[GH-ISSUE #3357] No warning or error if a file or directory does not exist

gitea-mirror commented

2026-05-05 08:47:09 -06:00

Owner

Originally created by @rdiez on GitHub (Apr 15, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3357

The following command prints no errors or warnings:

firejail --noprofile --read-write=/does/not/exist --read-only=/does/not/exist sh -c "echo a"

This makes using Firejail rather brittle. You will tend to miss errors in your scripts.

I think that specifying a path which does not exist should fail straight away.

A file glob expression that matches no files or directories should at least generate a warning. Compare with the "rm" command, which fails immediately:

$ rm *does-not-exist*
rm: cannot remove '*does-not-exist*': No such file or directory

I have tested this issue with the latest Firejail release version 0.9.62. I am using Ubuntu 18.04.4 LTS, so that new version came from the Firejail PPA.

Originally created by @rdiez on GitHub (Apr 15, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3357 The following command prints no errors or warnings: `firejail --noprofile --read-write=/does/not/exist --read-only=/does/not/exist sh -c "echo a"` This makes using Firejail rather brittle. You will tend to miss errors in your scripts. I think that specifying a path which does not exist should fail straight away. A file glob expression that matches no files or directories should at least generate a warning. Compare with the "rm" command, which fails immediately: ``` $ rm *does-not-exist* rm: cannot remove '*does-not-exist*': No such file or directory ``` I have tested this issue with the latest Firejail release version 0.9.62. I am using Ubuntu 18.04.4 LTS, so that new version came from the [Firejail PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).

gitea-mirror added the

enhancement

label 2026-05-05 08:47:09 -06:00

gitea-mirror commented

2026-05-05 08:47:11 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 15, 2020):

The issue here are all the disable-*.inc files.
Consider

blacklist /etc/fedora_path
blacklist /etc/ubuntu_path
# or
blacklist ${HOME}/.mozilla
blacklist ${HOME}/.config/chrome

You will either need to spam your home directory, or comment every thing and forget to uncomment when you need it.

You can use mkdir and mkfile to create paths.

@rusty-snake commented on GitHub (Apr 15, 2020): The issue here are all the disable-*.inc files. Consider ``` blacklist /etc/fedora_path blacklist /etc/ubuntu_path # or blacklist ${HOME}/.mozilla blacklist ${HOME}/.config/chrome ``` You will either need to spam your home directory, or comment every thing and forget to uncomment when you need it. You can use `mkdir` and `mkfile` to create paths.

gitea-mirror commented

2026-05-05 08:47:11 -06:00

Author

Owner

@rdiez commented on GitHub (Apr 15, 2020):

What you describe is the "normal user" scenario that just types "firejail firefox" and relies on profiles.

Firejail's tendency to ignore non-existent paths is problematic in that scenario too. Say the path changes in Fedora or Ubuntu. Nobody will realise that some path is no longer blacklisted. That makes a security tool like Firejail unreliable.

But I am also thinking about other usage scenarios:

I manually type a command with --read-only= and I make a mistake (a typo).
I am writing a script and I make a mistake. Firejail will just silently ignore my mistakes.

@rdiez commented on GitHub (Apr 15, 2020): What you describe is the "normal user" scenario that just types "firejail firefox" and relies on profiles. Firejail's tendency to ignore non-existent paths is problematic in that scenario too. Say the path changes in Fedora or Ubuntu. Nobody will realise that some path is no longer blacklisted. That makes a security tool like Firejail unreliable. But I am also thinking about other usage scenarios: - I manually type a command with --read-only= and I make a mistake (a typo). - I am writing a script and I make a mistake. Firejail will just silently ignore my mistakes.

gitea-mirror commented

2026-05-05 08:47:12 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 17, 2020):

Firejail will just silently ignore my mistakes.

You can use --debug, --debug-blacklists, ... to be sure your path is blacklisted/read-only.

