[GH-ISSUE #4026] --private and $HOME #2507

New issue

Closed

opened 2026-05-05 09:11:28 -06:00 by gitea-mirror · 16 comments

gitea-mirror commented 2026-05-05 09:11:28 -06:00

Owner

Copy link

Originally created by @reinerh on GitHub (Mar 2, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4026

A Debian user reported the oddity that a bin directory inside a --private home directory is read-only.
This is caused by read-only ${HOME}/bin from disable-common.inc.

Is it actually intended that ${HOME} applies to the private home directory as well?

Originally created by @reinerh on GitHub (Mar 2, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4026 A Debian user [reported](https://bugs.debian.org/983746) the oddity that a `bin` directory inside a `--private` home directory is read-only. This is caused by `read-only ${HOME}/bin` from `disable-common.inc`. Is it actually intended that `${HOME}` applies to the private home directory as well?

gitea-mirror 2026-05-05 09:11:28 -06:00

• closed this issue
• added the
  question_old
  label

gitea-mirror commented 2026-05-05 09:11:31 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Mar 2, 2021):

If not we can close #903.

---

I would have thought that the typical use is to create a directory,
copy a minimum number of (non-confidential) files in it, and do
all the dirty work in it via "firejail --private=". I do that for
testing actively developed 3rd party software, and this needs
something like "make install" each time the software is updated.
If bin is read-only, this doesn't work.

That's one workflow, another can be --private=~/work or --private=~/kleingartenverein. Then ${HOME} should expand to the --private home. Let's say you run ssh and firefox in ~/work, then you don't want that firefox can read the ssh keys of your company.

So I think it's better to expand ${HOME} to --private and use noblacklist/nowhitelist/read-write/ignore.

<!-- gh-comment-id:789048395 --> @rusty-snake commented on GitHub (Mar 2, 2021): If not we can close #903. ------ > I would have thought that the typical use is to create a directory, copy a minimum number of (non-confidential) files in it, and do all the dirty work in it via "firejail --private=". I do that for testing actively developed 3rd party software, and this needs something like "make install" each time the software is updated. If bin is read-only, this doesn't work. That's one workflow, another can be `--private=~/work` or `--private=~/kleingartenverein`. Then ${HOME} should expand to the --private home. Let's say you run ssh and firefox in ~/work, then you don't want that firefox can read the ssh keys of your company. So I think it's better to expand ${HOME} to --private and use noblacklist/nowhitelist/read-write/ignore.

gitea-mirror commented 2026-05-05 09:11:32 -06:00

Author

Owner

Copy link

@vinc17fr commented on GitHub (Mar 2, 2021):

Well, if firefox cannot read the ssh configuration, then ssh won't be able to read it either (both being run in the jail)! So what's the point of storing ssh configuration in ~/work?

<!-- gh-comment-id:789081401 --> @vinc17fr commented on GitHub (Mar 2, 2021): Well, if firefox cannot read the ssh configuration, then ssh won't be able to read it either (both being run in the jail)! So what's the point of storing ssh configuration in `~/work`?

gitea-mirror commented 2026-05-05 09:11:33 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Mar 2, 2021):

Well, if firefox cannot read the ssh configuration, then ssh won't be able to read it either (both being run in the jail)!

The workflow would look like firejail --private=~/work firefox and firejail --private=~/work ssh. Both will use their own profile (with may has noblacklist ${HOME}/.ssh).

So what's the point of storing ssh configuration in ~/work?

Using different homes for work, personal stuff, association activity, ... (https://firejail.wordpress.com/documentation-2/firefox-guide/#work).

<!-- gh-comment-id:789091624 --> @rusty-snake commented on GitHub (Mar 2, 2021): > Well, if firefox cannot read the ssh configuration, then ssh won't be able to read it either (both being run in the jail)! The workflow would look like `firejail --private=~/work firefox` and `firejail --private=~/work ssh`. Both will use their own profile (with may has `noblacklist ${HOME}/.ssh`). > So what's the point of storing ssh configuration in ~/work? Using different homes for work, personal stuff, association activity, ... (https://firejail.wordpress.com/documentation-2/firefox-guide/#work).

gitea-mirror commented 2026-05-05 09:11:33 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Mar 2, 2021):

@vinc17fr Would it work for you to create overrides in disable-common.local (or your own profile if you are using one)?
Some users might already be relying on the fact that $HOME also applies to private home directories, so it's difficult to loosen this now.

<!-- gh-comment-id:789115496 --> @reinerh commented on GitHub (Mar 2, 2021): @vinc17fr Would it work for you to create overrides in `disable-common.local` (or your own profile if you are using one)? Some users might already be relying on the fact that `$HOME` also applies to private home directories, so it's difficult to loosen this now.

gitea-mirror commented 2026-05-05 09:11:34 -06:00

Author

Owner

Copy link

@vinc17fr commented on GitHub (Mar 2, 2021):

If firefox and ssh have their own profile, I suppose that it is this profile that should blacklist/restrict the various files and directories, just like if --private were not used. Having to use things like noblacklist ${HOME}/.ssh for ssh would just be ugly and error prone.

