[GH-ISSUE #4668] Chasing SUID executables #2745

Closed
opened 2026-05-05 09:24:25 -06:00 by gitea-mirror · 12 comments

Originally created by @netblue30 on GitHub (Nov 4, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4668

I am looking for SUID executables still visible inside the sandbox. Most of them are cleaned up by disable-common.inc. I added some more:

ssh-keysign (from openssh)
/usr/bin/passwd
Xorg.wrap
polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

I'm not sure about some of them, so things could break!

Let's look for some more SUID (it kind of depends on what you have installed on your computer):

Start a browser (firejail --name=browser firefox) and join the sandbox from another terminal (firejail --join=browser). Then, run the find command and add them to the list:

$ find / -perm -u=s -type f 2>/dev/null

Thanks!


@rusty-snake commented on GitHub (Nov 4, 2021):

Fedora 34:

$ firejail --profile=/etc/firejail/disable-common.inc find / -perm -u=s -type f 2>/dev/null
/home/rusty-snake/.local/share/containers/storage/overlay/<hash>/diff/usr/bin/*  <-- `blacklist ${HOME}/.local/share/containers` in OCI-Containers / Podman
/usr/bin/fusermount-glusterfs
/usr/bin/fusermount3
/usr/bin/passwd
/usr/bin/firejail
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/Xorg.wrap
/usr/libexec/qemu-bridge-helper
/usr/local/rootdir/bin/firejail  <-- just testing

TBH suid binaries are already mitigated by nnp.


@ghost commented on GitHub (Nov 4, 2021):

Arch Linux:

$ firejail --profile=/etc/firejail/disable-common.inc find / -perm -u=s -type f 2>/dev/null | sort

/usr/bin/firejail
/usr/bin/fusermount3
/usr/bin/mount.cifs
/usr/bin/passwd
/usr/bin/physlock
/usr/bin/suexec
/usr/bin/wshowkeys
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/electron13/chrome-sandbox
/usr/lib/mail-dotlock
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/squid/basic_pam_auth
/usr/lib/ssh/ssh-keysign
/usr/lib/Xorg.wrap

@kmk3 commented on GitHub (Nov 4, 2021):

@glitsj16 commented on Nov 4:

Arch Linux:

$ firejail --profile=/etc/firejail/disable-common.inc find / -perm -u=s -type f 2>/dev/null | sort

/usr/bin/firejail
/usr/bin/fusermount3
/usr/bin/mount.cifs
/usr/bin/passwd
/usr/bin/physlock
/usr/bin/suexec
/usr/bin/wshowkeys
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/electron13/chrome-sandbox
/usr/lib/mail-dotlock
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/squid/basic_pam_auth
/usr/lib/ssh/ssh-keysign
/usr/lib/Xorg.wrap

On Artix Linux, new paths compared to the above:

/usr/bin/slock
/usr/lib/qemu/qemu-bridge-helper

@topimiettinen commented on GitHub (Nov 5, 2021):

Debian bookworm/sid. I added -xdev so /home, /proc, /var, etc. are not checked in vain:

# firejail --profile=/etc/firejail/disable-common.inc find / -xdev -perm -u=s -type f 2>/dev/null
/usr/share/code/chrome-sandbox
/usr/share/discord/chrome-sandbox
/usr/libexec/polkit-agent-helper-1
/usr/bin/schroot
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper
/usr/lib/snapd/snap-confine

But none of the above SUID exes are actually able to change UIDs, because all file systems except /setuid are mounted with the nosuid flag:

# mount | grep -v nosuid
/dev/mapper/levy-debian_setuid on /setuid type ext4 (ro,nodev,noatime,seclabel,discard,nodelalloc)

Then /setuid is blacklisted in Firejail to disable all SUID exes with one line.

I've used the awesome possibility in Debian to divert selected files elsewhere with dpkg-divert, so for example when I update the iputils-ping package containing the setuid (actually only setcap) /bin/ping, /setuid/ping gets smoothly updated. I've added a symlink from /usr/bin/ping to /setuid/ping. But I don't care about gst-ptp-helper etc., and nothing seems to be broken due to their lack of SUID either. Do any non-.deb distros also have this feature?


@rusty-snake commented on GitHub (Nov 5, 2021):

Do any non-.deb distros also have this feature?

Fedora:

  • python3-dnf-plugin-post-transaction-actions can be used to code this (e.g. start with *:in:dnf repoquery --list --installed ${name} | xargs …)
  • https://github.com/g7/rpm-divert

@reinerh commented on GitHub (Nov 5, 2021):

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/chromium/chrome-sandbox
/usr/lib/openssh/ssh-keysign
/usr/bin/pmount
/usr/bin/firejail
/usr/bin/passwd
/usr/bin/schroot
/usr/bin/pumount

@ghost commented on GitHub (Nov 6, 2021):

Xubuntu Focal (20.04):

$ firejail --profile=/etc/firejail/disable-common.inc find / -xdev -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/firejail
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware/bin/vmware-vmx-debug
/usr/lib/vmware/bin/vmware-vmx
/usr/lib/vmware/bin/vmware-vmx-stats
/usr/lib/snapd/snap-confine
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/share/discord/chrome-sandbox
/usr/share/atom/chrome-sandbox

@kmk3 commented on GitHub (Nov 6, 2021):

What if firejail always bind-mounted certain paths with nosuid by default? I think the base paths below would cover all suid paths posted here:

/usr/bin
/usr/lib
/usr/libexec
/usr/share

Currently, there is only noexec, which disables suid, but also exec. There could be a new nosuid option to only disable suid.

Then, the base paths could be added on disable-common.inc:

nosuid /usr/bin
nosuid /usr/lib
nosuid /usr/libexec
nosuid /usr/share

And ignored on profiles with:

ignore nosuid /usr/bin
ignore nosuid /usr/lib
ignore nosuid /usr/libexec
ignore nosuid /usr/share

This could be done in addition to blocking individual suid paths, as a sort of fallback.


@topimiettinen commented on GitHub (Nov 7, 2021):

What if firejail always bind-mounted certain paths with nosuid by default?

I suppose even nosuid / could be default, at least when nnp is active. Though sadly SELinux uses nosuid to determine whether certain domain transitions are allowed (https://github.com/systemd/systemd/pull/19902, https://github.com/systemd/systemd/pull/20023), so suid/nosuid isn't so simple after all.


@rusty-snake commented on GitHub (Nov 7, 2021):

@topimiettinen would nosuid make any difference with nnp?


@topimiettinen commented on GitHub (Nov 7, 2021):

@topimiettinen would nosuid make any difference with nnp?

Not really. There could be an obscure case where something without NNP gets access to the mount namespace and then it could be useful if also nosuid were used. It's also more or less free if mount namespaces are used anyway.
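The thread runs `find / -perm -u=s -type f` inside the sandbox and then reasons by hand about which hits matter: a SUID bit on a filesystem mounted nosuid (topimiettinen's /setuid layout) is inert, and under no_new_privs every SUID bit is inert for the sandboxed process tree (rusty-snake's point about nnp). The script below is an added example, not firejail project code and not from any participant, that automates that cross-check: it resolves each file to the longest matching mount point in a /proc/self/mounts-format table, reports whether that mount carries nosuid, and checks the NoNewPrivs field of a /proc/<pid>/status file. The mount table, the status file and the file list it classifies at the bottom are constructed sample data; `scan_live` is the same logic wired to the thread's find command and the real /proc/self/mounts, for running from a `firejail --join` shell so the sandbox's own view is what gets classified.

```shell
#!/bin/sh
# Added example (not firejail project code): cross-check SUID files against the
# mount options visible to the process, so a SUID bit sitting on a nosuid
# filesystem is reported as neutralized rather than as a live privilege
# boundary. All sample data below is constructed.

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts_for FILE MOUNTS: print the options of the longest mount point that
# contains FILE. MOUNTS is a file in /proc/self/mounts format
# (device mountpoint fstype options dump pass).
mount_opts_for() {
    file=$1
    best=
    best_opts=
    while read -r _dev mnt _type opts _rest; do
        case "$mnt" in
            /) hit=1 ;;                       # everything lives under /
            *) case "$file" in
                   "$mnt"|"$mnt"/*) hit=1 ;;
                   *) hit=0 ;;
               esac ;;
        esac
        if [ "$hit" -eq 1 ] && [ ${#mnt} -gt ${#best} ]; then
            best=$mnt
            best_opts=$opts
        fi
    done < "$2"
    printf '%s\n' "$best_opts"
}

# classify_suid FILE MOUNTS: "neutralized" when the backing mount is nosuid,
# "effective" otherwise (an unknown mount is treated as effective).
classify_suid() {
    if has_opt "$(mount_opts_for "$1" "$2")" nosuid; then
        echo neutralized
    else
        echo effective
    fi
}

# nnp_active STATUS: true if the given /proc/<pid>/status shows NoNewPrivs: 1,
# in which case setuid bits cannot raise privilege regardless of mount flags.
nnp_active() {
    grep -q '^NoNewPrivs:[[:space:]]*1' "$1"
}

# scan_live: the thread's find command, each hit annotated with its class.
# Run from a `firejail --join=<name>` shell to classify the sandbox's view.
scan_live() {
    find / -xdev -perm -u=s -type f 2>/dev/null | while read -r f; do
        printf '%-12s %s\n' "$(classify_suid "$f" /proc/self/mounts)" "$f"
    done
}

# Constructed mount table modelled on the /setuid layout described above:
# everything nosuid except the dedicated /setuid filesystem and a vendor /opt.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /usr ext4 ro,nosuid,nodev,relatime 0 0
/dev/mapper/vg-setuid /setuid ext4 ro,nodev,noatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /opt ext4 rw,relatime 0 0
EOF

# Constructed status file for a process running with no_new_privs.
SAMPLE_STATUS=$(mktemp)
printf 'Name:\tfind\nNoNewPrivs:\t1\n' > "$SAMPLE_STATUS"

# Constructed file list (paths taken from the listings in this thread).
for f in /usr/bin/passwd /usr/lib/openssh/ssh-keysign /setuid/ping /opt/vendor/helper; do
    printf '%-12s %s\n' "$(classify_suid "$f" "$SAMPLE_MOUNTS")" "$f"
done
if nnp_active "$SAMPLE_STATUS"; then
    echo "no_new_privs set: SUID bits are inert for this process tree anyway"
fi
```

With the constructed table, /usr/bin/passwd and ssh-keysign come out as neutralized (their /usr mount is nosuid), while /setuid/ping and /opt/vendor/helper come out as effective and are the only ones worth a blacklist line. Longest-prefix matching matters because a nosuid / does not imply anything about a separate /usr or /opt mount, which is exactly the gap a per-file blacklist would otherwise have to cover.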


@raphaelr commented on GitHub (Nov 11, 2021):

Debian testing (bookworm):

/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/bin/firejail
/usr/bin/nvidia-modprobe
/usr/bin/passwd
/usr/libexec/spice-client-glib-usb-acl-helper
/usr/libexec/polkit-agent-helper-1
/usr/share/teams/chrome-sandbox
Reference: github-starred/firejail#2745