@rusty-snake commented on GitHub (Apr 17, 2020): > Firejail will just silently ignore my mistakes. You can use `--debug`, `--debug-blacklists`, ... to be sure your path is blacklisted/read-only.

gitea-mirror commented

2026-05-05 08:47:13 -06:00

Author

Owner

@rdiez commented on GitHub (Apr 17, 2020):

That does not really cut it. Nobody should be expected to use debug flags to get a warning or an error when a specified path does not exist. Besides, debug flags tend to be too noisy for everyday usage.

@rdiez commented on GitHub (Apr 17, 2020): That does not really cut it. Nobody should be expected to use debug flags to get a warning or an error when a specified path does not exist. Besides, debug flags tend to be too noisy for everyday usage.

gitea-mirror commented

2026-05-05 08:47:15 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 17, 2020):

Do you have a suggestion how this should look like then? hardfailing if a blacklist path does not exist and removing disable-progams.inc, disable-common.inc, disable-xdg.inc, disable-devel.inc and disable-interpreters.inc isn't a solution. This would decrease the security.

@rusty-snake commented on GitHub (Apr 17, 2020): Do you have a suggestion how this should look like then? hardfailing if a blacklist path does not exist and removing disable-progams.inc, disable-common.inc, disable-xdg.inc, disable-devel.inc and disable-interpreters.inc isn't a solution. This would decrease the security.

gitea-mirror commented

2026-05-05 08:47:15 -06:00

Author

Owner

@rdiez commented on GitHub (Apr 17, 2020):

I recently wrote some ideas about a related issue here .

User smitsohu also suggested something like fatal-warnings .

@rdiez commented on GitHub (Apr 17, 2020): I recently wrote some ideas about a related issue [here ](https://github.com/netblue30/firejail/issues/3355#issuecomment-614598413) . User smitsohu also suggested something like fatal-warnings .

gitea-mirror commented

2026-05-05 08:47:16 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 17, 2020):

For the warnings (e.g. noroot) this makes sense. But I doesn't see a advantage of a error-on-non-existing option since it will fail as long as you include disable-common and co.

@rusty-snake commented on GitHub (Apr 17, 2020): For the warnings (e.g. noroot) this makes sense. But I doesn't see a advantage of a error-on-non-existing option since it will fail as long as you include disable-common and co.

gitea-mirror commented

2026-05-05 08:47:17 -06:00

Author

Owner

@rdiez commented on GitHub (Apr 17, 2020):

Like I mentioned before, you could implement something like "ignore-errors" (or "ignore-non-existing-paths") as an option that is only in effect for the profile it is in.

Or maybe the reverse, some "strict" command-line option that affects anything afterwards.

The goal is to have a way to run "firejail --noprofile --strict ..etc...", so that you can really be confident that anything you ask for, and every path you specify, is enforced, checked, etc.

Otherwise, one day some hacker is going to slip through the protections, and in the security advisory you will find a comment like "Firejail silently ignored a misconfigured / buggy option that would have saved the day, but that problem was undetected for years". And then it is not going to look very professional on your side... }8-)

@rdiez commented on GitHub (Apr 17, 2020): Like I mentioned before, you could implement something like "ignore-errors" (or "ignore-non-existing-paths") as an option that is only in effect for the profile it is in. Or maybe the reverse, some "strict" command-line option that affects anything afterwards. The goal is to have a way to run "firejail --noprofile --strict ..etc...", so that you can really be confident that anything you ask for, and every path you specify, is enforced, checked, etc. Otherwise, one day some hacker is going to slip through the protections, and in the security advisory you will find a comment like "Firejail silently ignored a misconfigured / buggy option that would have saved the day, but that problem was undetected for years". And then it is not going to look very professional on your side... }8-)

gitea-mirror commented

2026-05-05 08:47:18 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 17, 2020):

The goal is to have a way to run "firejail --noprofile --strict ..etc..."

In combination with --noprofile it maybe makes sense. I understood that above that firejail should error by default on that.

@rusty-snake commented on GitHub (Apr 17, 2020): > The goal is to have a way to run "firejail --noprofile --strict ..etc..." In combination with `--noprofile` it maybe makes sense. I understood that above that firejail should error by default on that.

Rows
Columns

[GH-ISSUE #3357] No warning or error if a file or directory does not exist #2108