[GH-ISSUE #4625] Firejail Incompatible with Ubuntu 21.10 #2730

Closed
opened 2026-05-05 09:23:33 -06:00 by gitea-mirror · 16 comments

Originally created by @bobsmitherton on GitHub (Oct 19, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4625

Summary: The firejail package in the package sources of Ubuntu 21.10 is missing the suid bit.
Fix: `sudo chmod u+s /usr/bin/firejail`
If you have a launchpad account: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1948480/comments/4


Description

Upon upgrading to Ubuntu 21.10, Firejail no longer sandboxes Firefox as designed.
The Firefox browser is no longer restricted to just accessing the /Downloads directory.
In addition, LibreOffice Calc, Impress, and Writer won't start at all.
Hopefully, this security issue can be resolved quickly because I am browsing the Internet without the benefit of a sandbox at this time.

Steps to Reproduce

Part 1: Launching FireTools results in:

> Cannot run Firejail sandbox, you may not have the correct permissions to access this program.

In the terminal, I get this:

    $ firejail --list
    Error PR_CAPBSET_DROP: caps.c:323 caps_drop_all: Operation not permitted
    Error: failed to run /usr/bin/firemon

Part 2: Once Firejail is removed using `sudo apt-get purge --auto-remove firejail`, the LibreOffice programs start normally.
The LibreOffice programs can work if Firejail is installed but `sudo firecfg` has not been run yet (confirmed using `sudo firecfg --list` which shows no entries).

Part 3: Running `firejail firefox` kicks back this message:

> Error mkdir: util.c:1138 create_empty_dir_as_root: Permission denied.

Expected behavior

Firefox browser should be restricted to just accessing the /Downloads directory after running `sudo firecfg`.
LibreOffice programs should open.

Actual behavior

I was able to successfully upload test files within Firefox from both the /Pictures and /Music directories thus confirming the sandbox is broken.
LibreOffice programs never start.

Additional context

Furthermore, I tried the PPA located at: https://launchpad.net/~deki/+archive/ubuntu/firejail and that did not solve the issue.

Environment

  • Ubuntu: 21.10
  • Firefox: 93.0
  • Kernel: Linux 5.13.0-19-generic x86_64
  • Firejail: 0.9.66-1~0ubuntu21.10.0
  • LibreOffice: 7.2.2.2

Edit by @kmk3: Formatting.

gitea-mirror closed this issue and added the duplicate label on 2026-05-05 09:23:33 -06:00.

@kmk3 commented on GitHub (Oct 19, 2021):

@bobsmitherton commented on Oct 19:

> Description
>
> Upon upgrading to Ubuntu 21.10, Firejail no longer sandboxes Firefox as designed.
> The Firefox browser is no longer restricted to just accessing the /Downloads directory.
> In addition, LibreOffice Calc, Impress, and Writer won't start at all.
> Hopefully, this security issue can be resolved quickly because I am browsing the Internet without the benefit of a sandbox at this time.
>
> Steps to Reproduce
>
> Part 1: Launching FireTools results in:
>
> > Cannot run Firejail sandbox, you may not have the correct permissions to access this program.
>
> In the terminal, I get this:
>
>     $ firejail --list
>     Error PR_CAPBSET_DROP: caps.c:323 caps_drop_all: Operation not permitted
>     Error: failed to run /usr/bin/firemon
>
> Part 2: Once Firejail is removed using `sudo apt-get purge --auto-remove firejail`, the LibreOffice programs start normally. The LibreOffice programs can work if Firejail is installed but `sudo firecfg` has not been run yet (confirmed using `sudo firecfg --list` which shows no entries).
>
> Part 3: Running `firejail firefox` kicks back this message:
>
> > Error mkdir: util.c:1138 create_empty_dir_as_root: Permission denied.

Not sure if this is related or not, but Ubuntu 21.10 comes with Firefox (among
other programs) installed as a snap rather than a normal package (see #4554).
If the default "app store" is used, it also installs certain things as snaps.
And firejail does not work with snaps.

Can you confirm that the programs being executed aren't the snap versions?


@rusty-snake commented on GitHub (Oct 19, 2021):

What did I say? Only 5 days. Fuck yeah, Canonical this time you really shot it down. How long do you actually want to use snaps before you use flatpaks? As long as you used upstart? Or Unity? Or MIR? Did any "innovation" from Ubuntu ever make it? Or was it always Red Hat?


@bryn1u commented on GitHub (Oct 22, 2021):

I have exactly the same issue. I installed from repo.

    bryn1u@Proton:~$ firejail --list
    Error mkdir: util.c:1019 create_empty_dir_as_root: Permission denied

    bryn1u@Proton:~$ firejail firefox
    Error mkdir: util.c:1019 create_empty_dir_as_root: Permission denied

    bryn1u@Proton:~$ uname -a
    Linux Proton 5.13.0-20-generic #20-Ubuntu SMP Fri Oct 15 14:21:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

    bryn1u@Proton:~$ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 21.10
    Release: 21.10
    Codename: impish

@rusty-snake commented on GitHub (Oct 22, 2021):

Duplicate of #4609


@rusty-snake commented on GitHub (Oct 22, 2021):

https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1948480


@rusty-snake commented on GitHub (Oct 22, 2021):

> Hopefully, this security issue can be resolved quickly because I am browsing the Internet without the benefit of a sandbox at this time.

@bobsmitherton Nope, you have the snap sandbox and firefox's sandbox.


@reinerh commented on GitHub (Oct 23, 2021):

Hm, somehow firejail was not installed suid root in Ubuntu 21.10.

Build log for 0.9.64.4-1 in 21.04: https://launchpadlibrarian.net/522037166/buildlog_ubuntu-hirsute-amd64.firejail_0.9.64.4-1_BUILDING.txt.gz

    -rwsr-xr-x root/root    474800 2021-02-08 17:23 ./usr/bin/firejail

Build log for 0.9.64.4-2 in 21.10: https://launchpadlibrarian.net/536116439/buildlog_ubuntu-impish-amd64.firejail_0.9.64.4-2_BUILDING.txt.gz

    -rwxr-xr-x root/root    458416 2021-02-27 11:25 ./usr/bin/firejail

No idea right now where this broke. Probably in some toolchain package.
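
The comparison of the two build-log listings in the comment above can be automated. This is an added example, not part of the original thread or of firejail's packaging: a POSIX shell check that classifies the setuid state of one path in `dpkg-deb -c` or build-log style listings. The function names are hypothetical, and `installed_state` assumes GNU `stat`.

```sh
#!/bin/sh
# Added example (not from the thread): classify the setuid state of one path in a
# tar-style listing such as a Launchpad build log or `dpkg-deb -c` output.

# The two listing lines quoted from the build logs in the comment above.
HIRSUTE_LINE='-rwsr-xr-x root/root    474800 2021-02-08 17:23 ./usr/bin/firejail'
IMPISH_LINE='-rwxr-xr-x root/root    458416 2021-02-27 11:25 ./usr/bin/firejail'

# suid_state LISTING PATH
# Prints one of: suid-root, suid-not-root, suid-noexec, not-suid, missing.
# Field 1 is the mode string, field 2 is owner/group, the last field is the path.
suid_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF == want {
            found = 1
            bit = substr($1, 4, 1)          # owner-execute slot: x, s, S or -
            if (bit == "S")                     print "suid-noexec"
            else if (bit != "s")                print "not-suid"
            else if (index($2, "root/") == 1)   print "suid-root"
            else                                print "suid-not-root"
            exit
        }
        END { if (!found) print "missing" }'
}

# installed_state PATH: same classification for a file on disk.
# Assumes GNU stat (coreutils); the -c format is arranged to match the listing layout.
# Paths containing whitespace are not handled.
installed_state() {
    suid_state "$(stat -c '%A %U/%G %n' "$1" 2>/dev/null)" "$1"
}

# audit_listing LISTING PATH: returns 0 only if PATH is setuid root in LISTING.
audit_listing() {
    state=$(suid_state "$1" "$2")
    printf '%s: %s\n' "$2" "$state"
    [ "$state" = suid-root ]
}

audit_listing "$HIRSUTE_LINE" ./usr/bin/firejail || echo "  -> 21.04 build is broken"
audit_listing "$IMPISH_LINE"  ./usr/bin/firejail || echo "  -> 21.10 build lost the setuid bit"
printf 'installed /usr/bin/firejail: %s\n' "$(installed_state /usr/bin/firejail)"
```

To check a downloaded package before installing it, pass the output of `dpkg-deb -c` on the `.deb` file as the first argument of `audit_listing`.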


@reinerh commented on GitHub (Oct 23, 2021):

> Hopefully, this security issue can be resolved quickly because I am browsing the Internet without the benefit of a sandbox at this time.

I wouldn't get your hopes up, Ubuntu is extremely slow with applying security fixes, even for their LTS releases. For a different actual security issue a patch is available in their bug tracker for many months (see Ubuntu bug 1916767) and the security team is aware of it (they would just need to upload it), but for some reason it's stuck...

If security is important to you and you don't have a good reason for running Ubuntu, I would recommend using something else (e.g. directly Debian).


@rusty-snake commented on GitHub (Oct 23, 2021):

I have little idea about deb/dpkg/... but this looks to me to be in the wrong order (i.e. set suid -> remove suid)

    make[1]: Leaving directory '/<<PKGBUILDDIR>>'
       debian/rules override_dh_fixperms-arch
    make[1]: Entering directory '/<<PKGBUILDDIR>>'
    dh_fixperms -Xfshaper.sh -Xfcopy -Xfldd -Xfnet -Xfnetfilter -Xfsec-optimize -Xfsec-print -Xfseccomp
    chmod 4755 debian/firejail/usr/bin/firejail
    make[1]: Leaving directory '/<<PKGBUILDDIR>>'
       dh_fixperms -Nfirejail
       debian/rules override_dh_missing

@reinerh commented on GitHub (Oct 23, 2021):

> I have little idea about deb/dpkg/... but this looks to me to be in the wrong order (i.e. set suid -> remove suid)
>
>     make[1]: Leaving directory '/<<PKGBUILDDIR>>'
>        debian/rules override_dh_fixperms-arch
>     make[1]: Entering directory '/<<PKGBUILDDIR>>'
>     dh_fixperms -Xfshaper.sh -Xfcopy -Xfldd -Xfnet -Xfnetfilter -Xfsec-optimize -Xfsec-print -Xfseccomp
>     chmod 4755 debian/firejail/usr/bin/firejail
>     make[1]: Leaving directory '/<<PKGBUILDDIR>>'
>        dh_fixperms -Nfirejail
>        debian/rules override_dh_missing

This *should* be fine. The second call is for binary packages other than firejail (which was already handled by the `override_dh_fixperms-arch` override). And as there is no `override_dh_missing` target, this should not do anything.


@reinerh commented on GitHub (Oct 23, 2021):

The Ubuntu 21.10 PPA is also affected. *sigh*


@reinerh commented on GitHub (Oct 23, 2021):

I have asked an Ubuntu dev and he took care of it. A simple rebuild will fix it, as it was affected by some toolchain problem.
I will later also update the PPA (Update: PPA now has a working version in 21.10).


@pseudofunizer commented on GitHub (Oct 26, 2021):

> I have asked an Ubuntu dev and he took care of it. A simple rebuild will fix it, as it was affected by some toolchain problem. I will later also update the PPA (Update: PPA now has a working version in 21.10).

Can you point a link to the PPA? I just updated to 21.10 and realized firejail is broken. :(

EDIT: OK, this is just in; 1hr ago: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1948480/comments/4 -- will try those instructions for the time being.


@rusty-snake commented on GitHub (Oct 26, 2021):

https://launchpad.net/~deki/+archive/ubuntu/firejail

EDIT: All you need to make it work is `sudo chmod u+s /usr/bin/firejail`


@reinerh commented on GitHub (Oct 26, 2021):

> EDIT: OK, this is just in; 1hr ago: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1948480/comments/4 -- will try those instructions for the time being.

Thanks. When you tested it successfully, can you please leave a comment over there? I think otherwise it will not migrate to "-updates".


@reinerh commented on GitHub (Nov 4, 2021):

The fixed version is now released in Ubuntu 21.10.
