[GH-ISSUE #5120] Unable to use tcpdump with -Z 'username' #2886

Closed
opened 2026-05-05 09:32:39 -06:00 by gitea-mirror · 16 comments

Originally created by @BogdanAriton on GitHub (Apr 26, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5120

Description

I'm trying to use tcpdump with firejail.
The original command we were using was: .-s 0 -C 512 -W 1 -Z 'tcpdump'. -e -i int0 (where 'tcpdump' is a local user)
When running this with firejail I'm getting: tcpdump: Couldn't find user 'tcpdump'.
This makes sense as /etc/passwd wouldn't be present in the sandbox.

Steps to Reproduce

This happens on CentOS 7.9.
This is what my tcpdump profile looks like:

# Firejail profile for tcpdump

quiet

noblacklist /usr/bin/tcpdump

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc

ipc-namespace
noinput
seccomp.32 _llseek,access,alarm,bind,brk,close,connect,execve,fcntl64,flock,fstat64,futex,getdents64,getgid32,getsockname,getsockopt,gettimeofday,getuid32,ioctl,lstat64,mmap2,mprotect,munmap,open,openat,poll,read,readlink,recv,recvfrom,recvmsg,rt_sigaction,rt_sigprocmask,send,sendto,set_robust_list,set_thread_area,set_tid_address,setgid32,setsockopt,setuid32,sigreturn,socket,stat64,time,ugetrlimit,umask,uname,write

disable-mnt
private-dev
private-tmp

memory-deny-write-execute

The command is:
/usr/local/bin/firejail /usr/bin/tcpdump -s 0 -C 512 -W 1 -Z 'tcpdump' -e -i int0

Expected behavior

Is there some setting that I couldn't find that would be able to update the empty /etc/passwd with just the needed user for tcpdump? (and this would happen only for tcpdump)

Actual behavior

Mentioned in the description.

Additional context

I'm adding the non-quiet print-out:

-bash-4.2# /usr/local/bin/firejail /usr/bin/tcpdump -s 0 -C 512 -W 1 -Z 'tcpdump' -e -i int0
Reading profile /usr/local/etc/firejail/tcpdump.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 8342, child pid 8343
The new log directory is /proc/8343/root/var/log
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
ild process initialized in 26.22 ms
tcpdump: Couldn't find user 'tcpdump'

Parent is shutting down, bye...

Environment

  • Linux distribution and version: CentOS 7.9
  • firejail version 0.9.68

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here


@rusty-snake commented on GitHub (Apr 26, 2022):

Can you try with allusers (IDK if this applies to /etc/passwd as well but it is my first idea).


@BogdanAriton commented on GitHub (Apr 26, 2022):

> Can you try with allusers (IDK if this applies to /etc/passwd as well but it is my first idea).

Not sure what you mean


@rusty-snake commented on GitHub (Apr 26, 2022):

Run firejail --allusers ... or add allusers to tcpdump.profile.


@BogdanAriton commented on GitHub (Apr 26, 2022):

> Run firejail --allusers ... or add allusers to tcpdump.profile.

It seems to be the same issue (I've tried both):

Reading profile /usr/local/etc/firejail/tcpdump.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 11679, child pid 11680
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
Child process initialized in 22.52 ms
tcpdump: Couldn't find user 'tcpdump'

I think there might be a problem because tcpdump is set as: 103:
tcpdump:x:103:103:TCPDump User:/:


@rusty-snake commented on GitHub (Apr 26, 2022):

Then try it with --noprofile (and if this does not help with noprofile.profile) first.


@kmk3 commented on GitHub (Apr 27, 2022):

> @BogdanAriton commented on Apr 26:
>
> > Run firejail --allusers ... or add allusers to tcpdump.profile.
>
> It seems to be the same issue (I've tried both):
>
> Reading profile /usr/local/etc/firejail/tcpdump.profile
> Reading profile /usr/local/etc/firejail/disable-common.inc
> Reading profile /usr/local/etc/firejail/disable-devel.inc
> Reading profile /usr/local/etc/firejail/disable-exec.inc
> Reading profile /usr/local/etc/firejail/disable-interpreters.inc
> Reading profile /usr/local/etc/firejail/disable-programs.inc
> Parent pid 11679, child pid 11680
> Warning: /var/lock not mounted
> Warning: cannot find /var/run/utmp
> Child process initialized in 22.52 ms
> tcpdump: Couldn't find user 'tcpdump'
>
> I think there might be a problem because tcpdump is set as: 103:
> tcpdump:x:103:103:TCPDump User:/:

What is the output of the following commands:

groups | grep -q tcpdump && echo yes || echo "$?"
getent group tcpdump || echo "$?"
getent passwd tcpdump || echo "$?"
firejail --noprofile getent passwd tcpdump || echo "$?"
firejail --profile=tcpdump getent passwd tcpdump || echo "$?"
firejail --allusers --profile=tcpdump getent passwd tcpdump || echo "$?"
firejail --ignore=nogroups --ignore=noroot --allusers --profile=tcpdump \
  getent passwd tcpdump || echo "$?"

@BogdanAriton commented on GitHub (Apr 27, 2022):

Unfortunately I'm in a special case where I don't have getent on the box and I can't run most of them.

But I did run the --noprofile and it took on the tcpdump user - I can see that tcpdump managed to drop privileges to tcpdump:

DISPLAY is not set
Parent pid 11410, child pid 11411
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
DISPLAY is not set
Child process initialized in 17.13 ms
dropped privs to tcpdump
tcpdump: /tmp/tcpdump.dump: Permission denied

Parent is shutting down, bye...

Using --noprofile will ignore the current tcpdump.profile.
Perhaps there are some things that I could do to improve the profile?

And also thank you both so much for the help thus far!
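
The checks kmk3 asked for rely on getent, which is not available on the reporter's box. The following POSIX sh functions are an added example (not code from this thread or from the firejail project) that do the same passwd lookup with awk instead, so the lookup can be run both on the host and inside a sandbox and the two views of /etc/passwd compared. The sample passwd file is constructed for the demonstration (its tcpdump line mirrors the entry quoted in the thread); the profile name passed to sandbox_check and the firejail invocation are assumptions.

```shell
#!/bin/sh
# Constructed sample passwd file for the demonstration; not the reporter's box.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
tcpdump:x:103:103:TCPDump User:/:
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# passwd_lookup NAME [FILE]
# Print the passwd entry whose login field equals NAME; exit 1 if absent.
# awk stands in for `getent passwd NAME`, which the reporter does not have.
passwd_lookup() {
    awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit found ? 0 : 1 }' \
        "${2:-/etc/passwd}"
}

# passwd_home NAME [FILE]
# Print the home directory (6th field) of NAME; empty when NAME is absent.
# Relevant here because the tcpdump user's home is "/", which the thread
# suspects may confuse whitelisting.
passwd_home() {
    passwd_lookup "$1" "${2:-/etc/passwd}" | cut -d: -f6
}

# sandbox_check NAME PROFILE
# Run the identical awk lookup inside a firejail sandbox started with PROFILE
# (assumed profile name), so a host hit and a sandbox miss point at the
# profile rather than at tcpdump's -Z argument. Prints "skipped" when
# firejail is not installed, so the script still runs offline.
sandbox_check() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    firejail --quiet --profile="$2" \
        awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit found ? 0 : 1 }' \
        /etc/passwd
}

# Stand-alone usage: compare the constructed file, the host, and the sandbox.
if [ "${0##*/}" != "sh" ]; then
    echo "sample:  $(passwd_lookup tcpdump "$SAMPLE_PASSWD" || echo "not found")"
    echo "home:    $(passwd_home tcpdump "$SAMPLE_PASSWD")"
    echo "host:    $(passwd_lookup tcpdump || echo "not found")"
    echo "sandbox: $(sandbox_check tcpdump tcpdump || echo "not found")"
fi
```

Calling passwd_lookup with no file argument reads the host's /etc/passwd, and sandbox_check runs the same lookup under the named profile; when the host resolves the user and the sandbox does not, the next step is the one rusty-snake suggests, removing profile lines one at a time until the sandboxed lookup succeeds.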


@rusty-snake commented on GitHub (Apr 27, 2022):

  1. --noprofile works, this is good (and means allusers is not needed).
  2. Now it jumps in my face: seccomp.32. IDK why you even want to use it, but you can not use it if tcpdump should switch users.

@BogdanAriton commented on GitHub (Apr 27, 2022):

I commented out the seccomp.32 line - but I've removed --noprofile and added back allusers - which brings me back to the same issue. (I don't think I fully understand how this works.)


@rusty-snake commented on GitHub (Apr 27, 2022):

Remove seccomp.32 and memory-deny-write-execute (allusers is not needed).


@BogdanAriton commented on GitHub (Apr 27, 2022):

OK, I just did. (tcpdump: Couldn't find user 'tcpdump')

By the way, tcpdump can also take as parameter a filename for the content of the dump, I've also tried to whitelist the original location of that file (original in the sense of, before trying to jail tcpdump):

whitelist /home/runtime/tcpdump

I test this by temporarily removing the user parameter and for some reason tcpdump comes back with: tcpdump: /home/runtime/tcpdump/tcpdump.dump: No such file or directory

I could open up a different thread for this problem if needed.


@rusty-snake commented on GitHub (Apr 27, 2022):

  • You can only whitelist an existing file/dir.
  • If you want /home/not-you/... visible/accessible, you need allusers.

So removing seccomp.32 and mdwe isn't enough? Can you then just comment out lines until it works to find the problem.


@BogdanAriton commented on GitHub (Apr 27, 2022):

/home is not equal to ~ in this case, it's just a dir, and by default the user running the process has access. The user that runs the process has its home defaulted to /.

So basically whitelisting /home is like whitelisting /somedir in this case.

This is how the tcpdump.profile looks now (I'll try to remove things one by one to see where the problem resides):

# Firejail profile for tcpdump

#quiet

whitelist /home/runtime/tcpdump

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc

ipc-namespace
noinput

disable-mnt
private-dev
private-tmp

@rusty-snake commented on GitHub (Apr 27, 2022):

> /home is not equal to ~ in this case, it's just a dir, and by default the user running the process has access. The user that runs the process has its home defaulted to /.

Don't know how firejail behaves if ~ == /.

> So basically whitelisting /home is like whitelisting /somedir in this case.

Whitelisting a top level dir makes no sense and /home might still be special.


@BogdanAriton commented on GitHub (Apr 27, 2022):

I found out my mistake:
/home/runtime was actually a symbolic link to /data/runtime

Once I've whitelisted /data/runtime everything worked! (Note here that I'm not passing in the -Z username)

The username issue still exists.


@rusty-snake commented on GitHub (Jun 8, 2022):

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
