[GH-ISSUE #2758] Firejail does not work with a custom hosts file #1733

Closed
opened 2026-05-05 08:24:14 -06:00 by gitea-mirror · 15 comments

Originally created by @rmrgh on GitHub (Jun 10, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2758

When running firejail with a custom hosts file:

```
$ firejail --noprofile --private --hosts-file=hosts firefox -no-remote
```

it reports the following errors:

```
Parent pid 32480, child pid 32481
Error: invalid /etc/hosts file
Error: proc 32480 cannot sync with peer: unexpected EOF
Peer 32481 unexpectedly exited with status 1
```

My hosts file contains only:

```
127.0.0.1 sample.localhost
```

Even with an empty file, it reports the same errors.

Firejail Version: 0.9.58
Linux Distribution: NixOS 19.03

@rusty-snake commented on GitHub (Jun 11, 2019):

Can't reproduce with firejail 0.9.61 under Fedora 29.

```
$ firejail --private --noprofile --hosts-file=hfile firefox-wayland -no-remote
… No Error about hosts
$ cat hfile
127.0.0.1 some.localhost
```
@chiraag-nataraj commented on GitHub (Jun 11, 2019):

I even just tried `firejail --hosts-file=/dev/null` and it worked.

@netblue30 commented on GitHub (Jun 11, 2019):

There could be two reasons for it to fail: if the host file is a symbolic link, or if the user doesn't have read access to the file. Also, try to put a full path for the host file, something like "--host-file=/home/username/hostfile". Works fine on 0.9.58, that code didn't change in ages.

@Nudin commented on GitHub (Mar 31, 2020):

I got the same issue on Arch with firejail 0.9.62. The file is not a symlink and is readable by the user.

```
$ touch /home/michi/empty
$ chmod 777 /home/michi/empty
$ firejail --noprofile --hosts-file=/home/michi/empty
Parent pid 87979, child pid 87980
Error: invalid /etc/hosts file
Error: proc 87979 cannot sync with peer: unexpected EOF
Peer 87980 unexpectedly exited with status 1
```
@Enteee commented on GitHub (Mar 23, 2021):

Can confirm the same behavior as @rmrgh observed on NixOS (symlinked /etc/hosts). Firejail `0.9.64.4` does fail on `firejail --hosts-file=/dev/null` with:

```
Error: dumpable process
Remove read permission on fseccomp executable
Warning: cleaning all supplementary groups
Error: invalid /etc/hosts file
Error: proc 13962 cannot sync with peer: unexpected EOF
Peer 13963 unexpectedly exited with status 1
```

This is the check that fails:
https://github.com/netblue30/firejail/blob/2609e5cf0b82222d83637fa1bd2538645999f04d/src/firejail/fs_hostname.c#L226-L227

Removing this check seems to be simple enough, but I am not quite sure why this is there in the first place.

For those who use NixOS: I have written an overlay that removes the check by patching firejail. Running the command is working, but the /etc/hosts file is not read. Inside the jail the file /etc/hosts points to is actually changed to whatever you set as `--hosts-file` but it is not actually used by the system resolve. Don't really know why...

self: super: {
  firejail = (super.firejail.overrideAttrs (oldAttrs: {
    patches = [
      (
      # Fix for https://github.com/netblue30/firejail/issues/2758
      super.writeText "fix-2758" ''
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 8a3bb71e..0d318744 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -222,9 +218,6 @@ void fs_mount_hosts_file(void) {
 	struct stat s;
 	if (stat("/etc/hosts", &s) == -1)
 		goto errexit;
-	// not a link
-	if (is_link("/etc/hosts"))
-		goto errexit;
 	// owned by root
 	if (s.st_uid != 0)
 		goto errexit;

      ''
      )
    ];
  }));
}
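
Review bot: In fs_mount_hosts_file(), dropping the is_link("/etc/hosts") test leaves `s.st_uid != 0` as the only guard shown after the stat() call, and because stat() follows symbolic links, that owner check now applies to the link target rather than to /etc/hosts itself. Instead of deleting the check outright, consider replacing it with an explicit test on the resolved target (for example, requiring S_ISREG(s.st_mode) alongside the root-owner check) and a comment stating why a link is acceptable here, since the removed `// not a link` comment was the only record of the original intent.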
@deliciouslytyped commented on GitHub (Mar 31, 2021):

@Enteee thanks, I ran into the same issue.

Low key note that copying the script into a config won't work if you use spaces because the source file uses tabs; it causes a small bit of confusion as to why the patch isn't applying.

@dunesong commented on GitHub (Jul 31, 2021):

Had the same issue. In my case, /etc/hosts was not owned by root. Correcting that fixed the issue.

`sudo chown root:root /etc/hosts`

@smitsohu commented on GitHub (Sep 22, 2021):

@onny May I ask where the link points to in NixOS?

EDIT: Reading a bit more about NixOS this is probably a stupid question. It points to /nix/store/something if I understand correctly.

@onny commented on GitHub (Sep 24, 2021):

> @onny May I ask where the link points to in NixOS?
>
> EDIT: Reading a bit more about NixOS this is probably a stupid question. It points to `/nix/store/something` if I understand correctly.

Yep, that's right.

```
namei -l /etc/hosts
f: /etc/hosts
drwxr-xr-x root root   /
drwxr-xr-x root root   etc
lrwxrwxrwx root root   hosts -> /etc/static/hosts
drwxr-xr-x root root     /
drwxr-xr-x root root     etc
lrwxrwxrwx root root     static -> /nix/store/6z9wz2j0cv06hxf5iqhlil421mmnnz32-etc/etc
drwxr-xr-x root root       /
drwxr-xr-x root root       nix
drwxrwxr-t root nixbld     store
dr-xr-xr-x root root       6z9wz2j0cv06hxf5iqhlil421mmnnz32-etc
dr-xr-xr-x root root       etc
lrwxrwxrwx root root     hosts -> /nix/store/ppbg1m59fsw5740fgi1kz3xaap2bvzgm-hosts
drwxr-xr-x root root       /
drwxr-xr-x root root       nix
drwxrwxr-t root nixbld     store
-r--r--r-- root root       ppbg1m59fsw5740fgi1kz3xaap2bvzgm-hosts
```
@Enteee commented on GitHub (Sep 25, 2021):

@netblue30: why was this closed? I think the issue is still relevant.

@rusty-snake commented on GitHub (Sep 25, 2021):

Because #4560 was merged and this issue is a linked issue in #4560.

@Enteee do you still get this error?

@Enteee commented on GitHub (Sep 25, 2021):

I have not yet tested it. But I think before merging something that is more or less my suggested patch somebody should have falsified the following:

> Inside the jail the file /etc/hosts points to is actually changed to whatever you set as --hosts-file but it is not actually used by the system resolve. Don't really know why...

@earldouglas commented on GitHub (Mar 6, 2025):

I also ran into this on NixOS. In my case, the fix was simply to add a newline to the end of my hosts file.

@gleruzh commented on GitHub (Apr 10, 2025):

Check owner and permissions on your hosts file.

@kmk3 commented on GitHub (Apr 12, 2025):

Note that this issue was closed years ago.

If something does not appear to work as intended, please open a new issue and
follow the bug report template:

* <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>
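
A pre-flight check for the causes participants report in this thread (symlinked file, wrong owner, unreadable file, missing trailing newline), as an added example that is not code from the firejail project or from any commenter. The function name `diagnose_hosts`, its output labels and the optional expected-UID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not firejail code): report the hosts-file conditions that
# participants in this thread found behind "Error: invalid /etc/hosts file".
# Usage: diagnose_hosts PATH [EXPECTED_UID]
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
diagnose_hosts() {
    path=$1
    want_uid=${2-}          # assumption: owner is checked only when given
    bad=0

    # A symbolic link (as /etc/hosts is on NixOS).
    if [ -L "$path" ]; then
        echo "symlink: $path -> $(readlink "$path")"
        bad=1
    fi
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    # The invoking user cannot read the file.
    if [ ! -r "$path" ]; then
        echo "unreadable: $path"
        bad=1
    fi
    # Owner of the link target (ls -L follows links, like stat(2)).
    if [ -n "$want_uid" ]; then
        uid=$(ls -Lnd "$path" | awk '{print $3}')
        if [ "$uid" != "$want_uid" ]; then
            echo "owner: uid $uid, expected $want_uid: $path"
            bad=1
        fi
    fi
    # Non-empty regular file whose last byte is not a newline.
    if [ -f "$path" ] && [ -s "$path" ] && [ -n "$(tail -c 1 "$path")" ]; then
        echo "no-trailing-newline: $path"
        bad=1
    fi
    return "$bad"
}

# When run as a script with arguments, e.g.: sh check.sh /etc/hosts 0
[ "$#" -eq 0 ] || diagnose_hosts "$@"
```

Run it once against `/etc/hosts` with expected UID `0` and once against the file passed to `--hosts-file`; an empty result means none of the conditions reported in the thread apply.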