[GH-ISSUE #3342] Permission denied when using terminal inside dolphin / kate #2096

Closed
opened 2026-05-05 08:46:39 -06:00 by gitea-mirror · 8 comments

Originally created by @ghost on GitHub (Apr 10, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3342

Describe the bug
Both `dolphin` (file manager) and `kate` (editor) use the KDE terminal application `konsole` to show a terminal window inside the application. Before using firejail, commands were executed, now commands such as `python` (only dolphin) or `sudo echo test` (both programs) result in

> Permission denied.

Behavior change on disabling firejail
All commands were executed without permission error.

To Reproduce
Steps to reproduce the behavior:

  1. Start dolphin / kate
  2. Open terminal window inside application
  3. Run one of the above commands inside terminal
  4. See error

Expected behavior
All commands are executed without permission error.

Desktop (please complete the following information):

  • Ubuntu 19.10
  • Firejail 0.9.60

@ghost commented on GitHub (Apr 10, 2020):

Thanks for reporting this. Not being familiar with KDE this is all a bit speculative, but looking at the firejail profiles for both dolphin and kate, I see a few things that might explain your issues. Both profiles have the 'noroot' option, which could account for commands run with sudo to fail hard. Besides that, the sudo command itself is blacklisted in disable-common.inc, which also gets included in both profiles. Can you try with adding the below to override files /etc/firejail/dolphin.local and /etc/firejail/kate.local (create those if non-existing):

```
noblacklist ${PATH}/sudo
ignore noroot
```

The python issue is probably the easiest to get fixed, as that is only blacklisted via disable-interpreters.inc in the dolphin profile. Try putting the below in /etc/firejail/dolphin.local (you'll have to create that override file if it doesn't exist):

```
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc
```

@rusty-snake commented on GitHub (Apr 10, 2020):

sudo is a suid binary; in addition to @glitsj16's fix you need to `ignore nonewprivs`.

I'm unsure about `nogroups`.


@ghost commented on GitHub (Apr 11, 2020):

Thank you very much for all your help!

Regarding sudo: I started testing with dolphin (kate will probably be similar). As it turns out, I need all of the following commands for the dolphin.local:

```
noblacklist ${PATH}/sudo
noblacklist /etc/shadow
ignore caps.drop
ignore noroot
ignore nonewprivs
ignore protocol
ignore seccomp
```

This set is minimal, i.e. if I leave any one of them out, sudo fails (with different errors). But I am not sure - is this really the best solution, especially regarding `caps.drop` and `protocol` (which have values `all` and `unix,inet,inet6,netlink` in the dolphin.profile)? The best solution for me is the one that keeps as much blacklisting / restriction as possible while still allowing `sudo` to work.

By the way, `nogroups` is not required.


@rusty-snake commented on GitHub (Apr 11, 2020):

  • `ignore caps.drop all`: you can keep this and add `caps.keep cap1,cap2,...`. Use `firejail --debug-caps` as a help. I think at least `setuid` and `setgid` are required.

  • `ignore protocol`: you can try `unix,inet,inet6,netlink,packet`. Those are all the protocols supported by firejail, but I think sudo needs something crazy.

  • `seccomp`: either sudo rejects any seccomp filter on it (for security reasons) or it needs some blacklisted. The last is definitely true, the first I don't know. Search your syslog/journal for SECCOMP violations. Firejail 0.9.60 does not support exceptions for seccomp, therefore you need to add `seccomp.drop`.
    syscalls.txt: https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt
    syscalls.txt (0.9.60): https://github.com/netblue30/firejail/blob/79717102b41cb94fff512f4b7b54dd9494c98f7e/etc/templates/syscalls.txt

@ghost commented on GitHub (Apr 12, 2020):

File managers are a bit special and notoriously hard to sandbox IMO, at least not in a practical/workable way (without crippling the profiles to a bare minimum). That's why firecfg does not enable caja, nautilus, nemo, pcmanfm, ranger and {T,t}hunar by default. I was a bit surprised to see that the only other file manager we support is in fact enabled by default: dolphin. Not sure if we would want to change that, as - like I mentioned before - my KDE experience/insights are close to zero.

@udopt This is just my personal opinion. It is based mainly on the fact that applications inherit the sandbox properties from the application they were launched by. In this context that means - again IMO - that it hardly makes sense to firejail a file-manager you use daily/very frequently. Or to put it differently, it makes more sense to give the specific applications their best possible profile protection, which means you launch them from a not-already-sandboxed application (like a file-manager or a terminal emulator). It is up to you to find a sensible balance between security and workability. Other opinions on this are very welcome, just wanted to give the best info I can on this issue.


@rusty-snake commented on GitHub (Jun 4, 2020):

I'm closing here due to inactivity, please feel free to reopen if you have more questions.


@ghost commented on GitHub (Apr 27, 2021):

Hey

I would like to run a bash script inside of dolphin and I get the following error message:
`bash: ./cp-releng.sh: /bin/bash: bad interpreter: Permission denied`.
Ignoring apparmor solved the issue but I would like to try to allow apparmor.

```
type=AVC msg=audit(1619554752.107:770): apparmor="DENIED" operation="exec" profile="firejail-default" name="~/cp-releng.sh" pid=484211 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000^]FSUID="dan" OUID="dan"
```

Which one should I work on? Firejail or Apparmor?

dolphin.local looks like this at the moment (samba is another problem :)):

```
# Allow internet access
ignore net

# Allow samba fstab mounting
noblacklist ${PATH}/sudo
ignore caps.drop
ignore noroot
ignore nonewprivs
ignore protocol
ignore seccomp
ignore noexec

# For /bin/bash execute
ignore apparmor
```

Thanks


@rusty-snake commented on GitHub (Apr 28, 2021):

> Ignoring apparmor solved the issue but I would like to try to allow apparmor.

https://github.com/netblue30/firejail/blob/5515b5e4ebbc3c76ed201b3fb0b3cf79ecb94fd2/etc/apparmor/firejail-local#L4-L15
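
Added example, not part of the thread or of the firejail project: a small Python triage of audit/journal lines that separates AppArmor denials (like the one quoted above) from SECCOMP records (the "search your syslog/journal" advice earlier in the thread), so an override file relaxes only the control that actually fired. The SECCOMP line and its syscall number are constructed sample data, and `parse_record`, `triage` and `implicated` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample. Line 1 is the AppArmor denial quoted in the thread, with
# the "^]" shown there written as the 0x1d byte that auditd uses between raw and
# enriched fields. Line 2 is a made-up SECCOMP record (arbitrary syscall number).
SAMPLE = (
    'type=AVC msg=audit(1619554752.107:770): apparmor="DENIED" operation="exec" '
    'profile="firejail-default" name="~/cp-releng.sh" pid=484211 comm="bash" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000\x1dFSUID="dan" OUID="dan"\n'
    'type=SECCOMP msg=audit(1586600000.000:101): auid=1000 uid=1000 gid=1000 ses=2 '
    'pid=4242 comm="sudo" exe="/usr/bin/sudo" sig=31 arch=c000003e syscall=165 '
    'compat=0 ip=0x7f0000000000 code=0x0\n'
    'type=USER_START msg=audit(1586600001.000:102): pid=1 uid=0 res=success\n'
)

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    return {k: q if q is not None else bare
            for k, q, bare in (m.groups() for m in KV.finditer(line))}

def triage(log_text):
    """Count denials per (control, subject, kind, detail)."""
    hits = Counter()
    # str.splitlines() would also break on 0x1d, so normalise it and split on \n.
    for line in log_text.replace('\x1d', ' ').split('\n'):
        rec = parse_record(line)
        if rec.get('apparmor') == 'DENIED':
            hits[('apparmor', rec.get('profile'), rec.get('operation'), rec.get('name'))] += 1
        elif rec.get('type') == 'SECCOMP':
            hits[('seccomp', rec.get('comm'), 'syscall', rec.get('syscall'))] += 1
    return hits

def implicated(hits):
    """Firejail profile options whose enforcement actually showed up in the log."""
    return sorted({key[0] for key in hits})

if __name__ == '__main__':
    for key, count in triage(SAMPLE).items():
        print(count, *key)
    print('review only:', ', '.join(implicated(triage(SAMPLE))))
```

A control that never appears in the output for a given failure is a candidate to leave enforced rather than `ignore`.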