[GH-ISSUE #284] Cannot run lxterminal #199

Closed
opened 2026-05-05 05:18:10 -06:00 by gitea-mirror · 11 comments

Originally created by @liloman on GitHub (Feb 8, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/284

Hi,

I just started to use this tool for firefox with vimperator.
Everything is working right but if I do:
:!pcmanfm

I can launch a file explorer without restriction.

Is it a common issue? Cause if I understand right the child should have the same privileges as his parent.

Cheers and great tool 👍

gitea-mirror closed this issue and added the bug label (2026-05-05 05:18:10 -06:00)

@brunonova commented on GitHub (Feb 8, 2016):

I don't use PCManFM, but maybe when it's already running and you execute pcmanfm, the running instance of PCManFM "captures it" and opens a new window?

Some programs do this, like Firefox and Nautilus.


@liloman commented on GitHub (Feb 8, 2016):

It's possible, I was thinking of something related to dbus/Polkit.

PS: It seems that debugging is not working with journalctl so you have to up syslog??


@netblue30 commented on GitHub (Feb 9, 2016):

I think PCManFM listens on a regular Unix socket. The only thing it is doing is opening a new file manager, it doesn't take any commands over the socket.


@liloman commented on GitHub (Feb 9, 2016):

I've been testing and I can't launch a terminal for example but I can execute /bin commands inside the namespace.

I don't know why it isn't "totally" blacklisted.

Btw my bad, to see the logs from journalctl:

```bash
journalctl SYSLOG_IDENTIFIER=firejail
```

Nice tools both indeed.


@netblue30 commented on GitHub (Feb 9, 2016):

I have blacklisted some terminals in /etc/firejail/disable-common.inc. These programs listen on Unix sockets and unlike PCManFM accept commands coming on the socket. This effectively allows an intruder to break out of the sandbox. You can still start a terminal using --noblacklist:

```
$ firejail --noblacklist=/usr/bin/lxterminal lxterminal
```

@liloman commented on GitHub (Feb 10, 2016):

Even launching it from a lxterminal:

```bash
firejail --noblacklist=/usr/bin/lxterminal lxterminal
Reading profile /usr/local/etc/firejail/generic.profile
Reading profile /usr/local/etc/firejail/disable-mgmt.inc
Reading profile /usr/local/etc/firejail/disable-secret.inc
Reading profile /usr/local/etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 10033, child pid 10034

Child process initialized
/bin/bash: /bin/lxterminal: Permiso denegado

parent is shutting down, bye...
```

I saw no tests with --noblacklist. Maybe when I have some time and make some test.

PS: It's a fresh git installation.


@netblue30 commented on GitHub (Feb 11, 2016):

> /bin/bash: /bin/lxterminal: Permiso denegado

Start it like this:

```
$ firejail --noblacklist=/bin/lxterminal lxterminal
```

Probably you are running Arch Linux. Arch is merging /bin and /usr/bin directory into a single directory.
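
Added example, not part of the original thread and not firejail code: the path given to `--noblacklist` had to change above because `/bin` and `/usr/bin` are one directory on some distributions. This sketch lists every `PATH` spelling of a command and the real file behind it, so a path-based rule can be checked against each spelling; the function names and the `demo-term` binary are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not firejail code): show which PATH spellings of a command
# point at the same file, as happens when /bin is a symlink to /usr/bin.

# path_aliases NAME [PATH_STRING]
# Prints "candidate -> realpath" for each PATH directory that contains NAME.
path_aliases() {
    local name="$1" search="${2:-$PATH}" dir
    local IFS=:
    for dir in $search; do
        [ -n "$dir" ] || continue
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s -> %s\n' "$dir/$name" "$(readlink -f -- "$dir/$name")"
        fi
    done
}

# count_targets NAME [PATH_STRING]
# Number of distinct real files behind those spellings. More spellings than
# targets means one binary is reachable under several path strings.
count_targets() {
    path_aliases "$@" | sed 's/.* -> //' | sort -u | wc -l | tr -d ' '
}

# make_merged_root
# Constructed sample: a temp directory laid out like a merged-/usr system,
# with bin -> usr/bin and one executable called demo-term.
make_merged_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    ln -s usr/bin "$root/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/demo-term"
    chmod +x "$root/usr/bin/demo-term"
    printf '%s\n' "$root"
}

# When run with a command name, report its spellings on the live system.
[ $# -eq 0 ] || path_aliases "$1"
```

Running it with `lxterminal` as the argument on a merged-/usr system prints both `/bin/lxterminal` and `/usr/bin/lxterminal` resolving to the same file.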


@liloman commented on GitHub (Feb 11, 2016):

You're right I'm running Fedora who was the impulsor (Lennart) of this merging. :)

```bash
firejail --noblacklist=/bin/lxterminal lxterminal
Reading profile /usr/local/etc/firejail/generic.profile
Reading profile /usr/local/etc/firejail/disable-mgmt.inc
Reading profile /usr/local/etc/firejail/disable-secret.inc
Reading profile /usr/local/etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 10684, child pid 10685

Child process initialized
/bin/bash: /bin/lxterminal: Permiso denegado

parent is shutting down, bye...
```

It's often a surprise how things can work differently in one distro and another. 🏄


@netblue30 commented on GitHub (Feb 11, 2016):

I'll have to fix it, thanks!


@netblue30 commented on GitHub (Feb 13, 2016):

Fixed! Try:

```
$ firejail lxterminal
```

@liloman commented on GitHub (Feb 13, 2016):

Working!.

Nice. :)
