[GH-ISSUE #4927] broken man.profile in 0.9.68

gitea-mirror commented

2026-05-05 09:28:27 -06:00

Owner

Originally created by @hyder365 on GitHub (Feb 10, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4927

Description

Using firejail 0.9.68 on Arch Linux with "firecfg" run after the upgrade, I'm no longer able to view man pages with the man command. The issue is likely that "man" can no longer spawn the PAGER process. "man ls" prints the man page all at once without piping it to more/less. Running "man ls | less" works fine.

Steps to Reproduce

Install firejail, use the mandoc package (rather than GNU man, may be related) for the "man" command, and run it.

Expected behavior

Paging through a man page.

Actual behavior

Man page is printed all at once.

Behavior without a profile

Works normally.

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).

Originally created by @hyder365 on GitHub (Feb 10, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/4927  ### Description Using firejail 0.9.68 on Arch Linux with "firecfg" run after the upgrade, I'm no longer able to view man pages with the man command. The issue is likely that "man" can no longer spawn the PAGER process. "man ls" prints the man page all at once without piping it to more/less. Running "man ls | less" works fine. ### Steps to Reproduce Install firejail, use the mandoc package (rather than GNU man, may be related) for the "man" command, and run it. ### Expected behavior Paging through a man page. ### Actual behavior Man page is printed all at once. ### Behavior without a profile Works normally. ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate).

gitea-mirror closed this issue

2026-05-05 09:28:28 -06:00

gitea-mirror commented

2026-05-05 09:28:29 -06:00

Author

Owner

@reinerh commented on GitHub (Feb 10, 2022):

Hm, I can't reproduce this with firejail 0.9.68 in Debian.

I tried it with man from man-db and mman from mandoc (I used firejail man ls).

firecfg.config contains a comment that less breaks man. Are you sure less is not firejailed by default in your setup?

The man profile also contains no private-bin, which would prevent spawning binaries that are not listed. Do you have a man.local file?

@reinerh commented on GitHub (Feb 10, 2022): Hm, I can't reproduce this with firejail 0.9.68 in Debian. I tried it with man from man-db and mman from mandoc (I used `firejail man ls`). firecfg.config contains a comment that `less` breaks man. Are you sure less is not firejailed by default in your setup? The man profile also contains no `private-bin`, which would prevent spawning binaries that are not listed. Do you have a `man.local` file?

gitea-mirror commented

2026-05-05 09:28:30 -06:00

Author

Owner

@hyder365 commented on GitHub (Feb 10, 2022):

There's no "less" symlink in /usr/local/bin with the other firejailed programs, and "which less" returns /sbin/less.

Nothing in ~/.config/firejail is related to less or man.

I just confirmed the same problem on a separate but similar Arch laptop with mandoc and no ~/.config/firejail directory.

edit to add: I get an error like this too:

man: /usr/share/man/man8/ntpd.8.gz: SYSERR: mkstemp: /tmp/man.XXXXrVTZqh: Read-only file system

But /tmp is of course not read-only, and calling "man" from the installed binary path rather than with firejail works fine.

@hyder365 commented on GitHub (Feb 10, 2022): There's no "less" symlink in /usr/local/bin with the other firejailed programs, and "which less" returns /sbin/less. Nothing in ~/.config/firejail is related to less or man. I just confirmed the same problem on a separate but similar Arch laptop with mandoc and no ~/.config/firejail directory. edit to add: I get an error like this too: man: /usr/share/man/man8/ntpd.8.gz: SYSERR: mkstemp: /tmp/man.XXXXrVTZqh: Read-only file system But /tmp is of course not read-only, and calling "man" from the installed binary path rather than with firejail works fine.

gitea-mirror commented

2026-05-05 09:28:31 -06:00

Author

Owner

@reinerh commented on GitHub (Feb 10, 2022):

Ah, the man.profile has read-only /tmp. It looks like your man program tries to save a temporary file in /tmp.
You can fix this by adding ignore read-only /tmp to man.local.
But I'm wondering why this happens on your system and not on mine.
I tested with mandoc 1.14.6 and man-db 2.10.0.

