[GH-ISSUE #2380] firejail 0.9.58 breaks many programs (execute permission denied) #1588

Closed
opened 2026-05-05 08:14:37 -06:00 by gitea-mirror · 6 comments

Originally created by @odiferousmint on GitHub (Jan 29, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2380

I have no idea why, but I get:

```
Error: execute permission denied [...]
Error: no suitable X executable found
```

for many programs. 0.9.56 is the last version that works.

I have the directory whitelisted, so I have no idea why it would not work whereas 0.9.56 works just fine.

The programs in question are wire and vivaldi. Probably breaks many other programs which I have not tried yet.

Any ideas? What am I missing? Do I need to add something to my local profile to be able to run an executable inside ${HOME}?

Edit: it seems like it runs if I get rid of `noexec ${HOME}`. How come it works in 0.9.56 but not in 0.9.58 with `noexec ${HOME}` present?

In the meantime I think I found a bug. If I include `disable-programs.inc` that blacklists 2 paths, I will get a permission denied error *even* after I have manually whitelisted and noblacklisted them at the end of the profile file. It seems as if that `noblacklist` and `whitelist` do not overwrite the previous `blacklist`. This is a bug, right?

gitea-mirror closed this issue and added the `bug` label (2026-05-05 08:14:37 -06:00).

@SkewedZeppelin commented on GitHub (Jan 29, 2019):

See https://github.com/netblue30/firejail/issues/2375#issuecomment-458379200

also noblacklist must always come before a blacklist
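
The ordering rule in the comment above, as an added example that is not part of the original thread or of firejail itself: a small checker that follows `include` lines in processing order and reports any `noblacklist` that appears after the `blacklist` it is meant to exempt. The profile contents, the paths and the literal path comparison (no glob handling) are assumptions made for the illustration.

```python
# Added example: find noblacklist lines that are processed too late.
# All profile text and paths below are constructed placeholders.
FILES = {
    "disable-programs.inc": (
        "blacklist ${HOME}/.config/example-app\n"
        "blacklist ${HOME}/.example-cache\n"
    ),
    "broken.profile": (   # noblacklist placed after the include: too late
        "include disable-programs.inc\n"
        "noblacklist ${HOME}/.config/example-app\n"
    ),
    "fixed.profile": (    # noblacklist placed before the include
        "noblacklist ${HOME}/.config/example-app\n"
        "include disable-programs.inc\n"
    ),
}

def expand(name, files, seen=None):
    """Yield (file, lineno, line) in processing order, following includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return
    seen.add(name)
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            yield from expand(line.split(None, 1)[1], files, seen)
        else:
            yield name, lineno, line

def late_noblacklists(name, files):
    """Return (file, lineno, path, blacklist_location) for each late noblacklist."""
    blacklisted = {}  # path -> (file, lineno) of the first blacklist seen
    findings = []
    for fname, lineno, line in expand(name, files):
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "blacklist":
            blacklisted.setdefault(arg, (fname, lineno))
        elif cmd == "noblacklist" and arg in blacklisted:
            findings.append((fname, lineno, arg, blacklisted[arg]))
    return findings

if __name__ == "__main__":
    for profile in ("broken.profile", "fixed.profile"):
        print(profile, late_noblacklists(profile, FILES))
```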


@netblue30 commented on GitHub (Feb 1, 2019):

> for many programs.

@odiferousmint what programs are you having problems with noexec home? So far we figured out the browsers, but there could be more.


@ghost commented on GitHub (Feb 3, 2019):

help something must be wrong with latest updates

if i use
sudo firecfg -> reboot -> my script is broken -> sudo firecfg --clean -> my screen is still broken, -> reboot -> my script works -> sudo firecfg -> my script work -> reboot -> my script is broken.

i'm getting many errors including some about python can't be found even if i don't use a firejail for the app!
nyx
`/bin/bash: /usr/bin/nyx: /usr/bin/python: bad interpreter: Permission denied`

chromium
`[1285:1285:0203/081649.144751:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.`

mpv

```
[ytdl_hook] youtube-dl failed: not found or not enough permissions 
[cplayer] finished playback, unrecognized file format (reason 4)
[cplayer] Failed to recognize file format.
[cplayer] 
[cplayer] 
[cplayer] Exiting... (Errors when loading file)
```

```
#!/bin/sh

OPTIONS="--no-border --no-stop-screensaver -v"
VO="--vo=vaapi"
YT='--ytdl-format="bestvideo[height<=480]+bestaudio/best[height<=480]"'
GREPEX="konsole|firejail|grep"

konsole --hold --new-tab -geometry 1322x705+1262+433 -e $SHELL -c '
echo -ne "\033]30;mpv 24\007"
while true
do
if [ ! `ps aux | grep "hPdg" | grep -vE "'"$GREPEX"'"` ] ; then
mpv '"$VO"' '"$OPTIONS"' [REDACTED] '"$YT"' --geometry=768x432+0+1 --volume=100 --mute=yes
fi
sleep 5
done
' &
P1=$!
sleep 0.1

konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30;mpv rt\007"
while true
do
if [ ! `ps aux | grep "D7pN" | grep -vE "'"$GREPEX"'"` ] ; then
mpv '"$VO"' '"$OPTIONS"' [REDACTED] '"$YT"' --geometry=768x432+768+1 --volume=70 --mute=yes
fi
sleep 5
done
' &
P2=$!

konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30;mpv black\007"
while true
do
if [ ! `ps aux | grep "LIBZRS" | grep -vE "'"$GREPEX"'"` ] ; then
mpv --profile=low-latency --no-ytdl '"$VO"' '"$OPTIONS"' rtsp://[REDACTED]/live0.264 --geometry=768x432+3072+1 --aid=no
fi
sleep 5
done
' &
P3=$!

konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30;mpv color\007"
while true
do
if [ ! `ps aux | grep "h264" | grep -vE "'"$GREPEX"'"` ] ; then
mpv --vo=vdpau --profile=low-latency --no-ytdl '"$OPTIONS"' rtsp://[REDACTED]/0 --geometry=768x432+2304+1 --aid=no
fi
sleep 5
done
' &
P4=$!

konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30;mpv bf\007"
while true
do
if [ ! `ps aux | grep "unknow" | grep -vE "'"$GREPEX"'"` ] ; then
firejail --net=enp0s51t7 --ip=192.168.1.210 --ignore=netfilter --mac=[REDACTED] --defaultgw=192.168.1.254 --dns=1.1.1.1 mpv --rtsp-transport=udp --no-ytdl '"$VO"' '"$OPTIONS"' --geometry=768x432+1536+1 /home/me/.config/mpv/playlist.m3u 
fi
sleep 5
done
' &
P5=$!

konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30; gotop  \007"
konsole -e $SHELL -c 'gotop' -geometry 1262x705+0+433
' &
P6=$!

konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30; twd  \007"
exec chromium -app=[REDACTED]

' &
P7=$!

sleep 0.2
konsole --hold --new-tab -e $SHELL -c '
echo -ne "\033]30; nyx TOR  \007"
nyx
' &
P9=$!
```

i have tried to remove all my custom profiles and .local

nyx which don't have profile and don't run firejailed now return
`/bin/bash: /usr/bin/nyx: /usr/bin/python: bad interpreter: Permission denied` when launched from my script but it is working when launching by typing nyx in Konsole, same for chromium etc.

my firecfg output

```
Removing all firejail symlinks:

Configuring symlinks in /usr/local/bin based on firecfg.config
   VirtualBox created
   akonadi_control created
   ark created
   baloo_file created
   baloo_filemetadata_temp_extractor created
   chromium created
   dig created
   display created
   dnsmasq created
   dolphin created
   enchant-2 created
   enchant-lsmod-2 created
   exiftool created
   feh created
   ffmpeg created
   firefox created
   flameshot created
   gnome-mpv created
   gradio created
   gwenview created
   img2txt created
   kaffeine created
   kate created
   kcalc created
   kdenlive created
   kget created
   konversation created
   less created
   libreoffice created
   lobase created
   localc created
   lodraw created
   loffice created
   lofromtemplate created
   loimpress created
   lomath created
   loweb created
   lowriter created
   lynx created
   mediainfo created
   mplayer created
   mpv created
   okular created
   patch created
   pdftotext created
   skanlite created
   soffice created
   ssh created
   strings created
   tracker created
   viewnior created
   virtualbox created
   vlc created
   w3m created
   wget created
   youtube-dl created

Adding user me to Firejail access database in /etc/firejail/firejail.users
User me already in the database

Fixing desktop files in /home/me/.local/share/applications
   vlc.desktop skipped: file exists
   google-earth-pro.desktop skipped: file exists
   chromium.desktop skipped: file exists
   firefox.desktop skipped: file exists
```

edit, i think that the programs are not launched in a sandbox anymore when launched from the script, i don't see them in `firejail --top` and i have this message **Warning: an existing sandbox was detected. /usr/bin/mpv will run without any additional sandboxing features**


@ghost commented on GitHub (Feb 6, 2019):

everything works for me now, not sure if it's because i have updated firejail today or something else was wrong with my pc, anyways it's fixed for me. thx


@chiraag-nataraj commented on GitHub (Feb 7, 2019):

I'll go ahead and close this, as it looks like the issue has been resolved.


@odiferousmint commented on GitHub (Feb 12, 2019):

> > for many programs.
>
> @odiferousmint what programs are you having problems with noexec home? So far we figured out the browsers, but there could be more.

So far I had issues with `wire-desktop` and `vivaldi` only.
