[GH-ISSUE #5107] [Website Text Amends] What is SUID, and how does it affect me? #2881

Closed
opened 2026-05-05 09:32:31 -06:00 by gitea-mirror · 6 comments

Originally created by @Foemass on GitHub (Apr 15, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5107

Originally assigned to: @netblue30 on GitHub.

The following line of text in What is SUID, and how does it affect me (https://firejail.wordpress.com/documentation-2/basic-usage/#suid) could be misleading:

> "If you are not using Chromium or a browser based on Chromium (Opera, etc.) turn on force-nonewprivs flag in /etc/firejail/firejail.config file."

I'm informed (by this discussion here: https://github.com/netblue30/firejail/discussions/5106) that Chromium actually works fine with force-nonewprivs yes set. UNLESS you've set kernel.unprivileged_userns_clone=0 or are on one of the very few distros which have it configured like that by default. So for many people there's no reason to be warned off simply because they use Chromium.

Describe the solution you'd like

I don't really know what I'm talking about, but in the interest of trying to be helpful here's how I'd restructure the text.

> 3. Set force-nonewprivs flag
>
> Turn on force-nonewprivs flag in /etc/firejail/firejail.config file. As root, open the file in a text editor and add this line:
>
> > `force-nonewprivs yes`
>
> The flag prevents rising privileges after the sandbox was started. It is believed to clean most SUID problems that will ever be attributed to Firejail.
>
> Note you should avoid doing this if you use a Chromium-based browser and have set kernel.unprivileged_userns_clone=0 (or are on one of the few distros which do this by default.) Unfortunately, Chromium-based browsers need to rise privileges in order to install their own SUID sandbox.

Describe alternatives you've considered

As previously mentioned I basically don't know what I'm talking about, so consider this with a HUGE handful of salt.

But I'm getting the impression that for most users, setting force-nonewprivs yes provides a slither of extra security with no negative ramifications. So maybe you could just make that the default?

gitea-mirror 2026-05-05 09:32:31 -06:00
  • closed this issue
  • added the wordpress label

@rusty-snake commented on GitHub (Apr 15, 2022):

Suggestion for the last paragraph, the rest looks good:

> Note that this breaks Chromium-based software on systems where `kernel.unprivileged_userns_clone=0` is set and other programs which need to raise privileges such as wireshark or virtualbox.


@rusty-snake commented on GitHub (Apr 15, 2022):

> But I'm getting the impression that for most users, setting force-nonewprivs yes provides a slither of extra security with no negative ramifications. So maybe you could just make that the default?

We would need to remove programs like wireshark from firecfg.config and detect `kernel.unprivileged_userns_clone=0`.

If we do so we should use `force-nonewprivs auto-yes` for this detection and `force-nonewprivs yes` to set it unconditionally.
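
The check discussed in this thread, as an added example (not firejail code and not part of any comment above): it reads the force-nonewprivs setting and the kernel.unprivileged_userns_clone value and reports whether the combination is the one said to break Chromium-based browsers. The function names and result strings are made up for this example, and treating the last uncommented force-nonewprivs line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: not part of firejail. Function names and result strings
# are hypothetical, chosen for this illustration.

# Print the force-nonewprivs value from a firejail.config-style file.
# Commented lines ("# force-nonewprivs no") are ignored. Assumption: the
# last uncommented occurrence is the effective one; a missing file or a
# missing setting is reported as "no".
nnp_setting() {
    [ -r "$1" ] || { echo no; return 0; }
    awk '$1 == "force-nonewprivs" { v = $2 }
         END { print (v == "" ? "no" : v) }' "$1"
}

# Print the value of kernel.unprivileged_userns_clone, or "absent" on
# kernels that do not expose this sysctl. The path is a parameter so the
# function can be exercised against a constructed file.
userns_clone_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# advise <firejail.config> <sysctl file>
# Classify the combination as described in the thread. Programs that need
# to raise privileges (the thread names wireshark and virtualbox) break
# under force-nonewprivs yes regardless of the sysctl; that is not checked.
advise() {
    nnp=$(nnp_setting "$1")
    userns=$(userns_clone_state "$2")
    case "$nnp:$userns" in
        yes:0) echo "conflict" ;;               # Chromium-based browsers expected to break
        yes:*) echo "enabled" ;;                # already set, no Chromium conflict
        no:0)  echo "keep-off-for-chromium" ;;  # enabling would break Chromium-based browsers
        *)     echo "safe-to-enable" ;;         # no Chromium conflict from this sysctl
    esac
}

# Report for the local system.
advise /etc/firejail/firejail.config /proc/sys/kernel/unprivileged_userns_clone
```
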


@rusty-snake commented on GitHub (Apr 15, 2022):

As an FYI, firejail-welcome.sh (https://github.com/netblue30/firejail/blob/master/contrib/firejail-welcome.sh) asks to set `force-nonewprivs yes` when asking for "advanced options".


@netblue30 commented on GitHub (Apr 17, 2022):

Fixed on the web page, thanks!


@rusty-snake commented on GitHub (Apr 17, 2022):

> ITurn on force-nonewprivs flag …

typo: remove leading I


@netblue30 commented on GitHub (Apr 21, 2022):

Found it, thanks!