@reinerh commented on GitHub (Feb 10, 2022): Ah, the man.profile has `read-only /tmp`. It looks like your man program tries to save a temporary file in `/tmp`. You can fix this by adding `ignore read-only /tmp` to man.local. But I'm wondering why this happens on your system and not on mine. I tested with mandoc 1.14.6 and man-db 2.10.0.

gitea-mirror commented

2026-05-05 09:28:33 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 10, 2022):

cc @hlein

https://github.com/gentoo/gentoo/pull/24102/commits/1c49f0ec610e8dc66f94756711d15fcb14d28852#diff-95e09230bc946491c552d0240ab3baa07dc9f2a6f4196998d865f3902094b6ff

firecfg.config
-man
+# Breaks: $ man chromium-browser
+# WARNING: terminal is not fully functional
+# Press RETURN to continue 
+# Manual page chromium-browser(1) byte 0/0 (END) (press h for help or q to quit)
+#man

@rusty-snake commented on GitHub (Feb 10, 2022): cc @hlein https://github.com/gentoo/gentoo/pull/24102/commits/1c49f0ec610e8dc66f94756711d15fcb14d28852#diff-95e09230bc946491c552d0240ab3baa07dc9f2a6f4196998d865f3902094b6ff > ```diff > firecfg.config > -man > +# Breaks: $ man chromium-browser > +# WARNING: terminal is not fully functional > +# Press RETURN to continue > +# Manual page chromium-browser(1) byte 0/0 (END) (press h for help or q to quit) > +#man > ```

gitea-mirror commented

2026-05-05 09:28:33 -06:00

Author

Owner

@hlein commented on GitHub (Feb 10, 2022):

Hah, yes I think I had done that or picked it up from somewhere. firejail man does indeed error on Gentoo, but for different reasons than @hyder365 reports on Arch:

$ firejail man ls
WARNING: terminal is not fully functional
Press RETURN to continue

So, I disabled man in Gentoo's firecfg.config in my latest package update. But I hadn't yet investigated to see if I could figure out what changes to man.profile could fix it.

Meanwhile, firejail less works but also doesn't. firejail less largefile does not error, and you can pageup/down, search, etc. But ^C is not caught (causes less to exit). So I suspect again/also, terminal related.

@hlein commented on GitHub (Feb 10, 2022): Hah, yes I think I had done that or picked it up from somewhere. `firejail man` does indeed error on Gentoo, but for different reasons than @hyder365 reports on Arch: ``` $ firejail man ls WARNING: terminal is not fully functional Press RETURN to continue ``` So, I disabled man in Gentoo's `firecfg.config` in my latest package update. But I hadn't yet investigated to see if I could figure out what changes to `man.profile` could fix it. Meanwhile, `firejail less` works but also doesn't. `firejail less largefile` does not error, and you can pageup/down, search, etc. But `^C` is not caught (causes less to exit). So I suspect again/also, terminal related.

gitea-mirror commented

2026-05-05 09:28:35 -06:00

Author

Owner

@hyder365 commented on GitHub (Feb 11, 2022):

Ah, the man.profile has read-only /tmp. It looks like your man program tries to save a temporary file in /tmp. You can fix this by adding ignore read-only /tmp to man.local. But I'm wondering why this happens on your system and not on mine. I tested with mandoc 1.14.6 and man-db 2.10.0.

Thanks. It looks like mandoc creates files in /tmp by default, on OpenBSD as well as Linux.

@hyder365 commented on GitHub (Feb 11, 2022): > Ah, the man.profile has `read-only /tmp`. It looks like your man program tries to save a temporary file in `/tmp`. You can fix this by adding `ignore read-only /tmp` to man.local. But I'm wondering why this happens on your system and not on mine. I tested with mandoc 1.14.6 and man-db 2.10.0. Thanks. It looks like mandoc creates files in /tmp by default, on OpenBSD as well as Linux.

gitea-mirror commented

2026-05-05 09:28:36 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 14, 2022):

Bug/no bug? Would it be a good idea to remove man from firecfg.config, so it is not enabled by default?

@netblue30 commented on GitHub (Feb 14, 2022): Bug/no bug? Would it be a good idea to remove man from firecfg.config, so it is not enabled by default?

gitea-mirror commented

2026-05-05 09:28:37 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 14, 2022):

At least read-only /tmp should be remove.

@rusty-snake commented on GitHub (Feb 14, 2022): At least `read-only /tmp` should be remove.

gitea-mirror referenced this issue

2026-05-05 10:22:06 -06:00

[PR #2825] [MERGED] Fixes #2821, riot-desktop #4546