[GH-ISSUE #3355] Some warnings should be errors #2109

New issue

Open

opened 2026-05-05 08:47:09 -06:00 by gitea-mirror · 12 comments

gitea-mirror commented 2026-05-05 08:47:09 -06:00

Owner

Copy link

Originally created by @rdiez on GitHub (Apr 14, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3355

You can argue that Firejail is an important security tool. If it has been asked to do something, and it cannot, it should fail. Instead, it tends to drop the specify security measure and happily carry on. I have seen this behaviour with the following warnings:

1. Warning: you are not allowed to change /tmp to read-write

If such configuration fails, applications may stop working correctly. It would be better to stop straight away, so that the issue is promptly recognised and fixed before it causes trouble.

Does this happen too if Firejail has been asked to make something "read-only". If so, that would be a serious issue. You believe that you have placed protections in place, and suddenly, on some system, they may be ignored.

2. Warning: cannot create a new user namespace, going forward without it...

If I specifically do not want to leak other usernames to the application, Firejail should not just ignore me and leak them anyway.

I am using Ubuntu 18.04.4 LTS, which comes with Firejail version 0.9.52, a rather old version indeed. So maybe this has already been improved in the meantime.

Originally created by @rdiez on GitHub (Apr 14, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3355 You can argue that Firejail is an important security tool. If it has been asked to do something, and it cannot, it should fail. Instead, it tends to drop the specify security measure and happily carry on. I have seen this behaviour with the following warnings: 1) Warning: you are not allowed to change /tmp to read-write If such configuration fails, applications may stop working correctly. It would be better to stop straight away, so that the issue is promptly recognised and fixed before it causes trouble. Does this happen too if Firejail has been asked to make something "read-only". If so, that would be a serious issue. You believe that you have placed protections in place, and suddenly, on some system, they may be ignored. 2) Warning: cannot create a new user namespace, going forward without it... If I specifically do not want to leak other usernames to the application, Firejail should not just ignore me and leak them anyway. I am using Ubuntu 18.04.4 LTS, which comes with Firejail version 0.9.52, a rather old version indeed. So maybe this has already been improved in the meantime.

gitea-mirror added the

enhancement

label 2026-05-05 08:47:09 -06:00

gitea-mirror commented 2026-05-05 08:47:11 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 14, 2020):

See note in #3354 on how to get the latest stable release.

If such configuration fails, applications may stop working correctly. It would be better to stop straight away, so that the issue is promptly recognised and fixed before it causes trouble.

That sounds reasonable. There's been some recent work on letting users decide on how to deal with seccomp filtering for instance (see #3301). Plenty of work left to broaden the scope of such finer-grained user control.

Does this happen too if Firejail has been asked to make something "read-only". If so, that would be a serious issue. You believe that you have placed protections in place, and suddenly, on some system, they may be ignored.

Firejail follows the general Linux file permission model/rukes AFAICT. In your ${HOME} you should be able to make anything read-only or read-write. But if your user tries to change access mode on something without having the required privileges, it will fail. So answering your question: it depends on the specifics...

<!-- gh-comment-id:613644722 --> @ghost commented on GitHub (Apr 14, 2020): See note in #3354 on how to get the latest stable release. > If such configuration fails, applications may stop working correctly. It would be better to stop straight away, so that the issue is promptly recognised and fixed before it causes trouble. That sounds reasonable. There's been some recent work on letting users decide on how to deal with seccomp filtering for instance (see #3301). Plenty of work left to broaden the scope of such finer-grained user control. > Does this happen too if Firejail has been asked to make something "read-only". If so, that would be a serious issue. You believe that you have placed protections in place, and suddenly, on some system, they may be ignored. Firejail follows the general Linux file permission model/rukes AFAICT. In your ${HOME} you should be able to make anything read-only or read-write. But if your user tries to change access mode on something without having the required privileges, it will fail. So answering your question: it depends on the specifics...

gitea-mirror commented 2026-05-05 08:47:12 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 14, 2020):

Does this happen too if Firejail has been asked to make something "read-only".

No.

<!-- gh-comment-id:613646153 --> @rusty-snake commented on GitHub (Apr 14, 2020): > Does this happen too if Firejail has been asked to make something "read-only". No.

gitea-mirror commented 2026-05-05 08:47:13 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 15, 2020):

If firejail would hardfail on these, it would be broken for some users.

