[GH-ISSUE #2413] Warnings in firejail #1609

Closed
opened 2026-05-05 08:16:02 -06:00 by gitea-mirror · 11 comments

Originally created by @ghost on GitHub (Feb 17, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2413

Hi, I have 3 warnings when running firejail and was wondering if someone here has the info about them and how to resolve them.
I have Arch Linux with the linux-hardened kernel.

Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted

Warning: cannot create a new user namespace, going forward without it...

I read that user namespaces are disabled/restricted on Arch Linux but I also read that firejail should be able to use it anyway?

Thank you for taking your time! =)

@Vincent43 commented on GitHub (Feb 17, 2019):

> Warning: /sbin directory link was not blacklisted
> Warning: /usr/sbin directory link was not blacklisted

Those are ok. In Arch they're symlinks to `/usr/bin` and can't be blacklisted.

> Warning: cannot create a new user namespace, going forward without it...

I can't reproduce this one.

@SkewedZeppelin commented on GitHub (Feb 17, 2019):

> Warning: cannot create a new user namespace, going forward without it...

relevant?
https://github.com/anthraxx/linux-hardened/commit/541891558d4f4bcce4efd2489d1b447a4b44bee8

@ghost commented on GitHub (Feb 17, 2019):

> I read that user namespaces are disabled/restricted on arch linux but I also read that firejail should be able to use it anyway?

All Arch Linux kernels have support for CONFIG_USER_NS. However, due to more general security concerns, the default Arch kernel does ship with User Namespaces enabled only for the `root` user. [Additional setup](https://wiki.archlinux.org/index.php/Linux_Containers) is required to use unprivileged containers as `normal` user.

@Vincent43 commented on GitHub (Feb 17, 2019):

firejail runs as `root` so that restriction shouldn't apply to it (and it doesn't on my system). @anteg did you add some additional security options in the system, like the `user.max_user_namespaces = 0` sysctl?

@ghost commented on GitHub (Feb 17, 2019):

@Vincent43 No, it's set to 0. Could it be some issue with the permissions? Since root is the user, that shouldn't be the case?

@ghost commented on GitHub (Feb 18, 2019):

@anteg Wait, are you confirming `user.max_user_namespaces = 0` while running linux-hardened? Just so we're all on the same page as to your exact issue, would you paste the output of the following commands here please?

$ sysctl user.max_user_namespaces
$ grep userns /etc/firejail/firejail.config

Also, are you seeing the same firejail behavior when running the `linux` and/or `linux-lts` kernels on Arch Linux?

@ghost commented on GitHub (Feb 18, 2019):

@glitsj16
After running the commands I can confirm the outputs being
user.max_user_namespaces = 0
userns yes

I will try with other kernels today and see, but I posted this in the meanwhile.

Thanks for taking your time to help

@ghost commented on GitHub (Feb 18, 2019):

@glitsj16
I just tried to change `user.max_user_namespaces = 1` and then the warning in firejail disappeared. Is this something I want to have set to 0 or another value?
This is the info text from the sysctl:
**Disable User Namespaces as it opens up a large attack surface to unprivileged users**

I am a bit confused if I really want namespaces or not.

@ghost commented on GitHub (Feb 18, 2019):

@anteg Good question. Before Arch Linux added in support for CONFIG_USER_NS I was just as confused and posed a question [here](https://github.com/netblue30/firejail/issues/1347) and added a link to it on the [Arch Wiki page on firejail](https://wiki.archlinux.org/index.php/Firejail). Maybe those were what you referred to in your original question.

Historically there have always been arguments made pro and contra user namespaces in Linux. Either way, firejail is only issuing a warning here. It's up to you to decide whether or not you need userns support in firejail. Personally I have been running Arch Linux for a long time now with support for it enabled. Haven't seen an issue yet. Your mileage may vary.

@ghost commented on GitHub (Feb 18, 2019):

@glitsj16 Big thanks for your input!! So I have a bit of deciding if I am to use namespaces or not then =)
Thanks for your time!! Appreciate it


@Vincent43 commented on GitHub (Feb 18, 2019):

@anteg

> I just tried to change the user.max_user_namespaces = 1 and then the warning in firejail disappeared. Is this something I want have set to 0 or other value?

The default value on my system is `30808`.

> This is the info text from the sysctl
> Disable User Namespaces as it opens up a large attack surface to unprivileged users

If you have a file on your system with that comment then it means you created it yourself, because this isn't part of the default config in Arch. As was mentioned above, Arch already restricts `USER_NS` to the root user and further restriction isn't needed. Getting rid of that sysctl config should be safe for you.
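The checks this thread walks through (the live `user.max_user_namespaces` limit, the sysctl drop-in file that sets it, and the `userns` switch in `firejail.config`), collected into one diagnostic script. This is an added example, not firejail's own code; the sysctl.d search paths follow sysctl.d(5), and every path is a parameter so the functions can be exercised on constructed sample files as well as a real system.

```shell
#!/bin/sh
# Added diagnostic (not part of firejail): explains the
# "cannot create a new user namespace, going forward without it..."
# warning by checking the kernel limit, the sysctl file that sets it
# and firejail's own userns switch. Paths are parameters so the
# functions work on constructed sample files as well as a live system.

# find_userns_sysctl FILE_OR_DIR...  -> "path: value" per assignment
# of user.max_user_namespaces found (recursive, missing paths ignored).
find_userns_sysctl() {
    grep -rHs '^[[:space:]]*user\.max_user_namespaces[[:space:]]*=' "$@" |
        awk -F'[:=]' '{ gsub(/[[:space:]]/, "", $NF); print $1 ": " $NF }'
}

# firejail_userns_setting CONFIG -> yes | no | unset
# (commented "# userns" lines are ignored; the last real one wins).
firejail_userns_setting() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '$1 == "userns" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# userns_diagnosis LIMIT_FILE CONFIG -> one verdict line; exit 0 only
# when firejail can create a user namespace. LIMIT_FILE is normally
# /proc/sys/user/max_user_namespaces (what "sysctl" reads).
userns_diagnosis() {
    limit=$(cat "$1" 2>/dev/null || echo unknown)
    cfg=$(firejail_userns_setting "$2")
    if [ "$cfg" = "no" ]; then
        echo "userns disabled in firejail.config: firejail will not try to create one"
        return 1
    elif [ "$limit" = "0" ]; then
        echo "user.max_user_namespaces=0: firejail will warn and run without a user namespace"
        return 1
    fi
    echo "user namespaces available (kernel limit $limit, firejail userns $cfg)"
    return 0
}

# Live run on this machine:  sh userns_check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "sysctl assignments found:"
    find_userns_sysctl /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d
    userns_diagnosis /proc/sys/user/max_user_namespaces /etc/firejail/firejail.config
fi
```

A non-zero exit from `userns_diagnosis` together with a hit from `find_userns_sysctl` points straight at the drop-in file to review, which is the situation the thread ends on.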