[GH-ISSUE #2853] Can't use 'less' on many files in own home directory - is that normal? #1781

Closed
opened 2026-05-05 08:26:57 -06:00 by gitea-mirror · 7 comments

Originally created by @flipsa on GitHub (Jul 10, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2853

Hey there,

I've just switched to a new distro (Parrot OS) which comes with firejail (and AppArmor) preinstalled. While I appreciate the move to more security in general, I was pretty surprised to find out that it blocks me from reading many of the files in my home directory with the 'less' pager ('permission denied'), while other ways of accessing the file contents work fine (editors like vim, nano, or even just 'cat'). I'm still trying to wrap my head around what exactly is going on, but I think the reason for the permission errors comes from /etc/firejail/disable-programs.profile.

Is this really the intended behaviour or is my system misbehaving? What benefit is there in blocking a specific app like less from even reading a file that belongs to me and is in my own home directory, while other programs can display and even modify the same files just fine?

Can anybody shed some light please?
Thanks!

@rusty-snake commented on GitHub (Jul 10, 2019):

  1. Everything's working fine on your system.
  2. > What benefit is there in blocking a specific app like less from even reading a file that belongs to me and is in my own home directory, while other programs can display and even modify the same files just fine?

less: is firejailed by default after running firecfg
cat: doesn't have a firejail profile
vim, nano: must be enabled by the user

May be helpful for future understanding:
`firejail --list`: list all running firejail sandboxes
`which PROGRAM`/`where PROGRAM`: see what is executed when running PROGRAM
`firecfg --list`/`ls -l /usr/local/bin | grep firejail`: list all programs that are firejailed by default when started.

@flipsa commented on GitHub (Jul 10, 2019):

Thanks @rusty-snake for your answer, that clears things up a bit.

As a follow-up question in regards to ease of use / convenience: I do work a lot in the terminal, and viewing files (esp. the ones in my own directory) is a very common occurrence. Given that, what is the suggested way of dealing with that use-case without punching too big / too many holes into firejail? Does one allow (whitelist?) individual files whenever one notices a permission denied error? Is there another / better way? Just trying to find out how to i) make use of firejail, while ii) not interrupting my work-flow every few minutes. Is there something like a best-practice document?

@Vincent43 commented on GitHub (Jul 10, 2019):

I would recommend disabling less in our `firecfg.config`

@rusty-snake commented on GitHub (Jul 10, 2019):

@flipsa

  • allow temporarily: `firejail --noblacklist="${HOME}/.foo/bar" less .foo/bar`
  • allow commonly used files: `~/.config/firejail/less.local`:
noblacklist ${HOME}/.foo/bar
noblacklist ${HOME}/.foo/baz
  • allow always: comment out `include disable-programs.inc` in /etc/firejail/less.profile
  • don't firejail less by default (as @Vincent43 suggested)
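The second option above (a per-user `less.local` with `noblacklist` lines) is easy to get subtly wrong by hand, so here is an added shell example that is not part of the thread or of the firejail project. It assumes what the stock setup does: `firecfg` puts symlinks to the firejail binary in `/usr/local/bin`, and `/etc/firejail/less.profile` includes `less.local` from `~/.config/firejail`. The paths `.foo/bar` and `.foo/baz` are the placeholders from the comment above; `is_firejailed`, `render_less_local` and `install_less_local` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not firejail project code, not from the thread).
#   is_firejailed NAME         - is the NAME found on PATH one of the
#                                firecfg symlinks pointing at firejail?
#   render_less_local PATH...  - print the noblacklist lines for a
#                                ~/.config/firejail/less.local
#   install_less_local FILE PATH... - write such a file
# Assumes less.profile includes less.local, as the stock profiles do.
set -eu
: "${HOME:?HOME must be set}"

is_firejailed() {
    local target
    target=$(command -v "$1" 2>/dev/null) || return 1   # not installed at all
    [ -L "$target" ] || return 1                          # a real binary, not a wrapper
    case "$(readlink -f "$target")" in
        */firejail) return 0 ;;
        *)          return 1 ;;
    esac
}

# Emit one 'noblacklist' line per argument. Absolute paths under $HOME are
# rewritten with the ${HOME} macro so the file is not tied to one account.
# Anything outside $HOME is rejected: the goal is to re-open only the
# user's own files, not to widen the sandbox elsewhere on the system.
render_less_local() {
    local p
    for p in "$@"; do
        case "$p" in
            "$HOME"/*)   printf 'noblacklist ${HOME}/%s\n' "${p#"$HOME"/}" ;;
            '${HOME}'/*) printf 'noblacklist %s\n' "$p" ;;
            *) printf 'refusing %s: not under $HOME\n' "$p" >&2; return 1 ;;
        esac
    done
}

# Write FILE (normally ~/.config/firejail/less.local) from the given paths.
install_less_local() {
    local file=$1; shift
    mkdir -p "$(dirname "$file")"
    {
        printf '# paths less may read although disable-programs.inc blacklists them\n'
        render_less_local "$@"
    } > "$file"
}

# Demonstration: report whether less is wrapped, then show the lines that
# would be written for the two placeholder paths from the thread.
if is_firejailed less; then
    echo "less is wrapped by firejail"
else
    echo "less is not wrapped by firejail (or not installed)"
fi
render_less_local "$HOME/.foo/bar" "$HOME/.foo/baz"
```

After running `install_less_local ~/.config/firejail/less.local ~/notes ~/src`, a plain `firejail less ~/notes/todo` should open the file while everything else listed in `disable-programs.inc` stays blacklisted; pass a whole directory rather than single files when you would otherwise be adding a line every few minutes.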
@flipsa commented on GitHub (Jul 10, 2019):

That answers my question - closing this issue as solved.
Thanks to both of you!

@Vincent43 commented on GitHub (Jul 10, 2019):

Alternatively we may remove `include disable-common.inc` and `include disable-programs.inc` from the less profile. Maybe make all of `${HOME}` except `.lesshst` read-only?

@Vincent43 commented on GitHub (Jul 10, 2019):

I changed this in https://github.com/netblue30/firejail/commit/ef97d0c5d250362e089ed2b9d78e5575c4dd287a
Reference: github-starred/firejail#1781