[GH-ISSUE #4646] private-bin throws fopen: Permission denied after latest related commits #2738

Closed
opened 2026-05-05 09:24:13 -06:00 by gitea-mirror · 6 comments

Originally created by @ghost on GitHub (Oct 27, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4646

Profiles with private-bin recently started to throw fopen: Permission denied for me with firejail built from git:

$ firejail --ignore=quiet --private-bin=bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local

** Note: you can use --noprofile to disable default.profile **

Parent pid 3823180, child pid 3823200
fopen: Permission denied
1 program installed in 23.09 ms
Child process initialized in 778.53 ms

Compare that to:

$ firejail --ignore=quiet
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local

** Note: you can use --noprofile to disable default.profile **

Parent pid 3828120, child pid 3828125
Child process initialized in 342.88 ms

Bisecting points to these commits:

https://github.com/netblue30/firejail/commit/7f0b5ddd8881c5276138b061109ab48eb5165201
https://github.com/netblue30/firejail/commit/ee1d5d7c8cb2f7b3ab81125168881040f5d17d48
https://github.com/netblue30/firejail/commit/98df98e9987357f893cdd1b0f5c9aa8d93ae8d23

@smitsohu Any insights on why this could be happening?


@rusty-snake commented on GitHub (Oct 27, 2021):

Minimal STR: firejail --noprofile --private-bin=true true

Snipped from --debug:

Copying files in the new bin directory
Checking /usr/local/bin/true
Checking /usr/bin/true
sbox run: /run/firejail/lib/fcopy /usr/bin/true /run/firejail/mnt/bin 
Relabeling /run/firejail/mnt/bin/true as /usr/bin/true (system_u:object_r:bin_t:s0)
fopen: Permission denied
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Relabeling /run/firejail/mnt/bin as /bin (system_u:object_r:bin_t:s0)
1 program installed in 8.21 ms

@smitsohu commented on GitHub (Oct 27, 2021):

Thanks!

The message is coming from here:
https://github.com/netblue30/firejail/blob/efbf74e12421c97d8a1756649422f83f4a0b7e50/src/firejail/fs_logger.c#L91-L100

If private-bin is the first to call fs_logger_print() it must be root to create the file. I'll push a fix shortly.

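To make the ordering problem concrete, here is an added C illustration (not firejail's own fs_logger code): a log file that is created lazily on the first append fails with EACCES once the caller is no longer privileged, while creating it during the privileged setup phase lets later appends succeed. The loss of privilege is simulated by making the directory read-only (chmod 0555) rather than by setuid, so it runs as an ordinary user; the path names are constructed for the demo.

```c
// Added example (not firejail's code): lazy log-file creation after the
// privileged phase fails, pre-creating the file while privileged works.
// "Dropping privileges" is simulated with chmod 0555 on the directory.
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

// Append one line. fopen("a") creates a missing file, which needs write
// permission on the directory; that is the step that fails in the bug.
static int log_append(const char *path, const char *line) {
    FILE *fp = fopen(path, "a");
    if (!fp) {
        perror("fopen");                      // prints "fopen: Permission denied"
        return -1;
    }
    fputs(line, fp);
    return fclose(fp);
}

// Privileged phase: create the empty log file up front, so later appends
// only need write permission on the file itself, not on the directory.
static int log_precreate(const char *path) {
    return log_append(path, "");
}

// Builds a scratch directory, optionally pre-creates the log, "drops
// privileges" (chmod 0555), then performs a first append. Returns 1 if the
// append succeeds, 0 if it fails, -1 on setup error; cleans up after itself.
static int run_scenario(int precreate) {
    char dir[] = "/tmp/fslogger-demo-XXXXXX", path[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/fslogger", dir);
    int rc = 0;
    if ((!precreate || log_precreate(path) == 0) && chmod(dir, 0555) == 0)
        rc = log_append(path, "mount-bind /run/firejail/mnt/bin /usr/bin\n") == 0;
    chmod(dir, 0755);                         // restore so cleanup can unlink
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("lazy creation after drop:     %s\n", run_scenario(0) ? "ok" : "failed");
    printf("pre-created while privileged: %s\n", run_scenario(1) ? "ok" : "failed");
    return 0;
}
```

Run as root the lazy case succeeds too, because CAP_DAC_OVERRIDE bypasses the directory mode; that is exactly why the bug only surfaced once the first fs_logger_print() call moved to a point where the process was no longer root.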

@smitsohu commented on GitHub (Oct 27, 2021):

> I'll push a fix shortly.

Ah sorry, I didn't see that @glitsj16 already wanted to work on it. It's yours :)


@ghost commented on GitHub (Oct 27, 2021):

> Ah sorry, I didn't see that @glitsj16 already wanted to work on it. It's yours :)

I'm not sure what happened, but I think GitHub assigned me automatically somehow.
@smitsohu I don't want to break things, please push your fix :)


@smitsohu commented on GitHub (Oct 28, 2021):

Well... it looks like I am breaking things, too ;)


@smitsohu commented on GitHub (Oct 29, 2021):

Fixed!

Reference: github-starred/firejail#2738