11:54 -06:00

Owner

Originally created by @genodeftest on GitHub (Jan 14, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/228

etc/disable-common.inc:120

# The user ~/bin directory can override commands such as ls
read-only ${HOME}/bin

tries to disable changing files in user-controlled folders in ${PATH}. There are several issues with that:

${PATH} not only contains ~/bin, but also ~/.local/bin on some platforms (e.g. Fedora 23)
${PATH} can be changed to contain other folders
${LD_LIBRARY_PATH} is as important. Same things apply here.

I've tried changing this line to

read-only ${PATH}

and

read-only ${PATH}/

but both solutions don't work.

Originally created by @genodeftest on GitHub (Jan 14, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/228 [etc/disable-common.inc:120](https://github.com/netblue30/firejail/blob/master/etc/disable-common.inc#L120) ``` # The user ~/bin directory can override commands such as ls read-only ${HOME}/bin ``` tries to disable changing files in user-controlled folders in ${PATH}. There are several issues with that: 1. ${PATH} not only contains `~/bin`, but also `~/.local/bin` on some platforms (e.g. Fedora 23) 2. ${PATH} can be changed to contain other folders 3. ${LD_LIBRARY_PATH} is as important. Same things apply here. I've tried changing this line to ``` read-only ${PATH} ``` and ``` read-only ${PATH}/ ``` but both solutions don't work.

gitea-mirror

2026-05-05 05:11:54 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:12:00 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 17, 2016):

"read-only ${PATH}" should be working in this moment. I am using for ${PATH} the real PATH environment variable, with /bin, /sbin/, /usr/bin and /usr/sbin added in case they are missing from PATH.

I live out LD_LIBRARY_PATH for now. Probably I'll end up implementing a ${LD_LIBRARY_PATH} in profiles.

@netblue30 commented on GitHub (Feb 17, 2016): "read-only ${PATH}" should be working in this moment. I am using for ${PATH} the real PATH environment variable, with /bin, /sbin/, /usr/bin and /usr/sbin added in case they are missing from PATH. I live out LD_LIBRARY_PATH for now. Probably I'll end up implementing a ${LD_LIBRARY_PATH} in profiles.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#157

No description provided.

Rows
Columns