github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4168] Error: invalid --debug command line option if quiet-by-default is set in firejail.config #2561

New issue
Closed
opened 2026-05-05 09:14:10 -06:00 by gitea-mirror · 3 comments
gitea-mirror commented 2026-05-05 09:14:10 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Apr 5, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4168

Running

$ firejail --debug git pull
Error: invalid --debug command line option

didn't work as long as quiet-by-default yes is set in the /etc/firejail/firejail.config, what is very confusing.IMHO at least the error message should be different. Something like quite-by-default is set in the configuration. I actually would love to see --debug working even if the quiet-by-default option is set to yes in the configuration.

Environment

  • Archlinux with kernel 5.10.27-1-lts
$ firejail --version
firejail version 0.9.64.4

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
Originally created by @ghost on GitHub (Apr 5, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4168 Running ``` $ firejail --debug git pull Error: invalid --debug command line option ``` didn't work as long as `quiet-by-default yes` is set in the `/etc/firejail/firejail.config`, what is very confusing.IMHO at least the error message should be different. Something like `quite-by-default is set in the configuration`. I actually would love to see `--debug` working even if the `quiet-by-default` option is set to `yes` in the configuration. **Environment** - Archlinux with kernel 5.10.27-1-lts ``` $ firejail --version firejail version 0.9.64.4 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ```
gitea-mirror 2026-05-05 09:14:10 -06:00
gitea-mirror commented 2026-05-05 09:14:13 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 5, 2021):

I think the only way to make --debug work with quiet is to add --debug=file (which would be nice anyway).

<!-- gh-comment-id:813597880 --> @rusty-snake commented on GitHub (Apr 5, 2021): I think the only way to make `--debug` work with quiet is to add `--debug=file` (which would be nice anyway).
gitea-mirror commented 2026-05-05 09:14:14 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 7, 2021):

@rusty-snake I think this is going into the right direction of what I meant. Then I had some thoughts which arouse from working with firejai and some confusion about the messages I am confronted with. After reading through the code of src/firejail a bit and some other issues concerning quiet mode etc. I think there's a way to make messages and message handling for the end user more comprehensible and maybe solve some of the issues on the way.

I think the default (without setting anything in any profile, configuration file etc.) when you start firejail should be to show only errors. When you start firejail with --verbose you would see the usual firejail output starting with profile loading etc. This would spare the quiet settings in the profiles and the quiet-by-default setting in the config.

Errors (and maybe also information messages) from firejail should be prefixed with "firejail: " to differentiate from error messages coming from the sandboxed application. However that led me to the thought to route every message through a logger. A logger with debug, info and error levels would reflect the current level of implemented messages as far as I have seen it in the src/firejail/main.c file, but additional levels like warning etc. would be easily integratable. I see different ways to reflect a logger in the command line arguments and the configuration:

The first and obvious way would be to keep the current flags and think of them like --quiet (correlates to an inverted --error flag and error logging and suppresses error messages), --verbose (correlates to info level logging) and --debug (correlates to debug logging). Each flag should also be represented in the configuration file firejail.config with a log {error | info |debug} setting. Command line arguments overwrite the value in the configuration file. Then @rusty-snake 's proposal would make it possible to route to a file for example with --{debug | error | info}-target={file | file descriptor | syslog}[: file | file descriptor | syslog]. The default target if none is given on the command line or in the configuration could be stderr. Like shown above maybe multiple targets should be possible to route for example error output to syslog and stderr. Each of the flags should be considered as a setting of one variable log (or so), so a --debug flag on the command line would overwrite a quiet setting in the configuration file directly without the need of booleans. I think the log setting would also work within profiles. Well IMHO better than being forced to start a global profile with quiet and then you cannot overwrite quiet with ignore quiet in local profiles and so on.

The other way would be to introduce new flags --log={none | error | info | debug} and --{error | info | debug}-target{file | file descriptor | syslog}[: file | file descriptor | syslog]. To be backwards compatible , the --debug, --verbose and --quiet flags would still be kept around and map to the corresponding --log=... flag, with --quiet mapping to none and error being the default. The rest of the logic would be pretty much equivalent to the logic described in the first approach.

Please consider, that I haven't read through all of the code and am no a fluent C programmer so it's likely that I may have overseen something and please correct me if I'm wrong.

<!-- gh-comment-id:815068523 --> @ghost commented on GitHub (Apr 7, 2021): @rusty-snake I think this is going into the right direction of what I meant. Then I had some thoughts which arouse from working with firejai and some confusion about the messages I am confronted with. After reading through the code of `src/firejail` a bit and some other issues concerning quiet mode etc. I think there's a way to make messages and message handling for the end user more comprehensible and maybe solve some of the issues on the way. I think the default (without setting anything in any profile, configuration file etc.) when you start firejail should be to show only errors. When you start firejail with --verbose you would see the usual firejail output starting with profile loading etc. This would spare the quiet settings in the profiles and the `quiet-by-default` setting in the config. Errors (and maybe also information messages) from firejail should be prefixed with "firejail: " to differentiate from error messages coming from the sandboxed application. However that led me to the thought to route every message through a logger. A logger with debug, info and error levels would reflect the current level of implemented messages as far as I have seen it in the `src/firejail/main.c` file, but additional levels like warning etc. would be easily integratable. I see different ways to reflect a logger in the command line arguments and the configuration: The first and obvious way would be to keep the current flags and think of them like `--quiet` (correlates to an inverted `--error` flag and error logging and suppresses error messages), `--verbose` (correlates to info level logging) and `--debug` (correlates to debug logging). Each flag should also be represented in the configuration file `firejail.config` with a `log {error | info |debug}` setting. Command line arguments overwrite the value in the configuration file. Then @rusty-snake 's proposal would make it possible to route to a file for example with `--{debug | error | info}-target={file | file descriptor | syslog}[: file | file descriptor | syslog]`. The default target if none is given on the command line or in the configuration could be `stderr`. Like shown above maybe multiple targets should be possible to route for example error output to `syslog` and `stderr`. Each of the flags should be considered as a setting of one variable `log` (or so), so a `--debug` flag on the command line would overwrite a quiet setting in the configuration file directly without the need of booleans. I think the `log` setting would also work within profiles. Well IMHO better than being forced to start a global profile with quiet and then you cannot overwrite `quiet` with `ignore quiet` in local profiles and so on. The other way would be to introduce new flags `--log={none | error | info | debug}` and `--{error | info | debug}-target{file | file descriptor | syslog}[: file | file descriptor | syslog]`. To be backwards compatible , the `--debug`, `--verbose` and `--quiet` flags would still be kept around and map to the corresponding `--log=...` flag, with `--quiet` mapping to `none` and `error` being the default. The rest of the logic would be pretty much equivalent to the logic described in the first approach. Please consider, that I haven't read through all of the code and am no a fluent C programmer so it's likely that I may have overseen something and please correct me if I'm wrong.
gitea-mirror commented 2026-05-05 09:14:16 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (May 30, 2021):

Fixed! There will be more fixes there, but we track them in #4275

<!-- gh-comment-id:850997077 --> @netblue30 commented on GitHub (May 30, 2021): Fixed! There will be more fixes there, but we track them in #4275
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2561
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?