github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #4973] rmenv looks broken #2839

New issue

Closed

opened 2026-05-05 09:29:40 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 09:29:40 -06:00

Owner

Originally created by @ghost on GitHub (Feb 24, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4973

I have a few custom profiles that use the rmenv option for applications I don't use that often. Yesterday I did and noticed that the environment variables I wanted removed from the sandbox are still there. It happens with Firejail from master (my regular setup) and a quick test shows the same (broken) behaviour with 0.9.68 (installed via pacman from Arch Linux repo). See STR below. Can anyone reproduce?


$ firejail --quiet --rmenv=XDG_CURRENT_DESKTOP echo "\$XDG_CURRENT_DESKTOP --> $XDG_CURRENT_DESKTOP"
$XDG_CURRENT_DESKTOP --> GNOME


$ firejail --quiet --profile=noprofile --rmenv=XDG_CURRENT_DESKTOP echo "\$XDG_CURRENT_DESKTOP --> $XDG_CURRENT_DESKTOP"
$XDG_CURRENT_DESKTOP --> GNOME

Also seeing it with DISPLAY, although that has some special status in the codebase and I might be wrong here.


$ grep -i "x11" /etc/firejail/firejail.config | grep -v Screen
# Enable or disable X11 sandboxing support, default enabled.
x11 no


$ firejail --quiet --rmenv=DISPLAY echo "\$DISPLAY --> $DISPLAY"
$DISPLAY --> :0.0


$ firejail --quiet --profile=noprofile --rmenv=DISPLAY echo "\$DISPLAY --> $DISPLAY"
$DISPLAY --> :0.0

Originally created by @ghost on GitHub (Feb 24, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/4973 I have a few custom profiles that use the `rmenv` option for applications I don't use that often. Yesterday I did and noticed that the environment variables I wanted removed from the sandbox are still there. It happens with Firejail from master (my regular setup) and a quick test shows the same (broken) behaviour with 0.9.68 (installed via pacman from Arch Linux repo). See STR below. Can anyone reproduce? ```console $ firejail --quiet --rmenv=XDG_CURRENT_DESKTOP echo "\$XDG_CURRENT_DESKTOP --> $XDG_CURRENT_DESKTOP" $XDG_CURRENT_DESKTOP --> GNOME ``` ```console $ firejail --quiet --profile=noprofile --rmenv=XDG_CURRENT_DESKTOP echo "\$XDG_CURRENT_DESKTOP --> $XDG_CURRENT_DESKTOP" $XDG_CURRENT_DESKTOP --> GNOME ``` Also seeing it with `DISPLAY`, although that has some special status in the codebase and I might be wrong here. ```console $ grep -i "x11" /etc/firejail/firejail.config | grep -v Screen # Enable or disable X11 sandboxing support, default enabled. x11 no ``` ```console $ firejail --quiet --rmenv=DISPLAY echo "\$DISPLAY --> $DISPLAY" $DISPLAY --> :0.0 ``` ```console $ firejail --quiet --profile=noprofile --rmenv=DISPLAY echo "\$DISPLAY --> $DISPLAY" $DISPLAY --> :0.0 ```

gitea-mirror

2026-05-05 09:29:40 -06:00

closed this issue
added the
invalid

notabug
labels

gitea-mirror commented

2026-05-05 09:29:43 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 24, 2022):

If you double-quote the string you want to echo the parameter and variable expansion is done by your interactive non-sandboxed shell.

@rusty-snake commented on GitHub (Feb 24, 2022): If you double-quote the string you want to echo the parameter and variable expansion is done by your interactive non-sandboxed shell.

gitea-mirror commented

2026-05-05 09:29:44 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 24, 2022):

To inspect environment variables inside the sandbox (with an oneliner) you can use printenv:

$ firejail --quiet printenv XDG_CURRENT_DESKTOP 
GNOME
$ firejail --quiet --rmenv=XDG_CURRENT_DESKTOP printenv XDG_CURRENT_DESKTOP
zsh: exit 1     firejail --quiet --rmenv=XDG_CURRENT_DESKTOP printenv XDG_CURRENT_DESKTOP

@rusty-snake commented on GitHub (Feb 24, 2022): To inspect environment variables inside the sandbox (with an oneliner) you can use `printenv`: ```console $ firejail --quiet printenv XDG_CURRENT_DESKTOP GNOME $ firejail --quiet --rmenv=XDG_CURRENT_DESKTOP printenv XDG_CURRENT_DESKTOP zsh: exit 1 firejail --quiet --rmenv=XDG_CURRENT_DESKTOP printenv XDG_CURRENT_DESKTOP ```

gitea-mirror commented

2026-05-05 09:29:45 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 24, 2022):

If you double-quote the string you want to echo the parameter and variable expansion is done by your interactive non-sandboxed shell.

$ bash -x
% firejail --quiet --rmenv=XDG_CURRENT_DESKTOP echo "\$XDG_CURRENT_DESKTOP --> $XDG_CURRENT_DESKTOP"
+ firejail --quiet --rmenv=XDG_CURRENT_DESKTOP echo '$XDG_CURRENT_DESKTOP --> GNOME'
$XDG_CURRENT_DESKTOP --> GNOME
++ __vte_prompt_command stuff, ignore

@rusty-snake commented on GitHub (Feb 24, 2022): > If you double-quote the string you want to echo the parameter and variable expansion is done by your interactive non-sandboxed shell. ```console $ bash -x % firejail --quiet --rmenv=XDG_CURRENT_DESKTOP echo "\$XDG_CURRENT_DESKTOP --> $XDG_CURRENT_DESKTOP" + firejail --quiet --rmenv=XDG_CURRENT_DESKTOP echo '$XDG_CURRENT_DESKTOP --> GNOME' $XDG_CURRENT_DESKTOP --> GNOME ++ __vte_prompt_command stuff, ignore ```

gitea-mirror commented

2026-05-05 09:29:45 -06:00

Author

Owner

@ghost commented on GitHub (Feb 24, 2022):

@rusty-snake Thanks for the tips on printenv. I had put some things in default.local, forgot about doing so and confused myself :-) All good, closing here.

@ghost commented on GitHub (Feb 24, 2022): @rusty-snake Thanks for the tips on printenv. I had put some things in default.local, forgot about doing so and confused myself :-) All good, closing here.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2839

No description provided.

Rows
Columns