[GH-ISSUE #4626] Strange issue with xonotic.profile on Arch #2728

Closed
opened 2026-05-05 09:23:33 -06:00 by gitea-mirror · 12 comments

Originally created by @jose1711 on GitHub (Oct 19, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4626

Can't wrap my head around this 😞 Updated Arch Linux, `xonotic` installed from the community repo, latest `firejail` from master. There are 3 binaries in `/usr/bin`:

```
/usr/bin/xonotic-dedicated: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7d9e228eb4389da867dbcb6d5c02674c2a375c0b, for GNU/Linux 3.2.0, stripped
/usr/bin/xonotic-glx:       ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e2f4d1533ef8c2b67aa6103485b12e42cbf9e9c2, for GNU/Linux 3.2.0, stripped
/usr/bin/xonotic-sdl:       ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1726aef21639cca734120f22a8cfe094b46911d3, for GNU/Linux 3.2.0, stripped
```

The profile defines a `private-bin` as follows:

```
private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*
```

If I run the game I get:

```
$ xonotic-sdl
Error: cannot find the program in the path
```

This is odd, so I change `xonotic*` to `xonotic-sdl`. Now the game starts. I revert the change and run a bash inside the profile. Inside it I can see that all 3 files were copied as expected:

```
$ firejail --profile=xonotic-sdl bash
bash-5.1$ echo /usr/bin/*xonotic*
/usr/bin/xonotic-dedicated /usr/bin/xonotic-glx /usr/bin/xonotic-sdl
```

So it looks like the globbing worked. Any idea where this is coming from?

gitea-mirror 2026-05-05 09:23:33 -06:00 closed this issue and added the bug label.

@rusty-snake commented on GitHub (Oct 20, 2021):

> Any idea where this is coming from?

```console
$ git grep "cannot find the program in the path"
src/firejail/run_symlink.c:             fprintf(stderr, "Error: cannot find the program in the path\n");
```

```C
void run_symlink(int argc, char **argv, int run_as_is) {
    ...
    char *p = find_in_path(program);
    if (!p) {
        fprintf(stderr, "Error: cannot find the program in the path\n");
        exit(1);
    }
    ...
```

Can you run `firejail --debug /usr/bin/xonotic-sdl`?

What does `which -a xonotic-sdl` show?
Maybe 7a1dd38c broke it? cc @smitsohu


@SkewedZeppelin commented on GitHub (Oct 20, 2021):

I noticed this a few months ago on Fedora 34.
Had to revert the wildcard.

```
-rw-r--r--. 1 root root 1.4K Aug 20 11:31 /etc/firejail/xonotic.profile
```

@jose1711 commented on GitHub (Oct 20, 2021):

Tried to revert https://github.com/netblue30/firejail/commit/7a1dd38c5155bf833e62a55aab56450b8377db75 but it's still the same. Maybe we want to go back from `xonotic*` to explicitly naming the files? (partially revert https://github.com/netblue30/firejail/commit/41f69f7a748f1533b7506f1e28529520d660b894)


@rusty-snake commented on GitHub (Oct 20, 2021):

`firejail --debug --private /usr/bin/xonotic-sdl` works for me ...

Can you try with `--debug`?


@jose1711 commented on GitHub (Oct 20, 2021):

> `firejail --debug --private /usr/bin/xonotic-sdl` works for me ...
>
> Can you try with `--debug`?

Same. Are you on Arch as well? Also which part of the output should I paste (it's massive).


@rusty-snake commented on GitHub (Oct 20, 2021):

Fedora 34.

The lines before "cannot find the program in the path", e.g. where it tries to search.


@jose1711 commented on GitHub (Oct 20, 2021):

```
..
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Create the new ld.so.preload file
Blacklist violations are logged to syslog
Mount the new ld.so.preload file
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 92 91 50 
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/xonotic-sdl
Child process initialized in 124.10 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Error: cannot find the program in the path
monitoring pid 48
```


@smitsohu commented on GitHub (Oct 20, 2021):

In the debug log there _might_ be a section like this:

```
Searching $PATH for bla
trying #/usr/local/bin/bla#
trying #/usr/bin/bla#
trying #/bin/bla#
trying #/usr/local/sbin/bla#
trying #/usr/sbin/bla#
```

You may also want to compare the output of `firejail --profile=xonotic --quiet sh -c "echo $PATH"` to `echo $PATH` outside the sandbox.

Inside the sandbox, after `private-bin` was processed, there _should_ be no Firejail symbolic links at all, because `private-bin` mounts a tmpfs on /usr/local/bin, which is where these links normally go.


@jose1711 commented on GitHub (Oct 21, 2021):

There is no such section/lines:

```
$ firejail --debug --private /usr/bin/xonotic-sdl 2>&1 | grep -e Search -e trying
$
```

> You may also want to compare the output of

`PATH` is the same inside and outside the sandbox.

> there should be no Firejail symbolic links

OK then I think that is probably the issue, b/c:

```
$ firejail --profile=xonotic --quiet sh -c 'ls -l /usr/local/bin/xonotic*'
-rwxr-xr-x 1 nobody nobody 3410952 okt 21 13:59 /usr/local/bin/xonotic-dedicated
lrwxrwxrwx 1 nobody nobody      17 okt 21 13:59 /usr/local/bin/xonotic-glx -> /usr/bin/firejail
lrwxrwxrwx 1 nobody nobody      17 okt 21 13:59 /usr/local/bin/xonotic-sdl -> /usr/bin/firejail
```

@smitsohu commented on GitHub (Oct 21, 2021):

Ok, that's strange.
You didn't by chance enable `private-bin-no-local` in the Firejail configuration file (`/etc/firejail/firejail.config`)?

`firejail --private-bin=ls --profile=xonotic --quiet ls -l /usr/bin`

Does that show all of /usr/bin, or do you have a restricted view?


@jose1711 commented on GitHub (Oct 22, 2021):

`firejail.config` is stock (all entries are commented out).

```
$ firejail --private-bin=ls --profile=xonotic --quiet ls -l /usr/bin
total 13420
-rwxr-xr-x 1 nobody nobody   39072 Oct 22 10:07 basename
-rwxr-xr-x 1 nobody nobody  952720 Oct 22 10:07 bash
-rwxr-xr-x 1 nobody nobody   47296 Oct 22 10:07 cut
-rwxr-xr-x 1 nobody nobody 3781264 Oct 22 10:07 darkplaces-glx
-rwxr-xr-x 1 nobody nobody 3765776 Oct 22 10:07 darkplaces-sdl
-rwxr-xr-x 1 nobody nobody   39072 Oct 22 10:07 dirname
-rwsr-xr-x 1 nobody nobody  478664 Oct 22 10:07 firejail
-rwxr-xr-x 1 nobody nobody   63464 Oct 22 10:07 glxinfo
-rwxr-xr-x 1 nobody nobody  235824 Oct 22 10:07 grep
-rwxr-xr-x 1 nobody nobody   47296 Oct 22 10:07 head
-rwxr-xr-x 1 nobody nobody    5443 Oct 22 10:07 ldd
-rwxr-xr-x 1 nobody nobody  146056 Oct 22 10:07 ls
-rwxr-xr-x 1 nobody nobody  153848 Oct 22 10:07 netstat
-rwxr-xr-x 1 nobody nobody  137504 Oct 22 10:07 ps
-rwxr-xr-x 1 nobody nobody   47264 Oct 22 10:07 readlink
-rwxr-xr-x 1 nobody nobody  186712 Oct 22 10:07 sed
lrwxrwxrwx 1 nobody nobody      13 Oct 22 10:07 sh -> /usr/bin/bash
-rwxr-xr-x 1 nobody nobody   39104 Oct 22 10:07 uname
-rwxr-xr-x 1 nobody nobody 3410952 Oct 22 10:07 xonotic-dedicated
lrwxrwxrwx 1 nobody nobody      17 Oct 22 10:07 xonotic-glx -> /usr/bin/firejail
lrwxrwxrwx 1 nobody nobody      17 Oct 22 10:07 xonotic-sdl -> /usr/bin/firejail
-rwxr-xr-x 1 nobody nobody  127368 Oct 22 10:07 zenity
```

@smitsohu commented on GitHub (Oct 22, 2021):

Thanks, I think it's clear now. We are skipping these Firejail symbolic links when there is no globbing, but with globbing we need to do the same thing. It's a bug!

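The skip that smitsohu describes, as an added Python sketch that is not firejail's code: it models `private-bin` resolution over a constructed fake filesystem (real binaries in `/usr/bin`, firejail's own `xonotic-* -> /usr/bin/firejail` symlinks in `/usr/local/bin`) and applies the firejail-symlink check to glob entries as well as plain names, with a switch that reproduces the reported behaviour. The directory order and the `build_fixture`, `is_firejail_symlink` and `resolve_private_bin` names are assumptions.

```python
import fnmatch
import os
import tempfile

# Lookup order assumed for this sketch; the issue only shows /usr/local/bin
# (where firejail keeps its own symlinks) shadowing /usr/bin on $PATH.
BIN_DIRS = ["usr/local/bin", "usr/bin"]
FIREJAIL = "usr/bin/firejail"


def build_fixture():
    """Constructed layout mirroring the reporter's box: real binaries in
    /usr/bin, and firejail's xonotic-* -> /usr/bin/firejail symlinks in
    /usr/local/bin. Returns the fake filesystem root."""
    root = tempfile.mkdtemp()
    for d in BIN_DIRS:
        os.makedirs(os.path.join(root, d))
    for name in ["firejail", "sh", "xonotic-dedicated", "xonotic-glx", "xonotic-sdl"]:
        path = os.path.join(root, "usr/bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    for name in ["xonotic-glx", "xonotic-sdl"]:
        os.symlink(os.path.join(root, FIREJAIL),
                   os.path.join(root, "usr/local/bin", name))
    return root


def is_firejail_symlink(path, firejail):
    """True for the symlinks firejail installs for its own auto-sandboxing.
    Copied into a private-bin they re-enter firejail, whose run_symlink()
    then cannot find the real program (the error quoted in the issue)."""
    return os.path.islink(path) and os.path.realpath(path) == os.path.realpath(firejail)


def resolve_private_bin(root, spec, skip_firejail_links=True):
    """Map each private-bin name to the file that would be copied; the first
    BIN_DIRS hit wins. skip_firejail_links=False reproduces the reported
    behaviour for glob entries, where the symlink check was missing."""
    firejail = os.path.join(root, FIREJAIL)
    chosen = {}
    for pattern in spec.split(","):
        for d in BIN_DIRS:
            dirpath = os.path.join(root, d)
            for name in sorted(fnmatch.filter(os.listdir(dirpath), pattern)):
                path = os.path.join(dirpath, name)
                if name in chosen or (skip_firejail_links and is_firejail_symlink(path, firejail)):
                    continue
                chosen[name] = path
    return chosen
```

With the check in place, `xonotic*` resolves to the three real binaries; without it, `xonotic-sdl` and `xonotic-glx` resolve to the `/usr/local/bin` symlinks, matching the `ls -l` output above.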