[GH-ISSUE #2623] /dev/null created with wrong permissions #1664

Closed
opened 2026-05-05 08:18:41 -06:00 by gitea-mirror · 6 comments

Originally created by @viq on GitHub (Mar 28, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2623

Noticed when trying to start calibre:

$ calibre
Reading profile /etc/firejail/calibre.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 30619, child pid 30620
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 92.58 ms
Traceback (most recent call last):
  File "/usr/bin/calibre", line 20, in <module>
    sys.exit(calibre())
  File "/usr/lib/calibre/calibre/gui_launch.py", line 74, in calibre
    main(args)
  File "/usr/lib/calibre/calibre/gui2/main.py", line 556, in main
    gui_debug=gui_debug)
  File "/usr/lib/calibre/calibre/gui2/main.py", line 380, in run_gui
    app.load_builtin_fonts(scan_for_fonts=True)
  File "/usr/lib/calibre/calibre/gui2/__init__.py", line 948, in load_builtin_fonts
    from calibre.utils.fonts.scanner import font_scanner
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 400, in <module>
    font_scanner = FontScanner()
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 199, in __init__
    self.folders = folders + font_dirs() + [os.path.join(config_dir, 'fonts'),
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 119, in font_dirs
    return fc_list()
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 41, in fc_list
    lib = find_library('fontconfig')
  File "/usr/lib/python2.7/ctypes/util.py", line 274, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python2.7/ctypes/util.py", line 258, in _findSoname_ldconfig
    null = open(os.devnull, 'wb')
IOError: [Errno 13] Permission denied: '/dev/null'

Parent is shutting down, bye...

and indeed:

firejail --profile=/etc/firejail/calibre.profile bash -c 'ls -l /dev/'
Reading profile /etc/firejail/calibre.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 14180, child pid 14181
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 132.88 ms
total 0
crw-rw-rw- 1 nobody nobody 1, 7 03-28 13:31 full
srw-rw-rw- 1 nobody nobody    0 03-28 11:33 log
-r-------- 1 nobody nobody    0 03-28 11:34 null
lrwxrwxrwx 1 nobody nobody   13 03-28 13:31 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 nobody nobody    0 03-28 13:31 pts
crw-rw-rw- 1 nobody nobody 1, 8 03-28 13:31 random
drwxrwxrwt 2 nobody nobody   40 03-28 13:31 shm
crw-rw-rw- 1 nobody nobody 5, 0 03-28 13:31 tty
crw-rw-rw- 1 nobody nobody 1, 9 03-28 13:31 urandom
crw-rw-rw- 1 nobody nobody 1, 5 03-28 13:31 zero

Parent is shutting down, bye...

Archlinux, firejail 0.9.58.2-1:

firejail --version
firejail version 0.9.58.2

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

@Vincent43 commented on GitHub (Mar 29, 2019):

Interesting, for me it is ok in latest git version:

firejail --profile=/etc/firejail/calibre.profile bash -c 'ls -l /dev/'
Reading profile /etc/firejail/calibre.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8959, child pid 8960
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 94.79 ms
total 0
crw-rw-rw- 1 nobody nobody 1, 7 Mar 29 12:40 full
srw-rw-rw- 1 nobody nobody    0 Mar 29 11:35 log
crw-rw-rw- 1 nobody nobody 1, 3 Mar 29 12:40 null
lrwxrwxrwx 1 nobody nobody   13 Mar 29 12:40 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 nobody nobody    0 Mar 29 12:40 pts
crw-rw-rw- 1 nobody nobody 1, 8 Mar 29 12:40 random
drwxrwxrwt 2 nobody nobody   40 Mar 29 12:40 shm
crw-rw-rw- 1 nobody nobody 5, 0 Mar 29 12:40 tty
crw-rw-rw- 1 nobody nobody 1, 9 Mar 29 12:40 urandom
crw-rw-rw- 1 nobody nobody 1, 5 Mar 29 12:40 zero

@rusty-snake commented on GitHub (Mar 30, 2019):

@Vincent43 @viq @SkewedZeppelin Can reproduce with every profile that includes disable-programs.inc

$ firejail --debug ls -l /dev/null | grep /dev/null
…
Disable /dev/null (requested /home/USER/.wget-hsts)
…
$ ls -l .wget-hsts 
lrwxrwxrwx. … … …  .wget-hsts -> /dev/null

I have symlinked .wget-hsts to /dev/null so that wget does not make HSTS entries; because since 0.9.58 .wget-hsts is blacklisted, FJ also blacklisted /dev/null.

@viq have you symlinked something in your HOME to /dev/null? Try firejail --debug

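The check a user would want before hitting this: find the symlinks under a home directory that resolve into /dev, because any blacklisted dotfile that is such a link gets resolved by firejail and the device node is masked instead (the "Disable /dev/null (requested .../.wget-hsts)" debug line above). This is an added example, not firejail's code and not posted by anyone in the issue; it assumes GNU find (-maxdepth) and a readlink that supports -f, and it deliberately reports every target under /dev rather than only /dev/null, since any such link would be masked the same way.

```bash
#!/bin/sh
# Added example, not part of firejail or of the original issue.
# Lists symlinks under a directory that resolve into /dev. Firejail resolves a
# blacklisted path before masking it, so a blacklisted dotfile that is a
# symlink to /dev/null (e.g. ~/.wget-hsts -> /dev/null) ends up masking
# /dev/null itself.
#
# Assumes GNU find (-maxdepth) and readlink -f (GNU coreutils / BusyBox).
#
# Usage: find_dev_links DIR [MAXDEPTH]
# Prints "LINK -> TARGET" for every offending symlink. Returns 0 if none were
# found and 1 otherwise, so it can gate a launcher script.
find_dev_links() {
    _dir=$1
    _depth=${2:-2}
    # Walk only symlinks; resolve each one fully so chained or relative links
    # that end up in /dev are caught, not just links whose text is /dev/null.
    _hits=$(find "$_dir" -maxdepth "$_depth" -type l -exec sh -c '
        for l; do
            t=$(readlink -f "$l" 2>/dev/null) || continue
            case $t in
                /dev/*) printf "%s -> %s\n" "$l" "$t" ;;
            esac
        done' sh {} + 2>/dev/null)
    if [ -z "$_hits" ]; then
        return 0
    fi
    printf '%s\n' "$_hits"
    return 1
}

# Stand-alone use: ./find_dev_links.sh --scan [MAXDEPTH] scans $HOME.
if [ "${1:-}" = "--scan" ]; then
    if find_dev_links "$HOME" "${2:-2}"; then
        echo "no symlinks into /dev under $HOME"
    else
        echo "the links above will be masked by a firejail blacklist;" \
             "replace each with an empty regular file made immutable (chattr +i)" >&2
        exit 1
    fi
fi
```

Run it on $HOME before launching a profile that pulls in disable-programs.inc; a hit means the corresponding device node will be masked inside the sandbox. The remediation suggested in the thread is to replace the link with an empty regular file and `chattr +i` it (root, ext-family or similar filesystem required), which the function does not do for you.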

@Vincent43 commented on GitHub (Mar 30, 2019):

@rusty-snake Yes, I remember some issues when I had something in home linked to /dev/null. As a workaround you may try making the file/dir immutable with chattr +i <file> instead of linking it to /dev/null.


@rusty-snake commented on GitHub (Mar 30, 2019):

@Vincent43 already done ;)


@rusty-snake commented on GitHub (May 11, 2019):

@viq still an issue?


@chiraag-nataraj commented on GitHub (May 21, 2019):

Going to close due to inactivity. @viq, if this is still an issue, please feel free to re-open.
