[GH-ISSUE #4381] regression in 0.9.64.2: private-tmp whitelists .X11-unix, but makes it read-only #2646

Closed
opened 2026-05-05 09:18:31 -06:00 by gitea-mirror · 1 comment

Originally created by @jonleivent on GitHub (Jul 2, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4381

I am testing upgrading firejail from .9.58.2 to .9.64.2, and found that the private-tmp behavior with respect to whitelisting the .X11-unix dir has changed. In .9.58.2, the whitelisting of .X11-unix left it writable, allowing the firejailed process (Xephyr, for instance) to create new sockets. In .9.64.2, .X11-unix is read-only, and cannot be made writable with the read-write option either. As a result, Xephyr subprocesses that use private-tmp don't work.

Is there some additional setting somewhere in .9.64.2 that will leave .X11-unix writable when using private-tmp, or do I have to abandon using private-tmp?

gitea-mirror 2026-05-05 09:18:31 -06:00 closed this issue and added the "duplicate" label.

@rusty-snake commented on GitHub (Jul 2, 2021):

Duplicate of #4244

anything answered there + workaround. closing here.

> I am testing upgrading firejail from 0.9.58.2 to 0.9.64.2

You should try to upgrade to at least 0.9.64.4 for security reasons (unless the 0.9.64.2 you want to use has backported fixes).

Reference: github-starred/firejail#2646