[GH-ISSUE #3878] umask always 0002 #2437

Closed
opened 2026-05-05 09:07:03 -06:00 by gitea-mirror · 5 comments
Owner

Originally created by @SkewedZeppelin on GitHub (Jan 9, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3878

umask is always set to 0002 in the sandbox.
I don't remember this in the past.
Noticed it appear a few months ago.
umask shouldn't be less restrictive than what the distro/user defaults to.
e.g. umask shouldn't become 0002 if the distro sets 0022 or the user sets 0077.

Environment

- Fedora 33
- firejail from 7c3dd381a65281a2689def21f6d3633cfb7b800b
gitea-mirror 2026-05-05 09:07:03 -06:00
Author
Owner

@smitsohu commented on GitHub (Jan 9, 2021):

Try the following outside Firejail

```
[me@localhost ~]$ umask 123
[me@localhost ~]$ umask
0123
[me@localhost ~]$ bash
[me@localhost ~]$ umask
0002
[me@localhost ~]$
```

It's the default Fedora configuration (/etc/bashrc via ~/.bashrc).

Author
Owner

@smitsohu commented on GitHub (Jan 9, 2021):

If it is considered useful we could probably have an option to set the umask per sandbox. All the machinery is in place already, it is just that Firejail does not expose it to the user.

Author
Owner

@SkewedZeppelin commented on GitHub (Jan 9, 2021):

@smitsohu

> It's the default Fedora configuration (/etc/bashrc via ~/.bashrc).

Yep, you are correct.
I should've checked that.

Why isn't the existing umask persisted into the sandbox?

Author
Owner

@smitsohu commented on GitHub (Jan 10, 2021):

When Firejail is done with configuring the sandbox, and there was no --shell=none request, the last thing it does is either running $SHELL, or, if an application was specified, $SHELL -c application.

If no application was specified, what we get is an interactive shell. Assuming $SHELL is bash, it reads ~/.bashrc and executes the instructions. All descendant processes, basically the entire sandbox, then inherit the default 0002 umask.

If, however, an application was specified, the shell is not interactive, ~/.bashrc is ignored and the umask is passed through as expected:

```
[me@localhost firejail]$ umask 123
[me@localhost firejail]$ umask
0123
[me@localhost firejail]$ firejail --noprofile umask
Parent pid 39134, child pid 39135
Child process initialized in 23.80 ms
0123

Parent is shutting down, bye...
```
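The three launch paths described in the comment above, reproduced outside Firejail as an added example (not firejail's own code): a child started with no shell in between, a non-interactive `bash -c app`, and an interactive bash that reads an rc file. The rc file is constructed here and stands in for Fedora's /etc/bashrc; the `less_restrictive` check implements the comparison the reporter asked for in the opening post.

```shell
#!/bin/sh
# Constructed rc file standing in for Fedora's /etc/bashrc, which sets
# umask 0002 for interactive shells. Removed when the script exits.
RC="$(mktemp)"
printf 'umask 0002\n' > "$RC"
trap 'rm -f "$RC"' EXIT

# umask seen by a child started with no shell in between (the --shell=none
# path): the kernel copies the umask across fork/exec, nothing changes it.
umask_direct() {
  ( umask "$1"; sh -c umask )
}

# umask seen by "bash -c app" (firejail with an application argument):
# the shell is non-interactive, the rc file is not read, umask passes through.
umask_via_shell_c() {
  ( umask "$1"; bash -c umask )
}

# umask seen by an interactive bash (firejail with no application): the
# shell reads its rc file, which resets the umask, and every sandboxed
# child inherits that value. stderr is dropped because an interactive bash
# without a tty warns about missing job control.
umask_via_interactive_shell() {
  ( umask "$1"; bash --noprofile --rcfile "$RC" -i -c umask 2>/dev/null )
}

# Prints "yes" if NEW ($2) is less restrictive than OLD ($1), i.e. NEW
# clears a permission bit that OLD masked out. A leading zero is prepended
# so shell arithmetic parses both values as octal.
less_restrictive() {
  if [ $(( 0$1 & ~0$2 )) -ne 0 ]; then echo yes; else echo no; fi
}

umask_direct 0123                 # 0123
umask_via_shell_c 0123            # 0123
umask_via_interactive_shell 0123  # 0002
less_restrictive 0022 0002        # yes
```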
Author
Owner

@SkewedZeppelin commented on GitHub (Jan 10, 2021):

Yep, I see it now.
Thank you @smitsohu for the clarification.

Reference: github-starred/firejail#2437