[GH-ISSUE #3711] zoom profile: can't access webcam #2336

Closed
opened 2026-05-05 09:01:22 -06:00 by gitea-mirror · 8 comments

Originally created by @tornaria on GitHub (Oct 30, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3711

After #3518, zoom cannot access webcam via /dev/video*.

Bug and expected behavior

```
$ firejail --quiet --profile=/etc/firejail/zoom.profile id
uid=1000 gid=1000 groups=1000
$ firejail --quiet --profile=/etc/firejail/zoom.profile ls -l /dev/video*
crw-rw---- 1 65534 65534 81, 0 Oct 30 17:12 /dev/video0
crw-rw---- 1 65534 65534 81, 1 Oct 30 17:12 /dev/video1
```

It turns out the user doesn't have access to the devices /dev/video* because it lacks the group video (note that outside firejail, the user does have access to the group video)

Workaround

In zoom.profile, if I comment out nogroup and I add group to the private-etc whitelist, then it works:

```
$ firejail --quiet --profile=/etc/firejail/zoom.profile id
uid=1000 gid=1000(tornaria) groups=1000(tornaria),12(audio),13(video)
```

since now the user is in group video, it has access to the devices /dev/video* and the webcam works.

Extra comments

a. I couldn't find a way to override nogroups in my local profile. Is there any way?

b. audio and video groups are kept only if /etc/group is whitelisted in private-etc, presumably because the identification of the groups is done by name inside firejail. Would it make sense to use the group names outside of firejail so that /etc/group is not needed?

c. Would it make sense for nogroups to also except special groups like audio and video?

d. Is there another workaround that I'm not seeing?

gitea-mirror 2026-05-05 09:01:22 -06:00
  • closed this issue
  • added the
    bug
    label

@ghost commented on GitHub (Oct 30, 2020):

Thank you for reporting this. To me this sounds like a bug and we should update the zoom profile accordingly. A video conferencing app like zoom should provide necessary functionality without the user having to rely on a local override.

> a. I couldn't find a way to override nogroups in my local profile. Is there any way?

```
ignore nogroups
private-etc group
```

> b. [...] Would it make sense to use the group names outside of firejail so that /etc/group is not needed?

I don't see how that would work. We have several profiles that don't have the nogroups option. If it guarantees expected functionality it is OK to leave it out.

> c. Would it make sense for nogroups to also except special groups like audio and video?

Technically it should be possible, one can always code in such exceptions. But in this case I don't see the benefit of doing so. No means no, and not 'no but yes for x & y'. It would only cause confusion IMHO. Hence I'm marking this as a bug and will keep it open to see what other responses we get on this issue.


@rusty-snake commented on GitHub (Oct 31, 2020):

Are you on a system w/o systemd?

c: nogroups means nogroups, IMHO we should not change this. Anyway there is #2042 (and #3303).


@ghost commented on GitHub (Oct 31, 2020):

@tornaria I went ahead and made the needed changes in git. Please feel free to reopen if you experience the same issue again after updating firejail.


@rusty-snake commented on GitHub (Oct 31, 2020):

@glitsj16 @tornaria `nogroups` breaks commonly unprivileged access inside /dev on non-systemd systems. If that's the case, we should add a note so users can comment/uncomment it easily because they know when it is safe.
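
The dependency discussed in this thread, as an added example that is not part of the original issue or of firejail's code: a shell check, run outside the sandbox, of whether read/write access to `/dev/video*` comes only from a supplementary group, which is the access `nogroups` takes away. It evaluates mode bits only (POSIX ACLs are ignored) and assumes GNU `stat`; the function names are hypothetical, and the sample values are constructed from the report (mode 660, gid 13, uid/gid 1000) with owner uid 0 assumed.

```shell
#!/bin/sh
# Added example (not firejail code). Mode bits only: POSIX ACL entries on the
# device node are not evaluated.

# rw_ok BITS SHIFT: succeeds if the permission triplet at SHIFT grants read+write.
rw_ok() { [ $(( ($1 >> $2) & 6 )) -eq 6 ]; }

# access_path MODE OWNER_UID OWNER_GID UID PRIMARY_GID "SUPPLEMENTARY_GIDS"
# Prints the class that grants rw: owner, primary-group, supplementary-group,
# other, or none. As in the kernel, the first matching class decides, even
# when it denies.
access_path() {
    bits=$((0$1))                    # stat prints octal without the leading 0
    if [ "$4" = "$2" ]; then
        if rw_ok "$bits" 6; then echo owner; else echo none; fi
        return 0
    fi
    class=
    if [ "$5" = "$3" ]; then
        class=primary-group
    else
        for g in $6; do
            if [ "$g" = "$3" ]; then class=supplementary-group; fi
        done
    fi
    if [ -n "$class" ]; then
        if rw_ok "$bits" 3; then echo "$class"; else echo none; fi
    elif rw_ok "$bits" 0; then echo other
    else echo none
    fi
}

# nogroups_breaks (same arguments): succeeds when access exists with the
# supplementary groups and disappears once they are dropped.
# Constructed sample: nogroups_breaks 660 0 13 1000 1000 "1000 12 13" succeeds.
nogroups_breaks() {
    with=$(access_path "$@")
    without=$(access_path "$1" "$2" "$3" "$4" "$5" "")
    [ "$with" != none ] && [ "$without" = none ]
}

# Report on the real devices for the calling user (skips if none exist).
report() {
    for dev in /dev/video*; do
        [ -e "$dev" ] || continue
        set -- $(stat -c '%a %u %g' "$dev")
        if nogroups_breaks "$1" "$2" "$3" "$(id -u)" "$(id -g)" "$(id -G)"; then
            echo "$dev: access depends on a supplementary group"
        else
            echo "$dev: not affected by dropping supplementary groups"
        fi
    done
}
report
```

A device reported as unaffected may still be reachable only through an ACL entry, which `getfacl` shows and this check does not evaluate.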


@ghost commented on GitHub (Oct 31, 2020):

@rusty-snake Good point, let's reopen this and wait for @tornaria to chime in so we can add such a note.


@tornaria commented on GitHub (Dec 15, 2020):

@glitsj16 @rusty-snake
Sorry for the delay. Indeed, I use void linux which does not use systemd.


@ghost commented on GitHub (Dec 15, 2020):

@tornaria That's alright. I made a PR to re-enable 'nogroups' and added a comment how users on non-systemd systems need to deal with this. Thanks for getting back to us, I think we can close this once the PR gets merged.


@ghost commented on GitHub (Dec 15, 2020):

@tornaria PR is in. Feel free to reopen if you experience any oddness with zoom.
