mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #2968] using --private=homedir and --private-cache, doesn't do --private-cache #1856
Reference: github-starred/firejail#1856
Originally created by @jonleivent on GitHub (Sep 17, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2968
In firejail version 0.9.61 on Debian 10.
The combination of using --private=somedir with --private-cache doesn't work: the --private-cache setting doesn't prevent somedir/.cache from being used.
Tested using:
firejail --private=somedir --private-cache firefox
I haven't checked previous versions of firejail. My use case is that I'm placing somedir in a small encrypted volume (possibly on a usb stick): so somedir/.cache is superfluous, uses up precious space in the encrypted volume, and slows things down as it encrypts/decrypts.
@jonleivent commented on GitHub (Sep 17, 2019):
More on this: the failure of --private-cache to take hold only happens when there was initially no .cache folder present in somedir. If I create an empty somedir/.cache, then --private=somedir --private-cache work together properly. OK - I will keep an empty .cache around in each such somedir. But, should firejail print out an error if there is no .cache directory in home when --private-cache is used? If not, this is perhaps a security issue, allowing info to escape the firejail into .cache when that was supposed to be prevented by --private-cache?
@rusty-snake commented on GitHub (Sep 17, 2019):
Fix: #903 '--mkdir=${HOME}/.cache'
@jonleivent commented on GitHub (Sep 17, 2019):
Unfortunately @rusty-snake, using mkdir in a profile only works in ~ or in /tmp. The somedir I'm using in --private=somedir is on a separate volume entirely (and even after "private somedir" appears in the profile, somedir isn't considered by mkdir to be adequate). I will just have to ensure somedir has a .cache in it via a script check outside of the firejail profile.
@smitsohu commented on GitHub (Sep 18, 2019):
You should see a warning, and if there is none that's a bug I would say.
@smitsohu commented on GitHub (Nov 24, 2019):
Making the warning an error is a bit problematic, iirc some people are putting this in their /etc/firejail/globals.local, and it would break their setup.
But I've updated the warning message, I think it is more clear now there is something going wrong with the private-cache. Thanks for the report. Closing for now.
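The workaround described in the thread (keep a `.cache` directory inside the directory given to `--private=`, checked by a script outside the profile), as an added example that is not from the issue or the firejail project. The function names, return codes and the symlink and non-empty checks are assumptions made for illustration:

```shell
#!/bin/sh
# Added example (not firejail code): make sure the directory passed to
# --private= contains a real .cache directory before firejail starts.

# ensure_private_cache DIR  (hypothetical helper)
#   0  DIR/.cache is a real, empty directory (created if it was missing)
#   1  DIR is not a directory, or .cache could not be created
#   2  DIR/.cache is a symlink or a non-directory
#   3  DIR/.cache is a directory that already holds files
ensure_private_cache() {
    dir=$1
    cache=$dir/.cache
    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory" >&2
        return 1
    fi
    # Check for a symlink first: -d follows links, and a linked .cache
    # would put the cache somewhere other than under DIR.
    if [ -L "$cache" ] || { [ -e "$cache" ] && [ ! -d "$cache" ]; }; then
        echo "error: $cache is not a plain directory" >&2
        return 2
    fi
    if [ ! -d "$cache" ]; then
        mkdir -m 700 "$cache" || return 1
    fi
    # Leftover files take up space on the volume, so report them.
    if [ -n "$(ls -A "$cache")" ]; then
        echo "warning: $cache is not empty" >&2
        return 3
    fi
    return 0
}

# run_with_private_cache DIR PROGRAM [ARGS...]  (hypothetical wrapper)
run_with_private_cache() {
    dir=$1
    shift
    rc=0
    ensure_private_cache "$dir" || rc=$?
    case $rc in
        0|3) ;;               # 3 is only a warning: the directory exists
        *) return "$rc" ;;
    esac
    exec firejail --private="$dir" --private-cache "$@"
}

# Usage: ./script somedir firefox
if [ "$#" -ge 2 ]; then
    run_with_private_cache "$@"
fi
```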