[GH-ISSUE #3844] firejail --private hanging #2421

Closed
opened 2026-05-05 09:05:46 -06:00 by gitea-mirror · 4 comments

Originally created by @AnthonyMonterrosa on GitHub (Dec 22, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3844

I've recently installed `firejail`, have run `sudo firecfg`, and have no custom profiles:

```
anthony@anthony-desktop ~> ls -la ~/.config/firejail/
total 8
drwxr-xr-x  2 anthony anthony 4096 Dec 21 22:58 .
drwxr-xr-x 23 anthony anthony 4096 Dec 21 22:35 ..
```

I'm trying to find what needs whitelisting for a custom profile I'd like to make, and followed the documentation at https://firejail.wordpress.com/documentation-2/building-custom-profiles/. While trying to run `firejail --private`, it hung at `Child process initialized...`, and the prompt for the next command never came. So, it seems like `firejail --private` hangs for me, although I haven't had it open for more than a few minutes.

```
anthony@anthony-desktop ~> firejail --private
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 7400, child pid 7401
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 50.72 ms
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

anthony@anthony-desktop ~ [2]>
```

`firejail firefox` and `firejail firefox --private` work as expected, which makes me think the problem is with running `firejail` without an application name.

To test this, I ran `firejail /bin/bash`, which is the default behavior listed in the man page if `firejail` isn't given an application name

(https://man7.org/linux/man-pages/man1/firejail.1.html):

```
       If a program argument is not specified, Firejail starts /bin/bash
       shell.  Examples:

       $ firejail [OPTIONS]                # starting a /bin/bash shell

       $ firejail [OPTIONS] firefox        # starting Mozilla Firefox

       # sudo firejail [OPTIONS] /etc/init.d/nginx start
```

`firejail /bin/bash` has a permission error:

```
anthony@anthony-desktop ~ [2]> firejail /bin/bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 9642, child pid 9643
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 50.71 ms
warning: An error occurred while redirecting file '/home/anthony/.ssh/environment'
open: Permission denied
chmod: cannot access '/home/anthony/.ssh/environment': Permission denied
source: Error encountered while sourcing file “/home/anthony/.ssh/environment”:
source: Permission denied
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...
anthony@anthony-desktop ~ [2]>
```

So I tried `firejail --noprofile /bin/bash` and that does not have a permission error, but still hangs.

```
anthony@anthony-desktop ~ [2]> firejail --noprofile /bin/bash
Parent pid 9762, child pid 9763
Child process initialized in 6.49 ms
```

To put all of my information together, I tried `firejail --noprofile --private`, which hangs, albeit with less output.

```
anthony@anthony-desktop ~ [2]> firejail --noprofile --private
Parent pid 10069, child pid 10070
Child process initialized in 9.66 ms
```

Environment

`screenfetch`:

```
anthony@anthony-desktop
OS: Manjaro 20.2 Nibia
Kernel: x86_64 Linux 5.9.11-3-MANJARO
Uptime: 12m
Packages: 1164
Shell: fish 3.1.2-1775-g75dcbed70
Resolution: 5760x1080
DE: KDE 5.76.0 / Plasma 5.20.4
WM: KWin
GTK Theme: Breath [GTK2/3]
Icon Theme: breath2
Disk: 9.2G / 907G (2%)
CPU: Intel Core i9-9900K @ 16x 5GHz [30.0°C]
GPU: GeForce GTX 1660 Ti
RAM: 2665MiB / 15921MiB+
```

`firejail --version`:

```
firejail version 0.9.64

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
```

`ls -la /etc/firejail | grep "bash"`:

```
anthony@anthony-desktop /e/firejail> ls -la /etc/firejail | grep "bash"
-rw-r--r--   1 root root   957 Oct 27 17:35 checkbashisms.profile
anthony@anthony-desktop /e/firejail>
```

Is there something I should be doing to have `firejail --private` work as expected? From here, I'm not sure what to try. I believe `firejail-profile` was installed alongside my `firejail` installation from the Arch User Repository, given the information I see on the install's page and its list of profiles. https://archlinux.org/packages/community/x86_64/firejail/


@rusty-snake commented on GitHub (Dec 22, 2020):

fish (as login shell) and firejail bite each other quite often. Read #3434 for some discussions.


@AnthonyMonterrosa commented on GitHub (Dec 22, 2020):

Ah, I see. Fish isn't POSIX-compliant, and then things don't work. So `firejail` doesn't run `/bin/bash`, it runs `$SHELL`. I agree with some of the comments in #3434 that it'd be nice to have the man page updated.

I'll try `firejail --shell=/bin/bash` after work.


@AnthonyMonterrosa commented on GitHub (Dec 22, 2020):

Can confirm, running `firejail --private --shell=/bin/bash` works as expected.

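The workaround confirmed above, wrapped as a small POSIX sh helper (an added example, not code from the firejail project): it looks at the login shell firejail would fall back to when no program is given and, for fish, prepends `--shell=/bin/bash` to the command line. Assumptions: fish is the only non-POSIX login shell special-cased, and `/bin/bash` is the desired fallback; the `login_shell`, `shell_args_for` and `sandbox_cmd` names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the firejail project). firejail with no program
# argument runs the user's login shell; fish breaks that, so we add
# --shell=/bin/bash when fish is the login shell.

# Print the login shell firejail would pick up: $SHELL if set, otherwise the
# passwd entry of the current user.
login_shell() {
  if [ -n "$SHELL" ]; then
    printf '%s\n' "$SHELL"
  else
    getent passwd "$(id -un)" | cut -d: -f7
  fi
}

# Given a shell path, print the extra firejail argument that is needed, or
# nothing when the login shell is already POSIX-compatible.
shell_args_for() {
  case "$(basename "$1")" in
    fish) printf '%s\n' '--shell=/bin/bash' ;;
    *)    printf '' ;;
  esac
}

# Print the full firejail command line for an interactive sandbox session.
# Example (fish user):  sandbox_cmd --private
#   -> firejail --shell=/bin/bash --private
sandbox_cmd() {
  extra=$(shell_args_for "$(login_shell)")
  printf '%s' "firejail"
  [ -n "$extra" ] && printf ' %s' "$extra"
  [ $# -gt 0 ] && printf ' %s' "$@"
  printf '\n'
}

# Uncomment to actually launch the sandbox with the computed arguments:
# eval "$(sandbox_cmd --private)"
```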

@AnthonyMonterrosa commented on GitHub (Dec 22, 2020):

In that case, should I close this issue? I'd like to see the manpage updated, whether it's from this issue or #3434.
