[GH-ISSUE #4930] nogroups + wrc prints confusing messages #2826

Closed
opened 2026-05-05 09:28:46 -06:00 by gitea-mirror · 2 comments

Originally created by @rusty-snake on GitHub (Feb 11, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4930

Description

nogroups + wrc prints confusing messages.

Steps to Reproduce

  1. Create test.profile (ordering doesn't matter)

```
include whitelist-run-common.inc
nogroups
```

  2. test, run and see

```console
$ firejail --profile=./test.profile groups
Reading profile ./test.profile
Reading profile /etc/firejail/whitelist-run-common.inc
Parent pid 1234, child pid 1235
Warning: logind not detected, nogroups command ignored     <--- is a lie
Warning: cleaning all supplementary groups
Child process initialized in 30.00 ms
rusty-snake    <---- running `groups` outside of the sandbox shows more so groups are actually cleaned

Parent is shutting down, bye...
```

Expected behavior

  1. `Warning: logind not detected` is only shown when there is no logind
  2. `Warning: nogroups command ignored` is only shown when it is really ignored

Actual behavior

  1. `Warning: logind not detected` is shown on logind systems
  2. `Warning: nogroups command ignored; cleaning all supplementary groups` makes no sense and confuses users.

Additional context

  • #4725
  • #4732

Environment

  • Fedora Linux 35 (of course with systemd/logind)
```
firejail version 0.9.69 (03395e1)

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is disabled
	- D-BUS proxy support is enabled
	- file transfer support is disabled
	- firetunnel support is disabled
	- networking support is disabled
	- output logging is disabled
	- overlayfs support is disabled
	- private-home support is disabled
	- private-cache and tmpfs as user enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is disabled
```

Edit by @kmk3: Formatting.

gitea-mirror 2026-05-05 09:28:46 -06:00
  • closed this issue
  • added the
    bug
    label

@ghost commented on GitHub (Feb 11, 2022):

Reproduced on Arch Linux. I can definitely agree on Expected behavior as described above. Nice find 👍.


@kmk3 commented on GitHub (Feb 11, 2022):

@rusty-snake commented on Feb 11:

> Description
>
> nogroups + wrc prints confusing messages.
>
> Steps to Reproduce
>
>   1. Create test.profile (ordering doesn't matter)
>
> ```
> include whitelist-run-common.inc
> nogroups
> ```
>
>   2. test, run and see
>
> ```
> $ firejail --profile=./test.profile groups
> Reading profile ./test.profile
> Reading profile /etc/firejail/whitelist-run-common.inc
> Parent pid 1234, child pid 1235
> Warning: logind not detected, nogroups command ignored     <--- is a lie
> Warning: cleaning all supplementary groups
> Child process initialized in 30.00 ms
> rusty-snake    <---- running `groups` outside of the sandbox shows more so groups are actually cleaned
>
> Parent is shutting down, bye...
> ```

Good catch.

I think this probably happens because check_can_drop_all_groups is called
multiple times and at different places (so it probably runs both before and
after the whitelisting).

IIRC I had tried originally to make the checks run only once at startup, which
would be less likely to fail, but it didn't work for some reason.

I think I'll just comment these messages for now until a better solution is
found.

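The "run the check only once at startup" idea kmk3 mentions, as an added example that is not firejail's own code: `check_can_drop_all_groups` caches its decision in a static variable, so a later call made after whitelisting has changed what is visible under /run cannot print a second, contradictory warning, and the "cleaning all supplementary groups" message is only reached when the cached decision allows the drop. The `logind_path` parameter and the `access()` probe are assumptions standing in for firejail's real logind detection.

```c
/* Added example, not firejail's own code: the "evaluate once at startup"
 * pattern kmk3 describes. The decision is memoized, so a second call made
 * after whitelisting has changed the view of /run cannot contradict the first.
 * logind_path and the access() probe are assumptions, not firejail's check. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int setgroups(size_t, const gid_t *);   /* fallback prototype for strict -std modes */

enum nogroups_decision { NG_UNDECIDED = 0, NG_DROP, NG_IGNORE };

/* Decide once whether supplementary groups may be dropped; cached thereafter. */
enum nogroups_decision check_can_drop_all_groups(const char *logind_path)
{
	static enum nogroups_decision cached = NG_UNDECIDED;
	if (cached != NG_UNDECIDED)
		return cached;          /* already decided: never warn a second time */
	if (access(logind_path, F_OK) == 0) {
		cached = NG_DROP;
	} else {
		fprintf(stderr, "Warning: logind not detected, nogroups command ignored\n");
		cached = NG_IGNORE;
	}
	return cached;
}

/* Clear all supplementary groups. Needs CAP_SETGID, so an unprivileged
 * caller gets EPERM back. Returns 0 on success, else the errno value. */
int drop_supplementary_groups(void)
{
	fprintf(stderr, "Warning: cleaning all supplementary groups\n");
	if (setgroups(0, NULL) != 0)
		return errno;
	return 0;
}

/* Apply the nogroups option: groups are cleaned (and the second warning
 * printed) only when the cached decision allows it, so the two warnings
 * reported in the issue can no longer appear together. Returns -1 if ignored. */
int apply_nogroups(const char *logind_path)
{
	if (check_can_drop_all_groups(logind_path) != NG_DROP)
		return -1;
	return drop_supplementary_groups();
}
```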