What do you mean by overrides? Note that just unblacklisting bin would not be sufficient in general. There should be no restriction on files inside the private directory.

<!-- gh-comment-id:789120656 --> @vinc17fr commented on GitHub (Mar 2, 2021): If firefox and ssh have their own profile, I suppose that it is this profile that should blacklist/restrict the various files and directories, just like if `--private` were not used. Having to use things like `noblacklist ${HOME}/.ssh` for ssh would just be ugly and error prone. What do you mean by overrides? Note that just unblacklisting `bin` would not be sufficient in general. There should be no restriction on files inside the private directory.

gitea-mirror commented 2026-05-05 09:11:35 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Mar 2, 2021):

If firefox and ssh have their own profile, I suppose that it is this profile that should blacklist/restrict the various files and directories

Disallowing acces to e.g. ${HOME}/.ssh makes sense globally. It is too much maintenance effort to blacklist common sensitive paths in every single profile.

Having to use things like noblacklist ${HOME}/.ssh for ssh would just be ugly and error prone

This is currently the case for the ssh.profile. Exactly this "pattern" allows blacklisting .ssh globally by default. Having to remember to put it into every profile is more error prone.

What do you mean by overrides? Note that just unblacklisting bin would not be sufficient in general.

I mean adding ignore read-only ${HOME}/bin to disable-common.local (or the profile of your application you use with a private home). This will prevent having read-only bin directory.

There should be no restriction on files inside the private directory.

I think your use case is different than others. If you really want no restriction at all, you could also use --noprofile to not load any profile (firejail --noprofile --private=fj-test).

<!-- gh-comment-id:789129709 --> @reinerh commented on GitHub (Mar 2, 2021): > If firefox and ssh have their own profile, I suppose that it is this profile that should blacklist/restrict the various files and directories Disallowing acces to e.g. `${HOME}/.ssh` makes sense globally. It is too much maintenance effort to blacklist common sensitive paths in every single profile. > Having to use things like noblacklist ${HOME}/.ssh for ssh would just be ugly and error prone This is currently the case for the `ssh.profile`. Exactly this "pattern" allows blacklisting .ssh globally by default. Having to remember to put it into every profile is more error prone. > What do you mean by overrides? Note that just unblacklisting bin would not be sufficient in general. I mean adding `ignore read-only ${HOME}/bin` to `disable-common.local` (or the profile of your application you use with a private home). This will prevent having read-only bin directory. > There should be no restriction on files inside the private directory. I think your use case is different than others. If you really want no restriction at all, you could also use `--noprofile` to not load any profile (`firejail --noprofile --private=fj-test`).

gitea-mirror commented 2026-05-05 09:11:35 -06:00

Author

Owner

Copy link

@vinc17fr commented on GitHub (Mar 2, 2021):

Having to use things like noblacklist ${HOME}/.ssh for ssh would just be ugly and error prone

This is currently the case for the ssh.profile.

But the ssh.profile is fine. I'm talking about the default profile.

There should be no restriction on files inside the private directory.

I think your use case is different than others. If you really want no restriction at all, you could also use --noprofile to not load any profile (firejail --noprofile --private=fj-test).

This is not OK. I still want the usual blacklists, e.g. /etc/ssh.

<!-- gh-comment-id:789134092 --> @vinc17fr commented on GitHub (Mar 2, 2021): > > Having to use things like noblacklist ${HOME}/.ssh for ssh would just be ugly and error prone > > This is currently the case for the `ssh.profile`. But the `ssh.profile` is fine. I'm talking about the default profile. > > There should be no restriction on files inside the private directory. > > I think your use case is different than others. If you really want no restriction at all, you could also use `--noprofile` to not load any profile (`firejail --noprofile --private=fj-test`). This is not OK. I still want the usual blacklists, e.g. `/etc/ssh`.

gitea-mirror commented 2026-05-05 09:11:35 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Mar 2, 2021):

Can you please explain why modifying your application's profile (or .local override file) is not an option for you?

Unfortunately no profile works for 100% of users, and .local files are there to allow customizations for some corner cases.

<!-- gh-comment-id:789136973 --> @reinerh commented on GitHub (Mar 2, 2021): Can you please explain why modifying your application's profile (or .local override file) is not an option for you? Unfortunately no profile works for 100% of users, and .local files are there to allow customizations for some corner cases.

gitea-mirror commented 2026-05-05 09:11:36 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Mar 2, 2021):

This is not OK. I still want the usual blacklists, e.g. /etc/ssh.

