[GH-ISSUE #2686] Protect firejailed program from "the outside" using a dedicated user #1692

Open
opened 2026-05-05 08:20:25 -06:00 by gitea-mirror · 5 comments

Originally created by @Hocuri on GitHub (May 10, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2686

I know it sounds weird that a sandbox should protect sandboxed programs from un-sandboxed programs but maybe it is worth it?

Like this:

  • Create a user `firejail` and create `/home/firejail` on installation

Then:
`tom@host ~ $` `firejail --private-firejail-user firefox`

  • Switches to user firejail
  • creates `/home/firejail/tom/firefox` if it does not exist
  • sets PATH to something like `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` to make sure that we are actually executing the right firefox and not something like `~/.local/bin/firefox`
  • does `firejail --private=/home/firejail/tom/firefox`

What do you think?

gitea-mirror added the enhancement label 2026-05-05 08:20:25 -06:00

@SkewedZeppelin commented on GitHub (May 10, 2019):

Protect from what? Existing malware? Other malicious users?

> to make sure that we are actually executing the right firefox and not something like

What prevents a program in your path already faking firejail?

If you want isolation like that Qubes OS is probably more suitable.
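
The PATH step in the proposal and the "faking firejail" question above both come down to which file a command name resolves to. As an added example (not code from firejail or from the posters), the following sh functions compare lookup under a caller's PATH with lookup under the fixed PATH quoted in the issue; `resolve_in_path`, `check_shadowing`, `demo` and the temporary directory tree are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example, not firejail code: compare command lookup under the caller's
# PATH with lookup under the fixed PATH quoted in the issue.
TRUSTED_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# resolve_in_path CMD PATHLIST: print the first executable regular file named
# CMD in PATHLIST (colon-separated); return 1 if there is none.
resolve_in_path() {
    _old_ifs=$IFS; IFS=:; set -f
    for _dir in $2; do
        [ -n "$_dir" ] || _dir=.        # an empty PATH entry means the cwd
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs; set +f
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs; set +f
    return 1
}

# check_shadowing CMD CALLER_PATH [TRUSTED_PATH]
#   0: both lookups reach the same file (or the caller's PATH finds nothing)
#   1: the caller's PATH reaches a different file first (shadowing)
#   2: CMD is not present in the trusted PATH at all
check_shadowing() {
    _trusted=$(resolve_in_path "$1" "${3:-$TRUSTED_PATH}") || return 2
    _seen=$(resolve_in_path "$1" "$2") || return 0
    # -ef compares device and inode, so /bin/x and /usr/bin/x on a merged-/usr
    # system are treated as the same file.
    [ "$_seen" -ef "$_trusted" ] && return 0
    printf 'shadowed: %s -> %s (trusted: %s)\n' "$1" "$_seen" "$_trusted" >&2
    return 1
}

# Constructed demo tree: a stand-in system bin dir and a user-writable dir
# that contains its own "firefox". No real binaries are involved.
demo() {
    _t=$(mktemp -d) || return 3
    mkdir -p "$_t/usr/bin" "$_t/home/tom/.local/bin"
    printf '#!/bin/sh\n' > "$_t/usr/bin/firefox"
    printf '#!/bin/sh\n' > "$_t/home/tom/.local/bin/firefox"
    chmod +x "$_t/usr/bin/firefox" "$_t/home/tom/.local/bin/firefox"
    check_shadowing firefox "$_t/home/tom/.local/bin:$_t/usr/bin" "$_t/usr/bin"
    _rc=$?
    rm -rf "$_t"
    return "$_rc"
}
```

Calling `check_shadowing firejail "$PATH"` applies the same comparison to the launcher itself; the check is only as trustworthy as the shell and the script it runs from.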


@Vincent43 commented on GitHub (May 10, 2019):

Firejail originally could run commands as arbitrary users but it was disabled for security reasons, IIRC.

Doesn't `sudo --user=firejail firejail firefox` do what you want?


@Hocuri commented on GitHub (May 10, 2019):

> What prevents a program in your path already faking firejail?

That program won't be able to read /home/firejail, so if I use the built-in Firefox password manager (or another password manager) the passwords already saved there are safe.

> sudo --user=firejail firejail firefox

IIRC this won't work together with Wayland.


@Vincent43 commented on GitHub (May 10, 2019):

> IIRC this won't work together with Wayland.

Then neither will your proposal. You can play with xhost/xauth to fix that.


@Hocuri commented on GitHub (May 11, 2019):

> Then neither will your proposal. You can play with xhost/xauth to fix that.

Well, I could probably try to fix it just for me, but I do not think that would be worth the effort (actually, I can do everything that Firejail can do; it's just a program on my computer). I just thought that it might be nice to have this for ALL users of firejail (although up to now nobody has said that they would like/use this feature).

Reference: github-starred/firejail#1692