[GH-ISSUE #3658] read-write permission for /opt/ directory or other shared documents #2304

Open
opened 2026-05-05 08:59:37 -06:00 by gitea-mirror · 1 comment

Originally created by @hlvs44 on GitHub (Oct 6, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3658

Hi,
it seems impossible to work on the /opt/ directory in read-write mode:
firejail --read-write=/opt/xxx/ libreoffice

ls -la /opt/xxx

drwxrws--- 6 vdesktop contabilita    4096 set 21 12:45  .
drwxrws--- 4 vdesktop contabilita    4096 lug 23 14:54  ..
-rw-rw---- 1 vdesktop contabilita     240 lug 30 01:57  aaaa.desktop
-rw-rw---- 1 vdesktop contabilita     292 lug 23 14:53  bbb.desktop
drwxrws--- 8 vdesktop contabilita    4096 set 23 02:01  file
drwxrws--- 5 vdesktop contabilita    4096 lug 18 21:38 'macro bug'
drwxrws--- 4 vdesktop contabilita    4096 ago  7 22:25  vvvv.doc
-rw-rw---- 1 vdesktop contabilita 2713927 set 21 12:44  xxxx.odb

As you can see, all users of the "contabilita" group can access this directory in read and write mode, and this is very important, as important shared documents are stored in this location.
My security strategy for libreoffice is just to block internet access to it, not file system access.
I understand from the documentation that files outside the user's home directory, or not directly owned by the user, are remounted read-only by firejail.
Is there no way to change this behavior?
Is it a bug or a missing feature?

My system is:
$ lsb_release -a

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	**Ubuntu 20.04.1 LTS**
Release:	20.04
Codename:	focal

If I try with the "noprofile" option:
firejail --noprofile --read-write=/opt/xxx/ --net=br1 --ip=198.110.1.2 libreoffice

Parent pid 61594, child pid 61595

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0             02:30:e8:7f:ce:24  192.117.1.2      255.255.255.0    UP    
Default gateway 198.110.1.1

Child process initialized in 1466.43 ms

--> NO ERRORS, BUT NOTHING HAPPENS: LIBREOFFICE DOES NOT START


If I try with "noprofile" and without the network options:
Everything works fine, but without the bridge option (which is very important, as in this way only MySQL connections to the server are allowed from the bridge subnet and nothing else).
In addition, the menu bar is missing in libreoffice....!!
--> see the picture: https://www.dropbox.com/s/jbw1wdg50vutvce/2020-10-07_00-41.png?dl=0 <---


The question is: how can I just use libreoffice with normal file system privileges?
I just want to block net access (and I've achieved that) but leave full file system access, respecting the way I have configured group permissions in the file system.
Thanks a lot.

ale

PS - my libreoffice:

Version: 7.0.1.2
Build ID: 00(Build:2)
CPU threads: 1; OS: Linux 5.4; UI render: default; VCL: gtk3
Locale: it-IT (it_IT.UTF-8); Interfaccia utente: it-IT
Ubuntu package version: 1:7.0.1_rc2-0ubuntu0.20.04.1
Calc: threaded

Relates to: #5034
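The reporter's question is whether /opt/xxx really ends up writable inside the sandbox. Rather than reading the bind-mount rules off the man page, the quickest check is to try a write from inside the sandbox and compare with the host. The POSIX shell probe below is an added example, not code from the issue reporter or from the firejail project: it takes the sandbox invocation as a command prefix (the firejail flags in the usage comment are assumed to be installed; an empty prefix probes the host for the baseline) and reports which directories the sandbox has turned read-only.

```shell
#!/bin/sh
# Added example, not code from the issue or the firejail project.
# Check empirically which directories a sandboxed process can write to, so
# that a "read-write" claim (e.g. --read-write=/opt/xxx) is verified instead
# of assumed. PREFIX is a command that runs its arguments inside the sandbox,
# e.g. "firejail --quiet --noprofile --net=none"; an empty PREFIX probes the
# host itself, which is the baseline to compare against.

# probe_rw PREFIX DIR... -> prints "<dir> rw" or "<dir> ro" per directory.
probe_rw() {
    prefix=$1
    shift
    for d in "$@"; do
        # Create and delete a uniquely named file inside DIR: only a real
        # write proves rw, since mode bits say nothing about a read-only
        # bind mount. $prefix is deliberately unquoted so it word-splits.
        if $prefix sh -c 'f="$1/.rw-probe.$$"; ( : > "$f" ) 2>/dev/null && rm -f -- "$f"' sh "$d"; then
            echo "$d rw"
        else
            echo "$d ro"
        fi
    done
}

# remounted_ro PREFIX DIR... -> prints the directories that are writable on
# the host but not inside the sandbox, i.e. those the sandbox remounted
# read-only (the symptom reported above). Prints nothing when none differ.
remounted_ro() {
    prefix=$1
    shift
    for d in "$@"; do
        host=$(probe_rw "" "$d")
        boxed=$(probe_rw "$prefix" "$d")
        case "$host|$boxed" in
            *" rw|"*" ro") echo "$d" ;;
        esac
    done
}

# Typical use (assumes firejail is installed and /opt/xxx exists; the
# directory list is the reporter's shared folder plus the home directory):
#   remounted_ro "firejail --quiet --noprofile --net=none --read-write=/opt/xxx" /opt/xxx "$HOME"
```

Run the probe as the same unprivileged user that will run libreoffice, since group membership ("contabilita" above) is part of what is being tested; a directory listed by remounted_ro is one the sandbox, not the file system permissions, has made read-only, and the firejail options are the place to look.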
gitea-mirror added the
enhancement
label 2026-05-05 08:59:37 -06:00

@rusty-snake commented on GitHub (Oct 7, 2020):

A `writable-opt` option like we have for /var (`writable-var`) or /etc (`writable-etc`) would be the best IMO.

Reference: github-starred/firejail#2304