<!-- gh-comment-id:613897714 --> @rusty-snake commented on GitHub (Apr 15, 2020): If firejail would hardfail on these, it would be broken for some users.

gitea-mirror commented 2026-05-05 08:47:14 -06:00

Author

Owner

Copy link

@rdiez commented on GitHub (Apr 15, 2020):

I would recommend stop using Firejail, o any security tool for that matter, which, when instructed to protect some areas, it then skips the protections due to some external system or configuration mismatch. You just cannot rely on such a tool!

<!-- gh-comment-id:613934634 --> @rdiez commented on GitHub (Apr 15, 2020): I would recommend stop using Firejail, o any security tool for that matter, which, when instructed to protect some areas, it then skips the protections due to some external system or configuration mismatch. You just cannot rely on such a tool!

gitea-mirror commented 2026-05-05 08:47:16 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 15, 2020):

--read-write is not a protection, its a exception.

<!-- gh-comment-id:613939544 --> @rusty-snake commented on GitHub (Apr 15, 2020): `--read-write` is not a protection, its a exception.

gitea-mirror commented 2026-05-05 08:47:16 -06:00

Author

Owner

Copy link

@rdiez commented on GitHub (Apr 15, 2020):

But --noroot is, which is what generates the "cannot create a new user namespace" warning.

I am starting to distrust Firejail. What other protection measures could be skipped like this?

<!-- gh-comment-id:613953568 --> @rdiez commented on GitHub (Apr 15, 2020): But --noroot is, which is what generates the "cannot create a new user namespace" warning. I am starting to distrust Firejail. What other protection measures could be skipped like this?

gitea-mirror commented 2026-05-05 08:47:17 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 15, 2020):

I am starting to distrust Firejail. What other protection measures could be skipped like this?

Personally I think it's a good thing to raise these concerns. Distrust and security tool in the same sentence isn't anathema. So, after repeatedly going over #3354, #3355, #3356 and #3357, I decided to label them for now and await discussion involving other collaborators.

<!-- gh-comment-id:614009759 --> @ghost commented on GitHub (Apr 15, 2020): > I am starting to distrust Firejail. What other protection measures could be skipped like this? Personally I think it's a good thing to raise these concerns. Distrust and security tool in the same sentence isn't anathema. So, after repeatedly going over #3354, #3355, #3356 and #3357, I decided to label them for now and await discussion involving other collaborators.

gitea-mirror commented 2026-05-05 08:47:18 -06:00

Author

Owner

Copy link

@matu3ba commented on GitHub (Apr 15, 2020):

@glitsj16

I am starting to distrust Firejail. What other protection measures could be skipped like this?

Personally I think it's a good thing to raise these concerns. Distrust and security tool in the same sentence isn't anathema. So, after repeatedly going over #3354, #3355, #3356 and #3357, I decided to label them for now and await discussion involving other collaborators.

You might want to create a tracking issue collecting a list of options related to PR #3301 and schedule a short meeting to find consensus on the project status and goal.
How to simplify things from the user side and specify program behavior would also come to my mind, but that is up to you.

<!-- gh-comment-id:614186182 --> @matu3ba commented on GitHub (Apr 15, 2020): @glitsj16 > > I am starting to distrust Firejail. What other protection measures could be skipped like this? > > Personally I think it's a good thing to raise these concerns. Distrust and security tool in the same sentence isn't anathema. So, after repeatedly going over #3354, #3355, #3356 and #3357, I decided to label them for now and await discussion involving other collaborators. You might want to create a tracking issue collecting a list of options related to PR #3301 and schedule a short meeting to find consensus on the project status and goal. How to simplify things from the user side and specify program behavior would also come to my mind, but that is up to you.

gitea-mirror commented 2026-05-05 08:47:18 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Apr 16, 2020):

Letting noroot fail hard would force us to remove the option from all profiles.

IMHO this behavior should be documented in the man pages. Maybe it would also be good to provide more feedback as to why creating a new user namespace failed.

Another idea: would it make sense to add something like an (opt-in) fatal-warnings option?

