[GH-ISSUE #5196] Remove shell command (Weechat and Irssi cannot work with firejail if you use fish shell) #2913

Closed
opened 2026-05-05 09:34:35 -06:00 by gitea-mirror · 7 comments

Originally created by @v1k7-992 on GitHub (Jun 12, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5196

Description

Weechat and irssi cannot work with firejail if you are using fish shell. I think the problem occurs if you are using fish shell. It might be related to fish shell itself, but it seems cleaning out all the profiles using `firecfg --clean` makes them both work again, even under fish shell. I haven't tested if this makes an impact or not, but I do have a bunch of aliases configured under my fish shell `~/.config/fish/config.fish`, so adding a dummy alias might help.

Steps to Reproduce

Steps to reproduce the behavior

  1. Be sure you are running fish shell.
  2. Run in terminal, using the fish shell, `weechat` or `irssi`.

Expected behavior

If you ran either weechat or irssi, they should be working

Actual behavior

Both of the IRC clients refuse to work at all, i.e. terminal output displays nothing, except that if you have configured your fish shell in `~/.config/fish/config.fish` you might get some error messages telling you that that file cannot be sourced.

Switching to bash in the terminal emulator does not make this problem go away. Probably because my user's $SHELL variable is set to `/bin/fish`.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /usr/bin/weechat in a terminal?
Nothing.

Running `firecfg --clean` fixes the problem. Or running weechat directly using `/usr/bin/weechat`.
Same applies to irssi.

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
  • Firejail version (firejail --version).
  • If you use a development version of firejail, also the commit from which it was compiled (git rev-parse HEAD).

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  • [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

Log

Output of `LC_ALL=C firejail weechat`

```
~/.config/fish/config.fish (line 3): Unknown command: alias
alias config '/usr/bin/git --git-dir=$HOME/dotfiles/ --work-tree=$HOME'
^
from sourcing file ~/.config/fish/config.fish
	called during startup
~/.config/fish/config.fish (line 4): Unknown command: alias
alias config='/usr/bin/git --git-dir=$HOME/dotfiles/ --work-tree=$HOME'
^
from sourcing file ~/.config/fish/config.fish
	called during startup
```

@rusty-snake commented on GitHub (Jun 13, 2022):

We should really make `shell none` the default.

#5195, #3434, #3448, #2934, #2857, NixOS/nixpkgs#160389, ...


@netblue30 commented on GitHub (Jun 19, 2022):

I'm in the process of making `shell none` the default. Things will break! At the moment I depend on the CI test after pushing the commit.

The idea is to use the user shell stored in `/etc/passwd` if `--shell=whatever` is not on the command line. The `SHELL` env variable will be disregarded. After that we'll move to fix all fish problems.


@rusty-snake commented on GitHub (Jun 19, 2022):

But why do we run a shell in the sandbox? 99% of the profiles have `shell none` (there are 57 non-redirect `*.profile`s w/t `shell none`; `firefox-common-addons.profile` and similar included) and work just fine, but if you drop `shell none` from them things can get complicated. I just don't get why it is necessary to run a shell instead of a plain execve. If a program needs a shell for any reason we can still use `shell /bin/sh`.


@netblue30 commented on GitHub (Jun 19, 2022):

Some corner cases:

  • the user requests a different shell; we run it under `execve(/bin/shell-name -c program-name)` - apparently there is some additional checking the shell does before starting the program.
  • running firejail as an equivalent for "firejail /bin/bash" - it has been there from day one, we cannot change it.

But at the end of the day most programs will run directly under execve(program-name).

> 99% of the profile have shell none

You are right. Yesterday I instrumented profstats to count it and got 1124 shell none programs out of 1191. Most of them should work fine under shell none, we just forgot to put it in.
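
The launch decision described in the two comments above (shell taken from the command line or from `/etc/passwd`, never from `$SHELL`, then either `execve(shell -c program)` or a plain `execve(program)`), as an added C example that is not part of the original thread and not firejail's code. The names `pick_shell`, `build_argv` and `launch` and the `/bin/sh` fallback are assumptions made for illustration.

```c
/* Added illustration, not firejail source; all function names are hypothetical. */
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* An explicit request wins, otherwise the passwd entry; $SHELL is never
 * consulted. The /bin/sh fallback for a missing entry is an assumption. */
const char *pick_shell(const char *requested) {
    if (requested && *requested)
        return requested;
    struct passwd *pw = getpwuid(getuid());
    if (pw && pw->pw_shell && *pw->pw_shell)
        return pw->pw_shell;
    return "/bin/sh";
}

/* shell == NULL: direct form { prog, NULL }. Otherwise the wrapped form
 * { shell, "-c", prog, NULL }. Returns the path to hand to execve(). */
const char *build_argv(const char *shell, const char *prog, char *argv[4]) {
    int i = 0;
    if (shell) {
        argv[i++] = (char *)shell;
        argv[i++] = "-c";
    }
    argv[i++] = (char *)prog;
    argv[i] = NULL;
    return argv[0];
}

/* Run the chosen form in a child; 127 means the exec itself failed. */
int launch(const char *shell, const char *prog) {
    extern char **environ;
    char *argv[4];
    const char *path = build_argv(shell, prog, argv);
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        execve(path, argv, environ);
        _exit(127);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { /* wrapped form: /bin/sh -c 'exit 3' */
    return launch(pick_shell("/bin/sh"), "exit 3") == 3 ? 0 : 1;
}
```

In the wrapped form the shell is the first process to start inside the sandbox, so its own startup files (such as `config.fish`) are read before the program runs; the direct form never involves a shell.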


@netblue30 commented on GitHub (Jun 20, 2022):

I've just removed `--shell`. Some of the tests are still failing, but mostly it is working fine.


@Rosika2 commented on GitHub (May 26, 2023):

Hi all, 👋

my system: Linux Lite 6.2, 64 bit

I experienced the same issue with `weechat` as I'm using `fish` as my default shell.
After reading through this thread, especially noticing what VikB92 came up with, I seem to get `weechat` running in firejail by prefixing the command with the bash environment variable.

From a terminal running `fish` as the default shell:

`env SHELL=/usr/bin/bash firejail weechat`

For me it seems to be a practical solution.
Any thoughts about that?

Many greetings from Rosika 🙂


@kmk3 commented on GitHub (Jul 11, 2023):

Closing this as it shipped in 0.9.72.

For any new issues, please test with the latest git version as there were more
related changes.
