[GH-ISSUE #2693] Signal-desktop cannot run in chroot as user (due to some chroot magic) #1698

Closed
opened 2026-05-05 08:21:13 -06:00 by gitea-mirror · 9 comments

Originally created by @VPNReyMan on GitHub (May 13, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2693

I created a chroot according to here: https://firejail.wordpress.com/documentation-2/basic-usage/

I then installed signal-desktop. It will run as root, but not as user. In both cases it will show the application window. However, with the user it will just be blank whereas under root it will display everything correctly.

The application is designed to be run as a user and not root, so it is better if it runs as a user. It appears the only difference between the two is that under user the following is outputted:

** Warning: dropping all Linux capabilities **

Signal is based on node webkit or electron or something, as it appears to be a chromium browser that runs a webpage. I know that chromium has its own sandbox. Perhaps it is this sandbox in chromium that causes the issue? However, I am running without a profile, so theoretically it should be working in both cases, right?

For example of commands not working and working:

NOT WORKING
firejail --noprofile --debug --chroot=./debian-stretch-amd64 /opt/Signal/signal-desktop

WORKING
sudo firejail --noprofile --debug --chroot=./debian-stretch-amd64 /opt/Signal/signal-desktop


@VPNReyMan commented on GitHub (May 13, 2019):

It looks like the app is looking in /proc/cpuinfo. I notice that with sudo firejail that /proc/* files are readable. Without running firejail with sudo, then /proc/ is an empty directory in the chroot directory.

Is there any way to make this available?


@VPNReyMan commented on GitHub (May 13, 2019):

I tried the --bind command to bind proc, but it says that requires root. Looking here: https://linux.die.net/man/8/linux-user-chroot

That has a --mount-proc and is supposedly meant to be called without root. Is there a way in linux to mount /proc without root inside a chroot?


@VPNReyMan commented on GitHub (May 13, 2019):

I mounted /proc to the chroot/proc directory so that a non-root user would have access to those files. Signal still did not run, but it runs under root, so it is something else the firejail sandbox is preventing even though it is running with no profile

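A check for the /proc condition discussed in the comments above, added here as an example that is not part of the thread or of firejail: it reports which filesystem type, if any, is mounted on a chroot's `proc` directory by reading a mountinfo file. The function name and the constructed sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print the filesystem type mounted on
# <chroot>/proc. Exit 0 if a mount exists, 1 if none, 2 if the directory is
# missing. The mountinfo path can be overridden to inspect a saved copy.
chroot_proc_fstype() {
    dir=$1
    mountinfo=${2:-/proc/self/mountinfo}
    # Mount points in mountinfo are absolute, so resolve the chroot path first.
    target=$(cd "$dir" 2>/dev/null && pwd -P) || return 2
    target="${target%/}/proc"
    # Field 5 is the mount point; the fs type follows the "-" separator,
    # which comes after a variable number of optional fields.
    awk -v t="$target" '
        $5 == t {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fs = $(i + 1); break }
        }
        END { if (fs != "") print fs; else exit 1 }
    ' "$mountinfo"
}

# Constructed sample (not captured from a real system): a proc mount on jail/proc.
demo=$(mktemp -d) && mkdir "$demo/jail"
printf '95 22 0:5 / %s/jail/proc rw,nosuid shared:12 - proc proc rw\n' \
    "$(cd "$demo" && pwd -P)" > "$demo/mountinfo"
chroot_proc_fstype "$demo/jail" "$demo/mountinfo"   # prints: proc
rm -rf "$demo"
```

Run against the live table with `chroot_proc_fstype ./debian-stretch-amd64`; an exit status of 1 means nothing is mounted on that directory in the current mount namespace.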

@SkewedZeppelin commented on GitHub (May 13, 2019):

Why do you want a chroot? There is also an existing signal-desktop profile

just `firejail /opt/Signal/signal-desktop`


@VPNReyMan commented on GitHub (May 13, 2019):

chroot is necessary because it does not run on non-debian distributions thus it needs a debian chroot


@rusty-snake commented on GitHub (May 14, 2019):

@VPNReyMan which distro are you using?

There is an AUR package (https://aur.archlinux.org/packages/signal-desktop-bin/) and you can build it yourself (https://github.com/signalapp/Signal-Desktop).

You can also use flatpak (`flatpak install flathub org.signal.Signal`) or snap (https://snapcraft.io/signal-desktop).

@chiraag-nataraj commented on GitHub (May 20, 2019):

Pretty sure the only Debian-specific part is the installer...building from source should totally work on non-Debian distros. You certainly shouldn't need a chroot to install it!


@chiraag-nataraj commented on GitHub (May 29, 2019):

@VPNReyMan Did you try either of the options we gave above?


@chiraag-nataraj commented on GitHub (May 30, 2019):

@VPNReyMan I'm going to close this for now due to inactivity. If you have a chance to try our suggestions and report back, please feel free to re-open this.

Reference: github-starred/firejail#1698