<!-- gh-comment-id:614584422 --> @smitsohu commented on GitHub (Apr 16, 2020): Letting `noroot` fail hard would force us to remove the option from all profiles. IMHO this behavior should be documented in the man pages. Maybe it would also be good to provide more feedback as to _why_ creating a new user namespace failed. Another idea: would it make sense to add something like an (opt-in) `fatal-warnings` option?

gitea-mirror commented 2026-05-05 08:47:19 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Apr 16, 2020):

Another idea: would it make sense to add something like an (opt-in) fatal-warnings option?

... which down the road is likely to create pressure to turn warnings into mere messages.

<!-- gh-comment-id:614593185 --> @smitsohu commented on GitHub (Apr 16, 2020): > Another idea: would it make sense to add something like an (opt-in) fatal-warnings option? ... which down the road is likely to create pressure to turn warnings into mere messages.

gitea-mirror commented 2026-05-05 08:47:20 -06:00

Author

Owner

Copy link

@rdiez commented on GitHub (Apr 16, 2020):

More ideas:

The profile configuration files could be treated differently than command-line options. Or such default configuration files could start with some "ignore-errors" or "warn-if-error" switch, which is only valid for the profile file it is in.

Providing default configuration files for all Linux distributions is never going to work properly. Like I said, if a particular distribution changes something, chances are that breakage will be noticed much later, leaving users unprotected for quite some time. I would say that Firejail profiles should come from distributions, or even within each software package itself.

Or maybe the configuration files just need to become more flexible. Distributions could provide a top-level configuration file indicating what options will work (or won't) on their distributions.

Managing security settings is hard. Note how polkit ended up introducing a JavaScript engine to manage authorization rules (!).

I just believe it is important to have a way to run Firejail in some "strict" mode you can really rely upon.

<!-- gh-comment-id:614598413 --> @rdiez commented on GitHub (Apr 16, 2020): More ideas: The profile configuration files could be treated differently than command-line options. Or such default configuration files could start with some "ignore-errors" or "warn-if-error" switch, which is only valid for the profile file it is in. Providing default configuration files for all Linux distributions is never going to work properly. Like I said, if a particular distribution changes something, chances are that breakage will be noticed much later, leaving users unprotected for quite some time. I would say that Firejail profiles should come from distributions, or even within each software package itself. Or maybe the configuration files just need to become more flexible. Distributions could provide a top-level configuration file indicating what options will work (or won't) on their distributions. Managing security settings is hard. Note how polkit ended up introducing a JavaScript engine to manage authorization rules (!). I just believe it is important to have a way to run Firejail in some "strict" mode you can really rely upon.

gitea-mirror commented 2026-05-05 08:47:20 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 16, 2020):

Providing default configuration files for all Linux distributions is never going to work properly. Like I said, if a particular distribution changes something, chances are that breakage will be noticed much later, leaving users unprotected for quite some time.

Then we will end up with only a few profiles per distro. That is even more unprotected.

I would say that Firejail profiles should come from distributions, or even within each software package itself. Or maybe the configuration files just need to become more flexible. Distributions could provide a top-level configuration file indicating what options will work (or won't) on their distributions.

Distriputors and app-developers will not do that.

Anyway, turning some warning into errors (e.g. noroot) sound now reasonable to me. So users need to explicitly opt-out by adding ignore noroot to globals.local. Hardfailing on the cli and/or a fatal-warnings options are also good.

<!-- gh-comment-id:614714076 --> @rusty-snake commented on GitHub (Apr 16, 2020): > Providing default configuration files for all Linux distributions is never going to work properly. Like I said, if a particular distribution changes something, chances are that breakage will be noticed much later, leaving users unprotected for quite some time. Then we will end up with only a few profiles per distro. That is even more unprotected. > I would say that Firejail profiles should come from distributions, or even within each software package itself. Or maybe the configuration files just need to become more flexible. Distributions could provide a top-level configuration file indicating what options will work (or won't) on their distributions. Distriputors and app-developers will not do that. Anyway, turning some warning into errors (e.g. noroot) sound now reasonable to me. So users need to explicitly opt-out by adding `ignore noroot` to globals.local. Hardfailing on the cli and/or a fatal-warnings options are also good.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2109

No description provided.