[GH-ISSUE #2970] ping broken #1858

Closed
opened 2026-05-05 08:31:48 -06:00 by gitea-mirror · 10 comments

Originally created by @rusty-snake on GitHub (Sep 18, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2970

Moved from #2969.

```
$ ping -c1 github.com
# Works (without firejail)
$ firejail ping -c1 github.com
ping: socket: Die Operation ist nicht erlaubt
```

firejail: latest git.


@rusty-snake commented on GitHub (Sep 18, 2019):

Fix: `force-nonewprivs no` in firejail.config.

@blinux45 can you confirm?


@blinux45 commented on GitHub (Sep 19, 2019):

Uncommenting `force-nonewprivs no` in /etc/firejail/firejail.config did not resolve the ping issue.


@blinux45 commented on GitHub (Sep 19, 2019):

I would like to clarify that for me ping worked within firejail until I used "private-bin ping,....".


@blinux45 commented on GitHub (Sep 19, 2019):

> As @smitsohu says, /bin is mounted `nosuid`.

To recap:
Without private-bin, ping works but when private-bin is enabled it doesn't.
Is the mounting of /bin different in both cases? Something else seems to be going on.
Also when ping is copied to /home/myuser/firejail, it doesn't work under firejail.
Outside firejail it works fine.
Is this a mounting problem as well?


@smitsohu commented on GitHub (Sep 19, 2019):

@blinux45

> Without private-bin, ping works but when private-bin is enabled it doesn't.
> Is the mounting of /bin different in both cases?

Yes, without `private-bin` it is not nosuid.

> Also when ping is copied to /home/myuser/firejail, it doesn't work under firejail.

Did you try with `--noprofile`? The default profile will prevent any raising of privileges.

Edit: nevermind, there is a ping profile.

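The two mechanisms discussed in this thread (a `nosuid` mount under the binary, as `private-bin` creates, and the `NoNewPrivs` flag, as `force-nonewprivs` sets) can both make a setuid `ping` fail with "Operation not permitted". The script below is an added diagnostic, not firejail's own code: it reads the text of `/proc/self/mountinfo` and `/proc/self/status` (live, or captured from inside a sandbox) and reports which restriction applies to a given binary path. The constructed mountinfo and status samples in the test are assumptions, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not part of firejail): explain why a setuid helper such as
# /bin/ping cannot raise privileges inside a sandbox. Two independent causes:
#   (a) the binary sits on a mount carrying "nosuid"   (private-bin case)
#   (b) the process runs with NoNewPrivs=1             (force-nonewprivs case)

# Print the /proc/<pid>/mountinfo line whose mount point (field 5) is the
# longest path-component prefix of $1. $2 is the full mountinfo text.
mount_for_path() {
  printf '%s\n' "$2" | awk -v p="$1" '
    BEGIN { best = -1 }
    { mp = $5; n = length(mp)
      hit = (mp == "/") || (substr(p, 1, n) == mp && (length(p) == n || substr(p, n + 1, 1) == "/"))
      if (hit && n > best) { best = n; line = $0 } }
    END { print line }'
}

# Return 0 when the per-mount options (field 6) of a mountinfo line include nosuid.
mount_is_nosuid() {
  opts=$(printf '%s\n' "$1" | awk '{print $6}')
  case ",$opts," in
    *,nosuid,*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Return 0 when a /proc/<pid>/status text reports "NoNewPrivs: 1".
nnp_is_set() {
  printf '%s\n' "$1" | grep -q '^NoNewPrivs:[[:space:]]*1$'
}

# diagnose BIN MOUNTINFO STATUS: print a verdict and return
#   0 = no sandbox-level restriction found, 1 = nosuid mount, 2 = NoNewPrivs set
diagnose() {
  m=$(mount_for_path "$1" "$2")
  if mount_is_nosuid "$m"; then
    echo "$1: mount point $(printf '%s\n' "$m" | awk '{print $5}') is nosuid; setuid bit is ignored"
    return 1
  fi
  if nnp_is_set "$3"; then
    echo "$1: process has NoNewPrivs=1; execve() will not raise privileges"
    return 2
  fi
  echo "$1: no nosuid/no_new_privs restriction found (check the profile and capabilities next)"
  return 0
}

# Live run when procfs and ping are present; symlinks resolved so merged-/usr
# systems (where /bin -> /usr/bin) are attributed to the right mount.
if [ -r /proc/self/mountinfo ] && command -v ping >/dev/null 2>&1; then
  diagnose "$(readlink -f "$(command -v ping)")" "$(cat /proc/self/mountinfo)" "$(cat /proc/self/status)" || :
fi
```

Run it as `firejail --private-bin=sh,ping sh ./diagnose.sh` versus `firejail sh ./diagnose.sh` to see the nosuid verdict appear only in the first case.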

@blinux45 commented on GitHub (Sep 20, 2019):

To recap, there seems no way to get /bin/ping to work when private-bin is enabled even though ping is explicitly requested.
As in: `--private-bin ping`
Is there an absolute requirement for nosuid to be applied simultaneously with private-bin?
Could nosuid be applied independently (for example nosuid=/bin)?
Enabling/disabling specific commands within /bin seems a separate issue from nosuid.
This is breaking ping.

Regarding /home/myuser/firejail/ping, I use a custom profile --profile=myprofile.
The default profile shouldn't be used in this case. Or is it?
I don't see anything in the custom profile that would block ping from running in /home/myuser/firejail/ping.
In my test case scenario, I invoke a bash shell through firejail (using a custom profile).
If I call ping from within this shell, would the ping profile be used? I would assume a no answer, but it is better to be sure.


@Fred-Barclay commented on GitHub (Sep 20, 2019):

Does `--private-bin=sh,bash,ping` work for you? It's working for me on Arch.

Of course I'm not sure that allowing shell access within private-bin defeats the whole purpose of private-bin... we have to do it sometimes for profiles (it seems especially on Arch this is needed) but I suspect this is a less-than-ideal scenario.


@topimiettinen commented on GitHub (Sep 21, 2019):

The problem with allowing setuid in general is that firejail also lets the unprivileged user manipulate the file system and capabilities, and it could be possible to use that to trick the setuid program into leaking elevated privileges if there was no protection. It's not possible for firejail to know which changes to the file system or capabilities are safe for a specific setuid program, or even to know all possible setuid programs.


@Vincent43 commented on GitHub (Sep 21, 2019):

@topimiettinen as I understand this discussion, `nosuid` is only used for the `private-bin` option, so the problem with setuid bins is only mitigated in this specific case.


@rusty-snake commented on GitHub (Oct 13, 2019):

Closing here. Future discussion about `nosuid`+`private-bin` in #2969.

Reference: github-starred/firejail#1858