[GH-ISSUE #4780] private-cwd leaks access to the entire filesystem #2778

New issue

Closed

opened 2026-05-05 09:26:19 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented 2026-05-05 09:26:19 -06:00

Owner

Copy link

Originally created by @WhyNotHugo on GitHub (Dec 16, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4780

Description

Using firejail --private --private-cwd=. /usr/bin/sh leaks access to the entire filesystem.

Steps to Reproduce

1. cd into some subdirectory of $HOME.
2. `firejail --private --private-cwd=. /usr/bin/sh
3. ls ../../some-file (for a relative path that exists). cat also works.

Expected behavior

Access to these files should not be possible.

Actual behavior

Access to files using relative paths is permitted, allowing access to the entire filesystem.

Note: changing directory into those locations does not work, but reading files without changing directory does.

Behavior without a profile

n/a

Additional context

Environment

➜ uname -sro
Linux 5.15.8-arch1-1 GNU/Linux

➜ firejail --version
firejail version 0.9.67

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

(removed some non-applicable items)

• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

Originally created by @WhyNotHugo on GitHub (Dec 16, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4780 ### Description Using `firejail --private --private-cwd=. /usr/bin/sh` leaks access to the entire filesystem. ### Steps to Reproduce 1. `cd` into some subdirectory of `$HOME`. 2. `firejail --private --private-cwd=. /usr/bin/sh 3. `ls ../../some-file` (for a relative path that exists). `cat` also works. ### Expected behavior Access to these files should not be possible. ### Actual behavior Access to files using relative paths is permitted, allowing access to the entire filesystem. Note: changing directory into those locations does not work, but reading files without changing directory does. ### Behavior without a profile n/a ### Additional context - ### Environment ``` ➜ uname -sro Linux 5.15.8-arch1-1 GNU/Linux ➜ firejail --version firejail version 0.9.67 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` ### Checklist (removed some non-applicable items) - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.

gitea-mirror 2026-05-05 09:26:19 -06:00

• closed this issue
• added the
  bug
  security
  labels

gitea-mirror commented 2026-05-05 09:26:22 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Dec 17, 2021):

@WhyNotHugo Nice find! Thanks for reporting.

@rusty-snake I'm new to marking issues to a milestone. Any thoughts on adding this to 0.9.68? Even when this isn't fixed by then (whenever it comes), it's a nice way to keep track of things.

<!-- gh-comment-id:996410812 --> @ghost commented on GitHub (Dec 17, 2021): @WhyNotHugo Nice find! Thanks for reporting. @rusty-snake I'm new to marking issues to a `milestone`. Any thoughts on adding this to [0.9.68](https://github.com/netblue30/firejail/milestone/1)? Even when this isn't fixed by then (whenever it comes), it's a nice way to keep track of things.

gitea-mirror commented 2026-05-05 09:26:23 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Dec 19, 2021):

Fixed: d2e10f8b72

Very cool bug, thanks!

<!-- gh-comment-id:997453217 --> @netblue30 commented on GitHub (Dec 19, 2021): Fixed: https://github.com/netblue30/firejail/commit/d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f Very cool bug, thanks!

gitea-mirror commented 2026-05-05 09:26:24 -06:00

Author

Owner

Copy link

@WhyNotHugo commented on GitHub (Dec 20, 2021):

The command in the example above no longer works:

$ firejail --private --private-cwd=. /usr/bin/sh
Error: invalid private working directory

<!-- gh-comment-id:998114942 --> @WhyNotHugo commented on GitHub (Dec 20, 2021): The command in the example above no longer works: ```console $ firejail --private --private-cwd=. /usr/bin/sh Error: invalid private working directory ```

gitea-mirror commented 2026-05-05 09:26:25 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Dec 23, 2021):

@WhyNotHugo commented on Dec 20:

The command in the example above no longer works:

$ firejail --private --private-cwd=. /usr/bin/sh
Error: invalid private working directory

Hello, could you open a new issue for this?

<!-- gh-comment-id:1000099038 --> @kmk3 commented on GitHub (Dec 23, 2021): @WhyNotHugo commented [on Dec 20](https://github.com/netblue30/firejail/issues/4780#issuecomment-998114942): > The command in the example above no longer works: > > ``` > $ firejail --private --private-cwd=. /usr/bin/sh > Error: invalid private working directory > ``` Hello, could you open a new issue for this?

gitea-mirror commented 2026-05-05 09:26:25 -06:00

Author

Owner

Copy link

@Ding-yixia commented on GitHub (Dec 25, 2023):

这个问题还没有修复

<!-- gh-comment-id:1868857151 --> @Ding-yixia commented on GitHub (Dec 25, 2023): 这个问题还没有修复

gitea-mirror referenced this issue 2026-05-05 10:21:43 -06:00

[PR #2778] [MERGED] Sort private-lib #4523

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2778

No description provided.