$ cp /usr/share/doc/firejail/profile.template ~/.config/firejail/my_devel_activity_in_private.profile
# or
$ cp /etc/firejail/default.profile ~/.config/firejail/my_devel_activity_in_private.profile
$ vim ~/.config/firejail/my_devel_activity_in_private.profile
# customize as you need
$ firejail --private=~/foo --profile=my_devel_activity_in_private bash

<!-- gh-comment-id:789138979 --> @rusty-snake commented on GitHub (Mar 2, 2021): > This is not OK. I still want the usual blacklists, e.g. /etc/ssh. ``` $ cp /usr/share/doc/firejail/profile.template ~/.config/firejail/my_devel_activity_in_private.profile # or $ cp /etc/firejail/default.profile ~/.config/firejail/my_devel_activity_in_private.profile $ vim ~/.config/firejail/my_devel_activity_in_private.profile # customize as you need $ firejail --private=~/foo --profile=my_devel_activity_in_private bash ```

gitea-mirror commented 2026-05-05 09:11:36 -06:00

Author

Owner

Copy link

@vinc17fr commented on GitHub (Mar 2, 2021):

Can you please explain why modifying your application's profile (or .local override file) is not an option for you?

How can one ignore all the read-only?

Something like ignore read-only ${HOME}/* does not work.

<!-- gh-comment-id:789145713 --> @vinc17fr commented on GitHub (Mar 2, 2021): > Can you please explain why modifying your application's profile (or .local override file) is not an option for you? How can one ignore all the `read-only`? Something like `ignore read-only ${HOME}/*` does not work.

gitea-mirror commented 2026-05-05 09:11:37 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Mar 2, 2021):

ignore is a stupid command that does not know any semantic of it's value (i.e. it can't glob). ignore read-only works.

<!-- gh-comment-id:789149773 --> @rusty-snake commented on GitHub (Mar 2, 2021): `ignore` is a stupid command that does not know any semantic of it's value (i.e. it can't glob). `ignore read-only` works.

gitea-mirror commented 2026-05-05 09:11:37 -06:00

Author

Owner

Copy link

@vinc17fr commented on GitHub (Mar 2, 2021):

So I think that what I'm seeking for is some simple script that does

firejail --ignore=read-only --noblacklist='${HOME}/*' --private="$1" zsh

<!-- gh-comment-id:789167884 --> @vinc17fr commented on GitHub (Mar 2, 2021): So I think that what I'm seeking for is some simple script that does firejail --ignore=read-only --noblacklist='${HOME}/*' --private="$1" zsh

gitea-mirror commented 2026-05-05 09:11:37 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Mar 2, 2021):

Maybe ignore can be extended to support globs? Or match every line that contains a specified prefix?

<!-- gh-comment-id:789170975 --> @reinerh commented on GitHub (Mar 2, 2021): Maybe `ignore` can be extended to support globs? Or match every line that contains a specified prefix?

gitea-mirror commented 2026-05-05 09:11:38 -06:00

Author

Owner

Copy link

@vinc17fr commented on GitHub (Mar 2, 2021):

Or perhaps a noread-only option, just like one has noblacklist?

A HAS_PRIVATE conditional would be useful, e.g. to have

?HAS_PRIVATE: ignore read-only
?HAS_PRIVATE: noblacklist ${HOME}/*

in default.local (or in some other profile).

<!-- gh-comment-id:789178572 --> @vinc17fr commented on GitHub (Mar 2, 2021): Or perhaps a `noread-only` option, just like one has `noblacklist`? A `HAS_PRIVATE` conditional would be useful, e.g. to have ``` ?HAS_PRIVATE: ignore read-only ?HAS_PRIVATE: noblacklist ${HOME}/* ``` in `default.local` (or in some other profile).

gitea-mirror commented 2026-05-05 09:11:38 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Mar 3, 2021):

Or perhaps a noread-only option, just like one has noblacklist?

We have read-write. Unlike (no)blacklist it works with subpaths too.

# ~/writeable is writeable
read-only ${HOME}
read-write ${HOME}/writeable

# ~ is writeable
read-only ${HOME}
read-write ${HOME}

However, you still need ignore read-only ... if the ro comes abter the rw.

<!-- gh-comment-id:789659034 --> @rusty-snake commented on GitHub (Mar 3, 2021): > Or perhaps a noread-only option, just like one has noblacklist? We have `read-write`. Unlike `(no)blacklist` it works with subpaths too. ``` # ~/writeable is writeable read-only ${HOME} read-write ${HOME}/writeable # ~ is writeable read-only ${HOME} read-write ${HOME} ``` However, you still need `ignore read-only ...` if the ro comes abter the rw.

gitea-mirror commented 2026-05-05 09:11:39 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Aug 4, 2021):

I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

<!-- gh-comment-id:892565515 --> @rusty-snake commented on GitHub (Aug 4, 2021): I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2507

No description provided.