[GH-ISSUE #3153] Whois not working #1980

Closed
opened 2026-05-05 08:38:37 -06:00 by gitea-mirror · 12 comments

Originally created by @aminvakil on GitHub (Jan 16, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3153

firejail --profile=/etc/firejail/whois.profile --private-bin=strace --allow-debuggers strace -e trace=open,openat whois 185.121.130.130
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
getaddrinfo(whois.ripe.net): Name or service not known
+++ exited with 2 +++

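resolv.conf is needed to resolve whois.ripe.net: in the trace above, opening /etc/resolv.conf fails with ENOENT inside the sandbox, and getaddrinfo() then fails with "Name or service not known".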

firejail --profile=/etc/firejail/whois.profile --private-etc=resolv.conf --private-bin=strace --private-lib=gconv --allow-debuggers strace -e trace=open,openat whois 185.121.130.130
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4
% This is the RIPE Database query service.
.....
% This query was served by the RIPE Database Query Service version 1.96 (BLAARKOP)
+++ exited with 0 +++

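The gconv library is also needed for whois to work properly: with --private-lib=gconv, /usr/lib/gconv/gconv-modules and /usr/lib/gconv/ISO8859-1.so open successfully in the trace above, whereas gconv-modules returned ENOENT in the first run. Note that this run adds --private-etc=resolv.conf and --private-lib=gconv together, so the trace alone does not separate the effect of each option.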

firejail --profile=/etc/firejail/whois.profile --private-etc=resolv.conf --private-bin=strace --private-lib=gconv,libnss_mymachines.so*,libnss_myhostname.so*,libnss_resolve.so*,libresolv.so* --allow-debuggers strace -e trace=open,openat whois 185.121.130.130
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4
% This is the RIPE Database query service.
...
% This query was served by the RIPE Database Query Service version 1.96 (BLAARKOP)
+++ exited with 0 +++

whois also requests the additional libraries below, as shown by strace, but as far as I have tested, whois works properly without them.

libnss_mymachines.so*,libnss_myhostname.so*,libnss_resolve.so*,libresolv.so*

@ghost commented on GitHub (Jan 17, 2020):

@aminvakil Thanks for reporting this. I have been trying to reproduce this on Arch (which I assume is where you're seeing it, given https://bugs.archlinux.org/task/65182). I have a few questions because, so far, I haven't been able to reproduce it:

  • what firejail version are you using? There have been recent changes in the profile. It would be helpful if you could redo your strace tests with the most recent profile too.

  • do you use firecfg? This is important, because if you do there should be a symlink at /usr/local/bin/whois. If so, IMHO using 'firejail ... whois' in your strace examples would be incorrect, because the bare name whois would then resolve to that symlink rather than to /usr/bin/whois. That could explain why I cannot reproduce when redoing the examples with /usr/bin/whois.

For comparison, here is what I see when re-running your strace examples. Basically I get the exact same output with all 3 examples, suggesting the profile from git master works fine as is.

$ firejail --profile=whois --allow-debuggers --private-bin=strace strace -e trace=open,openat /usr/bin/whois 185.121.130.130

openat(AT_FDCWD, "/usr/lib/libhardened_malloc.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
% This is the RIPE Database query service.
...
% This query was served by the RIPE Database Query Service version 1.96 (HEREFORD)


+++ exited with 0 +++

$ firejail --profile=whois --allow-debuggers --private-bin=strace --private-etc=resolv.conf strace -e trace=open,openat /usr/bin/whois 185.121.130.130

openat(AT_FDCWD, "/usr/lib/libhardened_malloc.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
% This is the RIPE Database query service.
...
% This query was served by the RIPE Database Query Service version 1.96 (HEREFORD)


+++ exited with 0 +++

$ firejail --profile=whois --allow-debuggers --private-bin=strace --private-etc=resolv.conf --private-lib=gconv,libnss_mymachines.so*,libnss_myhostname.so*,libnss_resolve.so*,libresolv.so* strace -e trace=open,openat /usr/bin/whois 185.121.130.130

openat(AT_FDCWD, "/usr/lib/libhardened_malloc.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
% This is the RIPE Database query service.
...
% This query was served by the RIPE Database Query Service version 1.96 (ANGUS)


+++ exited with 0 +++

<!-- gh-comment-id:575437378 --> @ghost commented on GitHub (Jan 17, 2020): @aminvakil Thanks for reporting this. I have been trying to reproduce on Arch (which I assume you're seeing this on due to https://bugs.archlinux.org/task/65182). I have a few questions, as, for now, I haven't been able to reproduce: - what firejail version are you using? There have been [recent changes](https://github.com/netblue30/firejail/blob/master/etc/whois.profile) in the profile. It would be helpful if you could redo your strace tests with the most recent profile too. - do you use firecfg? This is important, because if you do there should be a symlink at /usr/local/bin/whois. If so, IMHO using 'firejail ... whois' in your strace examples would be incorrect and could explain why I cannot reproduce when redoing the examples with /usr/bin/whois. For comparison, here is what I see when re-running your strace examples. Basically I get the exact same output with all 3 examples, suggesting the profile from git master works fine as is. 
$ firejail --profile=whois --allow-debuggers --private-bin=strace strace -e trace=open,openat /usr/bin/whois 185.121.130.130 ``` openat(AT_FDCWD, "/usr/lib/libhardened_malloc.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, 
"/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 % This is the RIPE Database query service. ... % This query was served by the RIPE Database Query Service version 1.96 (HEREFORD) +++ exited with 0 +++ ``` $ firejail --profile=whois --allow-debuggers --private-bin=strace --private-etc=resolv.conf strace -e trace=open,openat /usr/bin/whois 185.121.130.130 ``` openat(AT_FDCWD, "/usr/lib/libhardened_malloc.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or 
directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 % This is the RIPE Database query service. ... 
% This query was served by the RIPE Database Query Service version 1.96 (HEREFORD) +++ exited with 0 +++ ``` $ firejail --profile=whois --allow-debuggers --private-bin=strace --private-etc=resolv.conf --private-lib=gconv,libnss_mymachines.so*,libnss_myhostname.so*,libnss_resolve.so*,libresolv.so* strace -e trace=open,openat /usr/bin/whois 185.121.130.130 ``` openat(AT_FDCWD, "/usr/lib/libhardened_malloc.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 
openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 % This is the RIPE Database query service. ... % This query was served by the RIPE Database Query Service version 1.96 (ANGUS) +++ exited with 0 +++ ```

@rusty-snake commented on GitHub (Jan 17, 2020):

@aminvakil @glitsj16 firejail --trace=whois.trace --private-etc=resolv.conf whois 1.2.3.4 and after that grep -E ":open(at)? " whois.trace is much simpler.

<!-- gh-comment-id:575613193 --> @rusty-snake commented on GitHub (Jan 17, 2020): @aminvakil @glitsj16 `firejail --trace=whois.trace --private-etc=resolv.conf whois 1.2.3.4` and after that `grep -E ":open(at)? " whois.trace` is much simpler.

@aminvakil commented on GitHub (Jan 17, 2020):

firejail --version
firejail version 0.9.62

Yes, I'm using firecfg, but I thought executing /usr/local/bin/whois was no different from executing /usr/bin/whois with whois.profile.

Also, I'm using the latest whois.profile from this git repo, although the latest whois.profile from the Arch Linux package causes problems with libraries as well. As far as I can tell, the difference between the Arch Linux whois.profile and this repo's whois.profile is the resolv.conf-related error that this repo's whois.profile gives.

I've tested again with /usr/bin/whois and output is the same.

<!-- gh-comment-id:575698912 --> @aminvakil commented on GitHub (Jan 17, 2020): ``` firejail --version firejail version 0.9.62 ``` Yes, I'm using firecfg, but as I though executing /usr/local/bin/whois is not different from executing /usr/bin/whois with whois.profile. Also I'm using the latest whois.profile from this git repo, although the latest whois.profile from Archlinux package makes problem with libraries as well, as far I realized difference from Archlinux whois.profile and this repo whois.profile is the error which this repo whois.profile gives related to resolv.conf. I've tested again with /usr/bin/whois and output is the same.

@aminvakil commented on GitHub (Jan 17, 2020):

Output:
firejail --profile=/etc/firejail/whois.profile --private-bin=strace --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, 
"/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) getaddrinfo(whois.ripe.net): Name or service not known +++ exited with 2 +++

firejail --profile=/etc/firejail/whois.profile --private-etc=resolv.conf --private-bin=strace --private-lib=gconv --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4 % This is the RIPE Database query service. ... % This query was served by the RIPE Database Query Service version 1.96 (HEREFORD) +++ exited with 0 +++

firejail --profile=/etc/firejail/whois.profile --private-etc=resolv.conf --private-bin=strace --private-lib=gconv,libnss_mymachines.so*,libnss_myhostname.so*,libnss_resolve.so*,libresolv.so* --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", 
O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4 % This is the RIPE Database query service. ... % This query was served by the RIPE Database Query Service version 1.96 (HEREFORD) +++ exited with 0 +++

<!-- gh-comment-id:575700781 --> @aminvakil commented on GitHub (Jan 17, 2020): Output: `firejail --profile=/etc/firejail/whois.profile --private-bin=strace --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) getaddrinfo(whois.ripe.net): Name or service not known +++ exited with 2 +++` `firejail --profile=/etc/firejail/whois.profile --private-etc=resolv.conf --private-bin=strace --private-lib=gconv --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 
ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, 
"/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4 % This is the RIPE Database query service. ... % This query was served by the RIPE Database Query Service version 1.96 (HEREFORD) +++ exited with 0 +++` `firejail --profile=/etc/firejail/whois.profile --private-etc=resolv.conf --private-bin=strace --private-lib=gconv,libnss_mymachines.so*,libnss_myhostname.so*,libnss_resolve.so*,libresolv.so* --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/lib/libtracelog.so", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/run/firejail/mnt/fslogger", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4 % This is the RIPE Database query service. ... % This query was served by the RIPE Database Query Service version 1.96 (HEREFORD) +++ exited with 0 +++`

@rusty-snake commented on GitHub (Jan 17, 2020):

Have you a whois.local / globals.local?

<!-- gh-comment-id:575701156 --> @rusty-snake commented on GitHub (Jan 17, 2020): Have you a whois.local / globals.local?

@aminvakil commented on GitHub (Jan 17, 2020):

Have you a whois.local / globals.local?

No.

<!-- gh-comment-id:575701535 --> @aminvakil commented on GitHub (Jan 17, 2020): > Have you a whois.local / globals.local? No.

@aminvakil commented on GitHub (Jan 17, 2020):

@aminvakil @glitsj16 firejail --trace=whois.trace --private-etc=resolv.conf whois 1.2.3.4 and after that grep -E ":open(at)? " whois.trace is much simpler.

This doesn't output anything extra:
firejail --trace=whois.trace --private-etc=resolv.conf /usr/bin/whois 185.121.130.130 iconv_open: Invalid argument

Also, an interesting thing I realized just now is that whois 1.2.3.4 works, but whois 185.121.130.130 does not.

I've seen some other IPs before which don't have the problem and are queried correctly, but I can't see the pattern yet.

<!-- gh-comment-id:575708863 --> @aminvakil commented on GitHub (Jan 17, 2020): > @aminvakil @glitsj16 `firejail --trace=whois.trace --private-etc=resolv.conf whois 1.2.3.4` and after that `grep -E ":open(at)? " whois.trace` is much simpler. This doesn't output anything extra: `firejail --trace=whois.trace --private-etc=resolv.conf /usr/bin/whois 185.121.130.130 iconv_open: Invalid argument` Also an interesting thing I realized now is `whois 1.2.3.4` works, but `whois 185.121.130.130` not. I've seen some other IPs before which doesn't have problem and queries correctly, but I can't understand the pattern yet.

@rusty-snake commented on GitHub (Jan 17, 2020):

@aminvakil this is an alternative to the complex strace line. Adding --private-lib=gconv and whatever else is needed will help. My point was the workflow, not the full command line for whois.

<!-- gh-comment-id:575709863 --> @rusty-snake commented on GitHub (Jan 17, 2020): @aminvakil this is an alternative to the complex strace line. Adding `--private-lib=gconv` and what else is needed will help. My intention was the workflow, not the full cmd for whois.

@ghost commented on GitHub (Jan 19, 2020):

Also an interesting thing I realized now is whois 1.2.3.4 works, but whois 185.121.130.130 not.

@aminvakil That's weird indeed. Do you see similar results on different IP addresses without using firejail as well? What does your DNS setup look like? Anything non-default in your /etc/whois.conf? I'd try different hosts using the whois --host flag, in combination with --verbose mode. Just anything really that might give a more precise view of what whois is doing exactly...

<!-- gh-comment-id:575970080 --> @ghost commented on GitHub (Jan 19, 2020): > Also an interesting thing I realized now is whois 1.2.3.4 works, but whois 185.121.130.130 not. @aminvakil That's weird indeed. Do you see similar results on different IP addresses also without using firejail? How does your DNS setup look like? Anything non-default in your /etc/whois.conf? I'd try different hosts using the whois `--host` flag, in combination with `--verbose` mode. Just anything really that might show a more precise view on what whois is doing exactly...

@aminvakil commented on GitHub (Jan 19, 2020):

My /etc/whois.conf is empty (except default comments).

cat /etc/whois.conf 
# whois configuration file
#
# This file can contain details of alternative whois servers to use if
# the compiled in servers are not suitable.  Each entry is a single
# text line and consists of a regular expression pattern to match and
# the whois server to be used for it, separated by blank space. 
# IDN domains must use the ACE format.
#
# Eg: 
# \.nz$ nz.whois-servers.net
#

I can't see any problem using whois without firejail.

My /etc/resolv.conf is being managed by NetworkManager and varies from time to time based on my environment, but I really doubt that causes the problem.

I've installed firejail from the Arch Linux repo again; its whois.profile doesn't have `private-etc` and reads as below. (I have a question here: if whois doesn't have access to /etc/resolv.conf, how should it resolve whois.ripe.net, etc.?)

cat /etc/firejail/whois.profile
# Firejail profile for whois
# Description: Intelligent WHOIS client
# This file is overwritten after every install/update
# NOTE(review): because of the overwrite, local changes belong in whois.local
# (included below), not in this file.
quiet
# Persistent local customizations
include whois.local
# Persistent global definitions
include globals.local

# Shared deny lists shipped with firejail; their contents are not shown here.
include disable-common.inc
# include disable-devel.inc
include disable-exec.inc
# include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
#include disable-xdg.inc

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Drop every Linux capability inside the sandbox.
caps.drop all
# ipc-namespace
# NOTE(review): netfilter only has an effect when the sandbox gets its own
# network namespace; none is requested in the lines shown here.
netfilter
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
# Only IPv4 and IPv6 sockets may be created.
protocol inet,inet6
seccomp
shell none

disable-mnt
private
private-bin bash,sh,whois
private-cache
private-dev
# NOTE(review): the private-etc line below is commented out in this packaged
# profile, and its list does not name resolv.conf. If it is re-enabled,
# resolv.conf has to be added for name resolution; the traces in this thread
# show getaddrinfo() failing when /etc/resolv.conf is missing in the sandbox.
# private-etc alternatives,hosts,services,whois.conf
# NOTE(review): private-lib builds a reduced library directory. The traces in
# this thread show /usr/lib/gconv/gconv-modules returning ENOENT unless gconv
# is listed, and ISO8859-1.so loading once "--private-lib=gconv" is passed.
# That is the likely source of "iconv_open: Invalid argument". A "private-lib
# gconv" entry keeps the restriction while making charset conversion work.
private-lib
private-tmp

# Block memory mappings that are both writable and executable.
memory-deny-write-execute

I tried some IPs (typed at random); under firejail, some whois lookups succeeded and some failed, as shown below:

Failed:

whois 185.121.130.130 --verbose
Using server whois.ripe.net.
Query string: "-V Md5.5.4 185.121.130.130"

iconv_open: Invalid argument
whois 200.190.213.123 --verbose
Using server whois.lacnic.net.
Query string: "200.190.213.123"

iconv_open: Invalid argument
whois 91.29.11.11 --verbose
Using server whois.ripe.net.
Query string: "-V Md5.5.4 91.29.11.11"

iconv_open: Invalid argument

Succeed:

whois 1.1.1.1 --verbose
Using server whois.apnic.net.
Query string: "-V Md5.5.4 1.1.1.1"

% [whois.apnic.net]
whois 20.190.213.123 --verbose
Using server whois.arin.net.
Query string: "n + 20.190.213.123"


#
# ARIN WHOIS data and services are subject to the Terms of Use
whois 102.2.1.4 --verbose
Using server whois.afrinic.net.
Query string: "-V Md5.5.4 102.2.1.4"

% This is the AfriNIC Whois server.

Also, I'm from Iran and the Internet in our country is so messed up: many websites are filtered by our own government and many websites are blocked because of sanctions. But I've tested these using proxies in different countries and the results are the same. (In case someone notices where I am from :))

<!-- gh-comment-id:575974107 --> @aminvakil commented on GitHub (Jan 19, 2020): My `/etc/whois.conf` is empty (except default comments). ``` cat /etc/whois.conf # whois configuration file # # This file can contain details of alternative whois servers to use if # the compiled in servers are not suitable. Each entry is a single # text line and consists of a regular expression pattern to match and # the whois server to be used for it, separated by blank space. # IDN domains must use the ACE format. # # Eg: # \.nz$ nz.whois-servers.net # ``` I can't see any problem using whois without firejail. My `/etc/resolv.conf` is being managed by NetworkManager and varies from time to time based on my environment, but I really doubt that causes the problem. I've installed firejail from Archlinux repo again which doesn't have `private-etc and goes as below: (I have a question here, if whois doesn't have access to /etc/resolv.conf how should it resolv whois.ripe.net, etc.?) ``` cat /etc/firejail/whois.profile # Firejail profile for whois # Description: Intelligent WHOIS client # This file is overwritten after every install/update quiet # Persistent local customizations include whois.local # Persistent global definitions include globals.local include disable-common.inc # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc #include disable-xdg.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all # ipc-namespace netfilter no3d nodbus nodvd nogroups nonewprivs noroot nosound notv nou2f novideo protocol inet,inet6 seccomp shell none disable-mnt private private-bin bash,sh,whois private-cache private-dev # private-etc alternatives,hosts,services,whois.conf private-lib private-tmp memory-deny-write-execute ``` I tried some IPs (which are typed randomly) which succeed and failed using firejail whois of course as below: Failed: ``` whois 185.121.130.130 --verbose 
Using server whois.ripe.net. Query string: "-V Md5.5.4 185.121.130.130" iconv_open: Invalid argument ``` ``` whois 200.190.213.123 --verbose Using server whois.lacnic.net. Query string: "200.190.213.123" iconv_open: Invalid argument ``` ``` whois 91.29.11.11 --verbose Using server whois.ripe.net. Query string: "-V Md5.5.4 91.29.11.11" iconv_open: Invalid argument ``` Succeed: ``` whois 1.1.1.1 --verbose Using server whois.apnic.net. Query string: "-V Md5.5.4 1.1.1.1" % [whois.apnic.net] ``` ``` whois 20.190.213.123 --verbose Using server whois.arin.net. Query string: "n + 20.190.213.123" # # ARIN WHOIS data and services are subject to the Terms of Use ``` ``` whois 102.2.1.4 --verbose Using server whois.afrinic.net. Query string: "-V Md5.5.4 102.2.1.4" % This is the AfriNIC Whois server. ``` Also I'm from Iran and Internet in our country is so messed up, many websites are filter by our own government and many websites are blocked because of sanctions, but I've tested these using proxies in different countries and results are the same. (In case someone notices where I am from:))

@ghost commented on GitHub (Jan 19, 2020):

@aminvakil Thank you for testing and posting results here. After looking at those more carefully, here are my observations:

/etc/whois.conf looks fine, stock Arch defaults
/etc/resolv.conf is being managed by NetworkManager: although there are other options, this should work

> I have a question here, if whois doesn't have access to /etc/resolv.conf how should it resolv whois.ripe.net, etc.?

Spot on. AFAIK whois guesses the right server to ask for the specified object from an internal database. If a 'guess' fails, it moves on and tries another one. Looking at your failure/success pattern, some of these 'guesses' always seem to fail, while others succeed. To me that suggests something is off with DNS resolution. Whether or not that has anything to do with the current Iranian situation is something I cannot ascertain, sadly enough. But don't despair, we can try a few things!

Have you tried using firejail's --dns option yet? If not, please run some more tests, no need for stracing this time. Especially test the failing IP lookups:

$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 185.121.130.130
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.apnic.net 185.121.130.130
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.arin.net 185.121.130.130
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.afrinic.net 185.121.130.130

$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 200.190.213.123
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.apnic.net 200.190.213.123
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.arin.net 200.190.213.123
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.afrinic.net 200.190.213.123

$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 91.29.11.11
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.apnic.net 91.29.11.11
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.arin.net 91.29.11.11
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.afrinic.net 91.29.11.11

When 1.1.1.1 and 9.9.9.9 do work as expected (with or without specifying a whois host with the -h flag), you can use a whois.local file like the below:

$ cat /etc/firejail/whois.local
# Firejail profile for whois
# Persistent local customizations

# DNS (not supported on systemd-resolved setups) - maximum 3
# IMPORTANT: check these servers are resolving properly and reliably
# Lookups made inside the sandbox go to the servers pinned here rather than
# to the host's configured resolver, so list only resolvers you trust.
dns 1.1.1.1
dns 9.9.9.9
# NOTE(review): presumably expects a resolver listening on loopback -- confirm
# one is running before relying on this entry.
dns 127.0.0.1
# ignore dns will ignore any following, but not previously parsed dns option
# this safeguards DNS from being changed during processing
ignore dns

# add resolv.conf to private-etc
# The packaged whois.profile quoted in this thread ships with private-etc
# commented out, so this line is what turns the /etc restriction on: the
# sandbox gets an /etc built from the files named here, and anything whois
# needs from /etc has to be on this list.
private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf

# add gconv to private-lib
# NOTE(review): the "iconv_open: Invalid argument" failures reported in this
# thread are consistent with glibc's charset-conversion modules being absent
# from the reduced library directory -- verify by tracing opens under
# /usr/lib/gconv inside the sandbox.
private-lib gconv

Best of luck!

<!-- gh-comment-id:575990761 --> @ghost commented on GitHub (Jan 19, 2020): @aminvakil Thank you for testing and posting results here. After looking at those more carefully, here are my observations: /etc/whois.conf looks fine, stock Arch defaults /etc/resolv.conf is being managed by NetworkManager: although there are other options, this should work > I have a question here, if whois doesn't have access to /etc/resolv.conf how should it resolv whois.ripe.net, etc.? Spot on. AFAIK whois guesses the right server to ask for the specified object from an internal database. If a 'guess' fails, it moves on and tries another one. Looking at your failure/succes pattern, some of these 'guesses' always seem to fail, others succeed. To me that suggests something is off with DNS resolution. Wether or not that has anything to do with the current Iranian situation is something I cannot ascertain, sadly enough. But don't despair, we can try a few things! Have you tried using firejail's --dns option yet? If not, please run some more tests, no need for stracing this time. 
Especially test the failing IP lookups: ``` $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 185.121.130.130 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.apnic.net 185.121.130.130 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.arin.net 185.121.130.130 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.afrinic.net 185.121.130.130 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 200.190.213.123 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.apnic.net 200.190.213.123 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.arin.net 200.190.213.123 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.afrinic.net 200.190.213.123 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 91.29.11.11 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.apnic.net 91.29.11.11 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.arin.net 91.29.11.11 $ firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois -h whois.afrinic.net 91.29.11.11 ``` When 1.1.1.1 and 9.9.9.9 do work as expected (with or without specifying a whois host with the -h flag), you can use a whois.local file like the below: ``` $ cat /etc/firejail/whois.local # Firejail profile for whois # Persistent local customizations # DNS (not supported on systemd-resolved setups) - maximum 3 # IMPORTANT: check these servers are resolving properly and reliably dns 1.1.1.1 dns 9.9.9.9 dns 127.0.0.1 # ignore dns wil ignore any following, but not previously parsed dns option # this safeguards DNS from being changed during processing ignore dns # add resolv.conf to private-etc private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf # add gconv to private-lib private-lib gconv ``` Best of luck!

@aminvakil commented on GitHub (Jan 19, 2020):

I'm going crazy now.

firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 185.121.130.130

This didn't work at first. The rest of the commands worked properly as long as they didn't redirect to another whois server; otherwise they gave the error: iconv_open: Invalid argument

Then I added your whois.local file and everything was fine.

After that I removed whois.local and now everything is OK!!!

I don't know how this got fixed. Does it get cached somewhere? Is it stored, as you said, in whois's internal database, so that some other time, if I query a whois server that wasn't in your commands, I will face this error again?

Also I added strace to private-bin again to test and this is very interesting too:

firejail --profile=/etc/firejail/whois.profile --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)

openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3

openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4

% This is the RIPE Database query service.
...
+++ exited with 0 +++

Why is whois permitted to access gconv now?

I'm pretty sure I removed whois.local; I've checked 10 times and it's not there. I reinstalled firejail, and my whois.profile is the same as the one from the Archlinux repos except for strace in private-bin.

I think I'm missing something and I don't want to take your time anymore, therefore I will close this issue, but if you had any idea why gconv is permitted to access again please tell me.

Thank you very much indeed

<!-- gh-comment-id:575993782 --> @aminvakil commented on GitHub (Jan 19, 2020): I'm going crazy now. ``` firejail --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/whois 185.121.130.130 ``` This doesn't work at first, and rest of commands if they didn't redirect to another whois server, worked properly, otherwise they would give the error: iconv_open: Invalid argument Then I added your whois.local file and everything was fine. After that I remove whois.local and now everything is OK!!! I don't know how this gets fixed, does it get cached somewhere? Does it sets as you said in its internal database and maybe in another time if I query from another whois server which wasn't in your commands I will face this error again? Also I added strace to private-bin again to test and this is very interesting too: ``` firejail --profile=/etc/firejail/whois.profile --allow-debuggers strace -e trace=open,openat /usr/bin/whois 185.121.130.130 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/haswell/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/x86_64/libidn2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libunistring.so.2", 
O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/whois.conf", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/services", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory) ``` **openat(AT_FDCWD, "/usr/lib/gconv/gconv-modules", O_RDONLY|O_CLOEXEC) = 3** ``` openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) ``` **openat(AT_FDCWD, "/usr/lib/gconv/ISO8859-1.so", O_RDONLY|O_CLOEXEC) = 4** ``` % This is the RIPE Database query service. ... +++ exited with 0 +++ ``` Why whois is permitted to access gconv now? I'm pretty sure I remove whois.local, I've checked it 10 times and it's not there, I reinstalled firejail and my whois.profile is the same as archlinux repos except strace in private-bin. I think I'm missing something and I don't want to take your time anymore, therefore I will close this issue, but if you had any idea why gconv is permitted to access again please tell me. Thank you very much indeed