[GH-ISSUE #277] add support for symlinks as /home and /home/user

gitea-mirror commented

2026-05-05 05:17:06 -06:00

Owner

Originally created by @KopiasCsaba on GitHub (Feb 3, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/277

Hi!

I can not access my home directory from a simple firejailed bash at all, while it works on a test vm.

`meta@x220:~$ firejail bash
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 27140, child pid 27141

Child process initialized
groups: cannot find name for group ID 65534
[meta@x220 /]$ ls ~
ls: cannot access /data/home/meta: No such file or directory
`

Please help me sort this out, my user has a special /data/home/meta home directory set as home folder (also /home/ is linked to /data/home), so thats the background, please help me!

Thank you very much!

Originally created by @KopiasCsaba on GitHub (Feb 3, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/277 Hi! I can not access my home directory from a simple firejailed bash at all, while it works on a test vm. `meta@x220:~$ firejail bash Reading profile /etc/firejail/generic.profile Reading profile /etc/firejail/disable-mgmt.inc Reading profile /etc/firejail/disable-secret.inc Reading profile /etc/firejail/disable-common.inc *\* Note: you can use --noprofile to disable generic.profile *\* Parent pid 27140, child pid 27141 Child process initialized groups: cannot find name for group ID 65534 [meta@x220 /]$ ls ~ ls: cannot access /data/home/meta: No such file or directory ` Please help me sort this out, my user has a special /data/home/meta home directory set as home folder (also /home/ is linked to /data/home), so thats the background, please help me! Thank you very much!

gitea-mirror

2026-05-05 05:17:06 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:17:13 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 14, 2016):

The symlink is the problem. It looks like I'll have to bring in support for using symlinks as /home or /home/user. It is a very unconventional setup.

@netblue30 commented on GitHub (Feb 14, 2016): The symlink is the problem. It looks like I'll have to bring in support for using symlinks as /home or /home/user. It is a very unconventional setup.

gitea-mirror commented

2026-05-05 05:17:15 -06:00

Author

Owner

@vn971 commented on GitHub (Feb 28, 2016):

offtopic: I used a similar configuration when I only switched from Windows to Linux. After a year of so, I got rid of the /data/ mount point and only used /home though.

@vn971 commented on GitHub (Feb 28, 2016): offtopic: I used a similar configuration when I only switched from Windows to Linux. After a year of so, I got rid of the `/data/` mount point and only used `/home` though.

gitea-mirror commented

2026-05-05 05:17:17 -06:00

Author

Owner

@pepa65 commented on GitHub (Jul 10, 2016):

It seems anything outside of $HOME is out of bounds? Why?? For instance, I store downloads on /data/Downloads which gets symlinked on /home/$USER/Downloads -- doesn't work. What is the thinking behind this? Is there a notion that $HOME is safer?? I actually don't think so, because that is the directory that contains most of the sensitive data on the user.

@pepa65 commented on GitHub (Jul 10, 2016): It seems anything outside of $HOME is out of bounds? Why?? For instance, I store downloads on /data/Downloads which gets symlinked on /home/$USER/Downloads -- doesn't work. What is the thinking behind this? Is there a notion that $HOME is safer?? I actually don't think so, because that is the directory that contains most of the sensitive data on the user.

gitea-mirror commented

2026-05-05 05:17:18 -06:00

Author

Owner

@vn971 commented on GitHub (Jul 10, 2016):

@pepa65 what do you mean by "anything outside of *** is out of bounds"? Surely you can access /usr, /var, /lib etc. Also, what exactly "does not work". You are not allowed to stor files in /data/ anymore, or what?

Talking talking about user-s home directory, AFAIunderstood firejail prefers "convention over configuration". Meaning the $HOME is expected to be inside /home.

I don't know whether that should really change. I think the current approach is good enough, but the author may decide differently.

@vn971 commented on GitHub (Jul 10, 2016): @pepa65 what do you mean by "anything outside of **\* is out of bounds"? Surely you can access /usr, /var, /lib etc. Also, what exactly "does not work". You are not allowed to stor files in /data/ anymore, or what? Talking talking about user-s home directory, AFAIunderstood firejail prefers "convention over configuration". Meaning the $HOME is expected to be inside /home. I don't know whether that should really change. I think the current approach is good enough, but the author may decide differently.

gitea-mirror commented

2026-05-05 05:17:20 -06:00

Author

Owner

@pepa65 commented on GitHub (Jul 10, 2016):

I tried firejail google-chrome-stable which came back with Error: invalid whitelist path /home/pp/Downloads (which is a symlink to /data/Downloads). So then I commented out the line with whitelist ${DOWNLOADS}. Then it came back with Error: invalid whitelist path /home/pp/.fonts (which is a symlink to /data/MyDocuments/fonts) but I can't find where to disable that.

