[GH-ISSUE #4545] Error fcopy: invalid ownership for file /etc/resolv.conf (systemd-resolved) #2698

Closed
opened 2026-05-05 09:21:45 -06:00 by gitea-mirror · 11 comments

Originally created by @crocket on GitHub (Sep 14, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4545

I want to run a sandboxed program with

sudo -u xxx firejail --private-etc=file prog

--private-etc=file results in

Error fcopy: invalid ownership for file /etc/file

because

$ ls -lh /etc/file
-rw-r----- 1 xxx xxx ... /etc/file

Let's say owner and group are xxx, which is neither root nor the regular user that runs my desktop environment.

A workaround is

--whitelist=/etc/file

Version

$ firejail --version
firejail version 0.9.66

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

OS: Gentoo Linux

Relates to:

* #1531

@kmille commented on GitHub (Nov 27, 2023):

I don't know what changed, but my signal-desktop suddenly is also broken:

kmille@linbox: signal-desktop             
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /home/kmille/.config/firejail/globals.local
Reading profile /etc/firejail/electron.profile
Reading profile /home/kmille/.config/firejail/electron.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/kmille/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 115237, child pid 115241
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 115237 cannot sync with peer: unexpected EOF
Peer 115241 unexpectedly exited with status 1

In signal-desktop.profile, there is

private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl

Temporary fix is to add ignore private-etc in ~/.config/firejail/signal-desktop.local.


@kmk3 commented on GitHub (Nov 27, 2023):

> I don't know what changed, but my signal-desktop suddenly is also broken:
>
> Error fcopy: invalid ownership for file /etc/resolv.conf
> Error: failed to run /run/firejail/lib/fcopy, exiting...
> Error: proc 115237 cannot sync with peer: unexpected EOF
> Peer 115241 unexpectedly exited with status 1
>
> In signal-desktop.profile, there is
>
> private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
>
> Temporary fix is to add ignore private-etc in
> ~/.config/firejail/signal-desktop.local.

What is the firejail version and distribution name/version?

What is the output of ls -l /etc/resolv.conf?

Does it happen with firejail-git?


@kmille commented on GitHub (Nov 27, 2023):

I'm running firejail version 0.9.72 on Arch-Linux. By the way the same happened for Nextcloud client.

kmille@linbox:~ ls -l /etc/resolv.conf 
-rw-r--r-- 1 systemd-resolve systemd-resolve 56 Nov 26 11:53 /etc/resolv.conf

UPDATE:
Nothing changes if I use firejail-git (0.9.72.r740.g8f55f6c9a-1). I'm a bit surprised that tag 0.9.72 is from Jan 2023 ...
UPDATE2:
Thunderbird also doesn't start. Seems like my whole system is affected. Am I the only one? I ignore private-etc in my globals.conf for now


@tredondo commented on GitHub (Oct 29, 2024):

Is #6296 the same error?


@kmille commented on GitHub (Nov 13, 2024):

Hmm. The problem came up after the latest update:

kmille@linbox:~ firejail --version
firejail version 0.9.73

kmille@linbox: ping -c 1 1.1.1.1
Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 62538 cannot sync with peer: unexpected EOF
Peer 62540 unexpectedly exited with status 1

kmille@linbox: ls -l /etc/resolv.conf
-rw-r--r-- 1 systemd-resolve systemd-resolve 63 Nov 12 19:52 /etc/resolv.conf

Thunderbird and signal also broke. Adding ignore private-etc to globals.local fixes the problem.


@kmk3 commented on GitHub (Nov 14, 2024):

> Hmm. The problem came up after the latest update:

Update of what?

What is the version before and after?

> kmille@linbox:~ firejail --version
> firejail version 0.9.73
>
> kmille@linbox: ping -c 1 1.1.1.1
> Error fcopy: invalid ownership for file /etc/resolv.conf
> Error: failed to run /run/firejail/lib/fcopy, exiting...
> Error: proc 62538 cannot sync with peer: unexpected EOF
> Peer 62540 unexpectedly exited with status 1
>
> kmille@linbox: ls -l /etc/resolv.conf
> -rw-r--r-- 1 systemd-resolve systemd-resolve 63 Nov 12 19:52 /etc/resolv.conf
>
> Thunderbird and signal also broke. Adding ignore private-etc to
> globals.local fixes the problem.

It appears that the code expects /etc/resolv.conf to be a symlink to
/run/systemd/resolve/resolv.conf, which is not the case above.

Does it work with the following patch?

diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 24f5fd629..61cac877d 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -328,7 +328,9 @@ static char *check(const char *src) {
        //    /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user
        // checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock
        uid_t user = getuid();
-       if (user == 0 && strncmp(rsrc, "/run/systemd/resolve/", 21) == 0) {
+       if (user == 0 &&
+           (strcmp(rsrc, "/etc/resolv.conf") == 0) ||
+           strncmp(rsrc, "/run/systemd/resolve/", 21) == 0) {
                // check user systemd-resolve
                struct passwd *p = getpwnam("systemd-resolve");
                if (!p)
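Review bot: the condition in the `+` lines parses as `(user == 0 && strcmp(rsrc, "/etc/resolv.conf") == 0) || strncmp(rsrc, "/run/systemd/resolve/", 21) == 0`, because `&&` binds tighter than `||`, so the `user == 0` guard that the removed line applied to the `/run/systemd/resolve/` prefix no longer covers it; a non-root caller copying a file under that directory now takes the systemd-resolve branch instead of the default ownership check. Wrap both path tests in one parenthesised group so the guard applies to both, e.g. `if (user == 0 &&` / `    (strcmp(rsrc, "/etc/resolv.conf") == 0 ||` / `     strncmp(rsrc, "/run/systemd/resolve/", 21) == 0)) {`. gcc and clang flag this pattern under -Wparentheses, so the build warning is a quick way to confirm the parse.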
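To make the ownership rule discussed above concrete, here is an added example (not firejail's code and not from the thread) that models fcopy's check as a pure function. The policy it encodes is assumed from the hunk quoted above: the file's owner or group must match the caller, except that a root caller may copy a file whose realpath() lies under /run/systemd/resolve/ (or, with the patch, /etc/resolv.conf itself) when it is owned by the systemd-resolve user. The uid/gid numbers are constructed, and `resolve_exempt_as_quoted` reproduces the operator precedence of the patch as posted so the two readings can be compared side by side.

```c
// Added model of the ownership check fcopy applies before copying a file into
// a private /etc. Not firejail's source: the rule below (owner or group must
// match the caller; root may additionally copy systemd-resolve-owned resolver
// files) is assumed from the hunk quoted in the thread, and the uid/gid
// constants are constructed for the example.
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define RESOLVE_DIR     "/run/systemd/resolve/"
#define RESOLVE_DIR_LEN (sizeof(RESOLVE_DIR) - 1)   /* 21, the length used in the hunk */

/* Constructed identities; real code would use getuid()/getgid()/getpwnam(). */
enum { UID_ROOT = 0, GID_ROOT = 0, UID_SYSTEMD_RESOLVE = 981, UID_XXX = 1001, GID_XXX = 1001 };

struct file_owner { uid_t uid; gid_t gid; };

typedef bool (*exempt_fn)(uid_t caller, const char *rsrc);

/* Exemption before the patch: root and a realpath() under /run/systemd/resolve/.
 * A regular-file /etc/resolv.conf resolves to itself, so it is not covered. */
static bool resolve_exempt_before(uid_t caller, const char *rsrc) {
    return caller == UID_ROOT && strncmp(rsrc, RESOLVE_DIR, RESOLVE_DIR_LEN) == 0;
}

/* Exemption as the patch intends: root, and either path form. */
static bool resolve_exempt_intended(uid_t caller, const char *rsrc) {
    return caller == UID_ROOT &&
           (strcmp(rsrc, "/etc/resolv.conf") == 0 ||
            strncmp(rsrc, RESOLVE_DIR, RESOLVE_DIR_LEN) == 0);
}

/* Exemption as the patch is written: `a && (b) || c` parses as `(a && b) || c`,
 * so the root guard covers only the /etc/resolv.conf test. The parentheses
 * here make that parse explicit without changing it. */
static bool resolve_exempt_as_quoted(uid_t caller, const char *rsrc) {
    return (caller == UID_ROOT && strcmp(rsrc, "/etc/resolv.conf") == 0) ||
           strncmp(rsrc, RESOLVE_DIR, RESOLVE_DIR_LEN) == 0;
}

/* The check: in the exempt case the file must belong to root or systemd-resolve;
 * otherwise its owner or group must match the caller. */
static bool fcopy_accepts(uid_t caller, gid_t caller_gid, const char *rsrc,
                          struct file_owner f, exempt_fn exempt) {
    if (exempt(caller, rsrc))
        return f.uid == UID_ROOT || f.uid == UID_SYSTEMD_RESOLVE;
    return f.uid == caller || f.gid == caller_gid;
}

int main(void) {
    const struct file_owner resolved = { UID_SYSTEMD_RESOLVE, UID_SYSTEMD_RESOLVE };
    const struct file_owner xxx = { UID_XXX, GID_XXX };

    /* The thread's failing case: regular /etc/resolv.conf owned by systemd-resolve. */
    printf("before patch, /etc/resolv.conf as file:      %s\n",
           fcopy_accepts(UID_ROOT, GID_ROOT, "/etc/resolv.conf", resolved, resolve_exempt_before) ? "ok" : "invalid ownership");
    printf("with patch,   /etc/resolv.conf as file:      %s\n",
           fcopy_accepts(UID_ROOT, GID_ROOT, "/etc/resolv.conf", resolved, resolve_exempt_intended) ? "ok" : "invalid ownership");
    /* The symlink layout the code expected: realpath() lands under /run/systemd/resolve/. */
    printf("before patch, symlink to stub-resolv.conf:   %s\n",
           fcopy_accepts(UID_ROOT, GID_ROOT, RESOLVE_DIR "stub-resolv.conf", resolved, resolve_exempt_before) ? "ok" : "invalid ownership");
    /* The original report: /etc/file owned by a third user, no exemption applies. */
    printf("/etc/file owned by xxx:xxx:                  %s\n",
           fcopy_accepts(UID_ROOT, GID_ROOT, "/etc/file", xxx, resolve_exempt_intended) ? "ok" : "invalid ownership");
    /* Precedence pitfall: a non-root caller is exempt only in the as-written form. */
    printf("non-root exempt under /run/systemd/resolve/: intended=%d as-quoted=%d\n",
           resolve_exempt_intended(UID_XXX, RESOLVE_DIR "resolv.conf"),
           resolve_exempt_as_quoted(UID_XXX, RESOLVE_DIR "resolv.conf"));
    return 0;
}
```

The function-pointer parameter is only there so the three exemption variants can be run through the same check; in a real fcopy the exemption is inline, and the fix is simply the extra pair of parentheses in `resolve_exempt_intended`.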

@kmille commented on GitHub (Nov 14, 2024):

[2024-11-05T09:31:01+0100] [ALPM] upgraded firejail-git (0.9.72.r1140.gb2be4870d-1 -> 0.9.72.r1144.gd763fb73c-1)

I will check the patch later, thanks!


@kmille commented on GitHub (Nov 14, 2024):

The patch works, thanks! Should we close this?

UPDATE: Btw: this was actually a misconfiguration... Fixed it (but unrelated)

kmille@linbox:~ ls /etc/resolv.conf 
lrwxrwxrwx 1 root root 41 Nov 14 13:30 /etc/resolv.conf -> /var/run/systemd/resolve/stub-resolv.conf

@kmk3 commented on GitHub (Nov 15, 2024):

> The patch works, thanks!

Thanks for testing.

> Should we close this?

I think I'll close it with the patch.

> UPDATE: Btw: this was actually a misconfiguration... Fixed it (but unrelated)

Could you clarify?

Having it as a normal file seems like a valid configuration.

From systemd-resolved(8):

>   • Alternatively, /etc/resolv.conf may be managed by other packages, in which
>     case systemd-resolved will read it for DNS configuration data. In this
>     mode of operation systemd-resolved is consumer rather than provider of this
>     configuration file.
>
> Note that the selected mode of operation for this file is detected fully
> automatically, depending on whether /etc/resolv.conf is a symlink to
> /run/systemd/resolve/resolve.conf or lists 127.0.0.53 as DNS server.

Also, any idea how /etc/resolv.conf ended up as a normal file but still owned
by systemd-resolve?

> kmille@linbox:~ ls /etc/resolv.conf
> lrwxrwxrwx 1 root root 41 Nov 14 13:30 /etc/resolv.conf -> /var/run/systemd/resolve/stub-resolv.conf

Did you manually point it to /var/run instead of /run?

AFAIK distributions with systemd do not use /var/run.

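The detection rule quoted from systemd-resolved(8) above has two signals: the link target and the file contents. The following added example (not systemd's or firejail's code) applies that rule literally to inputs handed in by the caller, so it can be run against constructed link targets and file bodies instead of the live /etc/resolv.conf. The enum names, the classification function and the sample bodies in main() are all assumptions of this example.

```c
// Added example of the detection rule quoted from systemd-resolved(8):
// /etc/resolv.conf counts as provided by systemd-resolved when it is a symlink
// into /run/systemd/resolve/ or when it lists 127.0.0.53 as a nameserver, and
// as managed by someone else otherwise. Not systemd's or firejail's code; link
// targets and file bodies are constructed inputs passed in by the caller.
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum resolv_mode {
    RESOLV_PROVIDER_SYMLINK, /* symlink into /run/systemd/resolve/ */
    RESOLV_PROVIDER_STUB,    /* file naming the 127.0.0.53 stub listener */
    RESOLV_CONSUMER          /* anything else: resolved only reads it */
};

static bool is_sep(char c) { return c == ' ' || c == '\t' || c == '\r'; }

/* True when some "nameserver" line names exactly 127.0.0.53. Comment lines
 * and other keywords are skipped; the address must be a whole token. */
static bool lists_stub_nameserver(const char *contents) {
    static const char stub[] = "127.0.0.53";
    const char *line = contents;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;
        while (p < end && is_sep(*p)) p++;
        if (end - p > 10 && strncmp(p, "nameserver", 10) == 0 && is_sep(p[10])) {
            p += 10;
            while (p < end && is_sep(*p)) p++;
            const char *tok = p;
            while (p < end && !is_sep(*p)) p++;
            if ((size_t)(p - tok) == sizeof(stub) - 1 &&
                memcmp(tok, stub, sizeof(stub) - 1) == 0)
                return true;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return false;
}

/* link_target is NULL for a regular file, otherwise the symlink's target. */
static enum resolv_mode classify_resolv_conf(const char *link_target, const char *contents) {
    if (link_target && strncmp(link_target, "/run/systemd/resolve/", 21) == 0)
        return RESOLV_PROVIDER_SYMLINK;
    if (lists_stub_nameserver(contents))
        return RESOLV_PROVIDER_STUB;
    return RESOLV_CONSUMER;
}

static const char *mode_name(enum resolv_mode m) {
    switch (m) {
    case RESOLV_PROVIDER_SYMLINK: return "provider (symlink into /run/systemd/resolve/)";
    case RESOLV_PROVIDER_STUB:    return "provider (stub listener named in file)";
    default:                      return "consumer (managed by another package)";
    }
}

int main(void) {
    /* Constructed bodies, modelled on a stub file and on a DHCP-client-written file. */
    const char *stub_body  = "# This is /run/systemd/resolve/stub-resolv.conf\n"
                             "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch lan\n";
    const char *other_body = "search lan\nnameserver 192.168.1.1\n";

    printf("symlink -> /run/systemd/resolve/stub-resolv.conf: %s\n",
           mode_name(classify_resolv_conf("/run/systemd/resolve/stub-resolv.conf", stub_body)));
    /* The /var/run target from the thread misses the prefix test; under this
     * literal reading only the 127.0.0.53 line in the contents still matches. */
    printf("symlink -> /var/run/systemd/resolve/stub-resolv.conf: %s\n",
           mode_name(classify_resolv_conf("/var/run/systemd/resolve/stub-resolv.conf", stub_body)));
    printf("regular file from another resolver: %s\n",
           mode_name(classify_resolv_conf(NULL, other_body)));
    return 0;
}
```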

@kmille commented on GitHub (Nov 15, 2024):

> Could you clarify?
> Having it as a normal file seems like a valid configuration.

True. But I expected it to be a symlink to the systemd-resolved stub.

> Also, any idea how /etc/resolv.conf ended up as a normal file but still owned by systemd-resolve?

No. Part of the "misconfiguration"...

> Did you manually point it to /var/run instead of /run?

No particular reason. The docs (https://wiki.archlinux.org/title/Systemd-resolved) also link to /run. I will change it on my side.

✌️


@kmk3 commented on GitHub (Jul 9, 2025):

> Is #6296 (https://github.com/netblue30/firejail/issues/6296) the same error?

Yes, good catch.

Reference: github-starred/firejail#2698