[GH-ISSUE #362] seccomp, --user, caps, setcap not working together #259

Closed
opened 2026-05-05 05:27:16 -06:00 by gitea-mirror · 8 comments

Originally created by @aliascc on GitHub (Mar 10, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/362

Hi,

I have the following script:

#!/usr/bin/python
import socket
ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ss.bind(("127.0.0.1", 569))   # port below 1024: kernel requires CAP_NET_BIND_SERVICE
ss.listen(20)

I run the commands (as root):

  • setcap cap_net_admin,cap_net_bind_service+eip /usr/bin/python2.7
  • firejail --noprofile --seccomp --caps.keep=net_admin,net_bind_service --user=carlos -- ./server.py

And it gives me the following error:

Switching to user carlos, UID 1000, GID 1000
Parent pid 7620, child pid 7621

Child process initialized
Traceback (most recent call last):
  File "./server.py", line 7, in <module>
    ss.bind(("127.0.0.1", 569))
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied

if I run the command without --seccomp it works correctly:

  • firejail --noprofile --caps.keep=net_admin,net_bind_service --user=carlos -- ./server.py

Is this expected behavior or an issue?


@netblue30 commented on GitHub (Mar 10, 2016):

It is clear seccomp doesn't like something there. Check your system log (/var/log/syslog on Debian) for seccomp messages such as this:

Dec  8 12:53:57 debian kernel: [17261.662738] audit: type=1326 audit(1450461237.367:2): auid=1000 uid=1000 gid=1000 ses=1 pid=4750 comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7ff42f8cdc6c code=0x0

It will tell you what system call killed the process.


@aliascc commented on GitHub (Mar 10, 2016):

I looked at syslog, kern.log, auth.log; nothing is being logged when the error occurs :S


@netblue30 commented on GitHub (Mar 10, 2016):

I think the problem is with the port number, use something above 1000. The order of operation is this: first the user is switched to carlos, then seccomp and caps are set, then the program is run. Your program is running as carlos, so it will not be able to bind to that port.


@aliascc commented on GitHub (Mar 10, 2016):

Yes, but adding the CAP_NET_BIND_SERVICE, CAP_NET_ADMIN to the executable should allow the process to run. Are you saying that seccomp filters go first and then the CAPs are applied?


@netblue30 commented on GitHub (Mar 10, 2016):

A root user without CAP_NET_BIND cannot bind to ports below 1024. A regular user can never bind to ports below 1024, regardless what the value of CAP_NET_BIND is. Your program is running as user carlos.


@aliascc commented on GitHub (Mar 11, 2016):

Yes it is running as user carlos. But the python interpreter has the "setcap" for CAP_NET_BIND_SERVICE. If I do

root@mypc# su carlos
carlos@mypc# ./server2

It works correctly.

the command

root@mypc# getcap /usr/bin/python2.7 
/usr/bin/python2.7 = cap_net_bind_service,cap_net_admin+eip

@netblue30 commented on GitHub (Mar 11, 2016):

So basically you allow any program running under python to raise privileges and become root for networking purposes. You were right, --seccomp is the problem. It disables the privilege raise, so actually your program is prevented from becoming root, and it will fail to bind to that specific port.
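
The two checks suggested in this thread (read the seccomp audit record to see which syscall fired, and work out whether the process really holds CAP_NET_BIND_SERVICE) can be scripted. The following is an added example, not code from the issue or from firejail. It assumes Linux (the /proc/<pid>/status layout), Python 3, and an x86_64 kernel for the small syscall-name table; the audit record is the one quoted earlier in the thread and the two /proc status extracts are constructed to mimic the sandboxed interpreter and a process that did pick up the file capabilities. The mechanism it diagnoses is a kernel rule: once no_new_privs is set (which firejail does before installing a seccomp filter), execve() ignores file capabilities, so the setcap +eip on python2.7 has no effect and bind() on a port below 1024 fails with EACCES.

```python
#!/usr/bin/env python3
"""Diagnose a failed bind() on a privileged port inside a sandbox.

Added example, not from the issue or from firejail. Assumes Linux,
Python 3 and (for syscall names) x86_64.
"""
import re
import socket

# Capability bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE = 10
CAP_NET_ADMIN = 12

# Subset of the x86_64 syscall table (asm/unistd_64.h); arch=c000003e in
# an audit record is AUDIT_ARCH_X86_64.
X86_64_SYSCALLS = {
    41: "socket", 49: "bind", 50: "listen", 57: "fork", 59: "execve",
    101: "ptrace", 105: "setuid", 126: "capset", 157: "prctl",
}

# Sample input: the seccomp audit record quoted in the thread.
AUDIT_SAMPLE = (
    'Dec  8 12:53:57 debian kernel: [17261.662738] audit: type=1326 '
    'audit(1450461237.367:2): auid=1000 uid=1000 gid=1000 ses=1 pid=4750 '
    'comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 '
    'compat=0 ip=0x7ff42f8cdc6c code=0x0'
)

# Constructed /proc/self/status extracts: the sandboxed interpreter
# (empty CapEff, no_new_privs set) versus a process that really gained
# the file capabilities (0x1400 = bits 10 and 12).
STATUS_SANDBOXED = ("Name:\tpython2.7\nUid:\t1000\t1000\t1000\t1000\n"
                    "CapEff:\t0000000000000000\nNoNewPrivs:\t1\n")
STATUS_WITH_CAPS = ("Name:\tpython2.7\nUid:\t1000\t1000\t1000\t1000\n"
                    "CapEff:\t0000000000001400\nNoNewPrivs:\t0\n")

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split a type=1326 (SECCOMP) audit record into a dict, or None.

    Numeric fields become ints; syscall_name is added for known x86_64
    numbers so the syscall that killed the process can be read off.
    """
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None
    for key in ("syscall", "sig", "pid", "uid", "auid", "gid"):
        if key in fields:
            fields[key] = int(fields[key])
    if fields.get("arch") == "c000003e":
        fields["syscall_name"] = X86_64_SYSCALLS.get(fields["syscall"], "unknown")
    return fields


def parse_status(text):
    """Pull NoNewPrivs and CapEff out of /proc/<pid>/status text."""
    info = {"no_new_privs": None, "cap_eff": 0}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "NoNewPrivs":
            info["no_new_privs"] = value.strip() == "1"
        elif key == "CapEff":
            info["cap_eff"] = int(value.strip(), 16)
    return info


def has_cap(cap_eff, bit):
    """True if capability number `bit` is in the effective set."""
    return bool((cap_eff >> bit) & 1)


def diagnose_bind(status_text, port):
    """Explain whether bind() on `port` can succeed from the status fields.

    The kernel checks CAP_NET_BIND_SERVICE, not the uid, for ports below
    1024; with no_new_privs set, execve() does not honour file caps.
    """
    info = parse_status(status_text)
    if port >= 1024:
        return "ok: unprivileged port, no capability needed"
    if has_cap(info["cap_eff"], CAP_NET_BIND_SERVICE):
        return "ok: CAP_NET_BIND_SERVICE is in CapEff"
    if info["no_new_privs"]:
        return ("fail: CAP_NET_BIND_SERVICE missing and NoNewPrivs=1, "
                "so setcap +eip on the interpreter was ignored at execve")
    return "fail: CAP_NET_BIND_SERVICE missing; check getcap and --caps.keep"


def try_bind(port, host="127.0.0.1"):
    """Attempt the bind from the issue; return 0 on success, else errno."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


if __name__ == "__main__":
    print(parse_audit_line(AUDIT_SAMPLE))
    with open("/proc/self/status") as fh:
        print(diagnose_bind(fh.read(), 569))
    print("bind(127.0.0.1:569) errno:", try_bind(569))
```

Run it under the same firejail command line as the issue (`firejail --noprofile --seccomp --caps.keep=net_admin,net_bind_service --user=carlos -- ./diagnose.py`) and it reports NoNewPrivs=1 with an empty CapEff, which is why no audit record ever appeared: the process was not killed by a filter, it simply never regained the capabilities. Without --seccomp, the same script shows CapEff containing bit 10 and bind() returns 0.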


@aliascc commented on GitHub (Mar 13, 2016):

So it is an expected behavior from seccomp. I guess we can close the issue. Thank you very much!