I initially just modified the launcher to start with firejail, which seemed like a good idea, but nothing whatsoever seemed to be happening after clicking on it, so I ran it from the terminal, and found this.

Maybe I'm misunderstanding, or maybe my firejail is misconfigured somehow (this is firejail-0.9.38 on Ubuntu 16.04, from the standard repo). But I don't know how to get Chrome to run, which is the point for me.
EDIT: commented out whitelist ~/.fonts /etc/firejail/whitelist-common.inc and now Chrome is starting!

Lesson for me: if links to illegal locations get whitelisted in profiles or incs, it's a no-go. What is the danger in whitelisting beyond the handful? Is whitelisting a fragile undertaking??

@pepa65 commented on GitHub (Jul 10, 2016): I tried `firejail google-chrome-stable` which came back with `Error: invalid whitelist path /home/pp/Downloads` (which is a symlink to /data/Downloads). So then I commented out the line with `whitelist ${DOWNLOADS}`. Then it came back with `Error: invalid whitelist path /home/pp/.fonts` (which is a symlink to /data/MyDocuments/fonts) but I can't find where to disable that. I initially just modified the launcher to start with firejail, which seemed like a good idea, but nothing whatsoever seemed to be happening after clicking on it, so I ran it from the terminal, and found this. Maybe I'm misunderstanding, or maybe my firejail is misconfigured somehow (this is firejail-0.9.38 on Ubuntu 16.04, from the standard repo). But I don't know how to get Chrome to run, which is the point for me. EDIT: commented out `whitelist ~/.fonts` /etc/firejail/whitelist-common.inc and now Chrome is starting! Lesson for me: if links to illegal locations get whitelisted in profiles or incs, it's a no-go. What is the danger in whitelisting beyond the handful? Is whitelisting a fragile undertaking??

gitea-mirror commented

2026-05-05 05:17:22 -06:00

Author

Owner

@netblue30 commented on GitHub (Jul 10, 2016):

Currently, firejail doesn't support links outside /home/user directory for whitelisting. There seem to be some exploits against the SUID binary. So far I didn't find a secure way to do it. I am still looking into it. This also applies to /tmp directory. All other directories don't seem to have this problem.

Handling user home directories outside /home is doable, but is kind of messy. I still have it on my todo list.

@pepa65

Any reason you keep your data under /data directory? Can you move the whole directory under /home? - for example in /home/pp/data. If you are bringing it in from an external drive you can mount it anywhere.

@netblue30 commented on GitHub (Jul 10, 2016): Currently, firejail doesn't support links outside /home/user directory for whitelisting. There seem to be some exploits against the SUID binary. So far I didn't find a secure way to do it. I am still looking into it. This also applies to /tmp directory. All other directories don't seem to have this problem. Handling user home directories outside /home is doable, but is kind of messy. I still have it on my todo list. @pepa65 Any reason you keep your data under /data directory? Can you move the whole directory under /home? - for example in /home/pp/data. If you are bringing it in from an external drive you can mount it anywhere.

gitea-mirror commented

2026-05-05 05:17:23 -06:00

Author

Owner

@pepa65 commented on GitHub (Jul 10, 2016):

I don't think under my personal /home directory would be appropriate, because then other users would all need access to a subdirectory of my $HOME. Traditionally, it would probably be somewhere under /var, but I liked the idea of introducing a new toplevel directory under root. It hasn't caused problems the last 15 years.

@pepa65 commented on GitHub (Jul 10, 2016): I don't think under my personal /home directory would be appropriate, because then other users would all need access to a subdirectory of my $HOME. Traditionally, it would probably be somewhere under /var, but I liked the idea of introducing a new toplevel directory under root. It hasn't caused problems the last 15 years.

gitea-mirror commented

2026-05-05 05:17:24 -06:00

Author

Owner

@netblue30 commented on GitHub (Jul 10, 2016):

You have a valid point, I'll bring in something in the next few days.

@netblue30 commented on GitHub (Jul 10, 2016): You have a valid point, I'll bring in something in the next few days.

gitea-mirror commented

2026-05-05 05:17:27 -06:00

Author

Owner

@netblue30 commented on GitHub (Jul 12, 2016):

All set in git, you can give it a try.

@netblue30 commented on GitHub (Jul 12, 2016): All set in git, you can give it a try.

Rows
Columns

[GH-ISSUE #277] add support for symlinks as /home and /home/user #191