[GH-ISSUE #5222] firefox-esr: util.c:931: create_empty_file_as_root: Assertion `s.st_uid == 0' failed #2920

Open
opened 2026-05-05 09:35:12 -06:00 by gitea-mirror · 13 comments

Originally created by @wonbug on GitHub (Jun 25, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5222

Description

After updating two Debian 11.3 machines to the latest firejail release, Firefox no longer starts.

Steps to Reproduce

apt update to get firejail (0.9.64.4-2+deb11u1) over (0.9.64.4-2)

Expected behavior

Firefox starts

Actual behavior

Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 4836, child pid 4839
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 158.02 ms
firefox-esr: util.c:931: create_empty_file_as_root: Assertion `s.st_uid == 0' failed.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Firefox launches with noprofile but lacks firejail protections.

Additional context

Any other detail that may help to understand/debug the problem

Environment

firejail version 0.9.64.4 on Debian 11.3. no custom firefox profiles in ~/.config/firejail

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

@reinerh commented on GitHub (Jun 25, 2022):

(removed wrong analysis)


@reinerh commented on GitHub (Jun 25, 2022):

(removed wrong analysis)


@reinerh commented on GitHub (Jun 25, 2022):

The assertion happens in this chunk of the CVE-2022-31214 patch (ASSET_PERMS):

@@ -1033,12 +920,15 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
                        printf("Creating empty %s file\n", fname);
 
                /* coverity[toctou] */
-               FILE *fp = fopen(fname, "w");
-               if (!fp)
-                       errExit("fopen");
-               SET_PERMS_STREAM(fp, 0, 0, mode);
-               fclose(fp);
+               mode_t tmp = umask(~mode); // let's avoid an extra chmod race
+               int fd = open(fname, O_RDONLY|O_CREAT|O_CLOEXEC, mode);
+               umask(tmp);
+               if (fd < 0)
+                       errExit("open");
+               close(fd);
        }
+
+       ASSERT_PERMS(fname, 0, 0, mode);
 }
 
 // return 1 if error
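
Review bot: the new `ASSERT_PERMS(fname, 0, 0, mode);` sits after the closing brace of the `if`, so it also runs for a file that already existed and was not created by this code, and on any mismatch it aborts the whole process with an assertion (which is exactly the `s.st_uid == 0` failure in this report) instead of reporting an error the way `errExit("open")` does for a failed create. Suggest turning the post-condition into a handled error that names the file and the expected versus actual owner and mode. Also, `umask(~mode)` only ever clears bits and only looks at the 0777 permission bits, and POSIX only guarantees those bits for the `mode` argument of `open(O_CREAT)`, so if callers pass a `mode` carrying set-id or sticky bits the equality check can fail on a freshly created file; either restrict `mode` to plain permission bits at the call sites or apply the full bits with an explicit `fchmod(fd, mode)` before closing.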

But it's called from several places, so I have no idea which feature is triggering it.


@rusty-snake commented on GitHub (Jun 25, 2022):

But it's called from several places, so I have no idea which feature is triggering it.

--noprofile works per OP so you can add features for firefox.profile one by one to find it.


@daradib commented on GitHub (Jun 28, 2022):

Perhaps the culprit is noroot? Test by adding this to ~/.config/firejail/firefox-common.local in lieu of disabling the profile entirely:

ignore noroot

@wonbug commented on GitHub (Jun 28, 2022):

Indeed that directive got Firefox working again - thank you @daradib


@Alex-Farol commented on GitHub (Jul 2, 2022):

After this last update, I can't launch firefox using local dns (fdns) by issuing the command
firejail --dns=127.1.1.1 --private firefox

Always get this:
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
firejail: util.c:910: create_empty_dir_as_root: Assertion `(s.st_mode & 07777) == (mode)' failed.
Error: proc 4650 cannot sync with peer: unexpected EOF
Peer 4653 unexpectedly killed (Segmentation fault)


@smitsohu commented on GitHub (Jul 7, 2022):

diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 5d6fddf8e..e857e052c 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -140,9 +140,9 @@ void fs_resolvconf(void) {
symlink_done = 1;
}
else if (S_ISDIR(s.st_mode))
-                       create_empty_dir_as_root(dest, s.st_mode);
+                       create_empty_dir_as_root(dest, S_IRWXU);
else
-                       create_empty_file_as_root(dest, s.st_mode);
+                       create_empty_file_as_root(dest, S_IRUSR | S_IWUSR);

// bind-mount src on top of dest
if (!symlink_done) {
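
Review bot: the `s.st_mode` that the removed lines passed in is the full `st_mode` from `stat()`, which still carries the S_IFDIR/S_IFREG file-type bits above 07777, so the `(s.st_mode & 07777) == (mode)` assertion quoted earlier in this thread could never hold for it; the fixed S_IRWXU / S_IRUSR|S_IWUSR values fix that as well as the set-id/sticky problem. Suggest a one-line comment above the two calls recording why a fixed mode is used (the placeholder is bind-mounted over right after), so a later cleanup does not reintroduce `s.st_mode`, and a check that the copy of this code in fs_etc.c mentioned in the following text got the same change.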

I missed this one, probably because the function was moved to fs_etc.c in the meantime. The underlying problem is that setuid and sticky bits must be set by an explicit call to chmod, subtracting mode from the umask is not enough.

As these files are overmounted anyways, it is probably easiest to use some fixed mode instead, like 0600 and 0700.

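As an added illustration (not code from this thread or from firejail) of the two points discussed above: the `(s.st_mode & 07777) == mode` check tripping on a mode copied straight from `stat()`, and a "check, don't assert" shape with an explicit `fchmod()`. The helper names are hypothetical and the example assumes a writable `/tmp`.

```c
#define _XOPEN_SOURCE 700             /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same shape as the patched create_empty_file_as_root(): umask()+open(O_CREAT),
 * then the ASSERT_PERMS-style comparison. Returns 1 if the check holds, 0 if it
 * would have asserted, -1 on I/O error. Hypothetical helper, not firejail code. */
static int create_and_check(const char *fname, mode_t mode) {
    mode_t saved = umask(~mode);      /* umask() only looks at the 0777 bits */
    int fd = open(fname, O_RDONLY | O_CREAT | O_CLOEXEC, mode);
    umask(saved);
    if (fd < 0)
        return -1;
    struct stat s;
    int rc = fstat(fd, &s);
    close(fd);
    return rc == 0 ? (s.st_mode & 07777) == mode : -1;
}

/* Hardened variant: keep only permission bits, set them with an explicit
 * fchmod() so set-id/sticky bits do not depend on umask/open() semantics, and
 * report an owner or mode mismatch as a return value instead of abort()ing.
 * Owner is compared with the caller's uid here; firejail expects 0. */
static int create_empty_file_checked(const char *fname, mode_t mode) {
    mode &= 07777;
    int fd = open(fname, O_RDONLY | O_CREAT | O_CLOEXEC, mode & 0777);
    if (fd < 0)
        return -1;
    struct stat s;
    int ok = fchmod(fd, mode) == 0 && fstat(fd, &s) == 0;
    close(fd);
    if (!ok)
        return -1;
    return s.st_uid == getuid() && (s.st_mode & 07777) == mode;
}

/* Run one routine on a fresh file in a mkdtemp() directory under /tmp
 * (assumed writable) and clean up afterwards. */
static int in_scratch(int (*fn)(const char *, mode_t), mode_t mode) {
    char dir[] = "/tmp/modecheck-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/resolv.conf", dir);
    int r = fn(path, mode);
    unlink(path);
    rmdir(dir);
    return r;
}

/* 1: mode copied from stat() of the host file still carries S_IFREG -> 0. */
int check_with_stat_mode(void)   { return in_scratch(create_and_check, S_IFREG | 0644); }
/* 2: plain permission bits -> the same routine passes -> 1. */
int check_with_masked_mode(void) { return in_scratch(create_and_check, 0644); }
/* 3: hardened routine with a fixed 0600 as in the fs_hostname.c patch -> 1. */
int check_hardened(void)         { return in_scratch(create_empty_file_checked, S_IFREG | 0600); }
```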

@smitsohu commented on GitHub (Jul 7, 2022):

This should fix firejail --dns=127.1.1.1 --private firefox.

I don't know at the moment what's going on with noroot. Unfortunately I'm having difficulties in reproducing it.


@reinerh commented on GitHub (Jul 17, 2022):

The issue has also been reported here (https://bugs.debian.org/1015151), also with --dns (and --net=).
I'll try to reproduce it and check your fix.


@davew-fj commented on GitHub (Aug 5, 2022):

I have symptoms similar to those described in this thread.
My OS is Linux Antix21, 64 bit (Bullseye debian), on a Dell e5430. Firejail 0.9.64.4-2+deb11u1

Below are warnings received when opening various browsers in firejail.
Some complain but open anyway. Others do not open. A common thread is that "networking feature is disabled in firejail configuration file." However, I don't see that in /etc/firejail/firejail.config. Two parameters were not the defaults. This warning disappeared after changing "cgroups No" to yes, and "restricted network yes" to no. But this did not restore Firefox function.

Firefox (91esr) was working properly in Firejail, for several days (this is a new computer to me, and software is being added slowly).

I think the problem may have started with an attempted installation of Lutris. But the problem did not resolve, after complete removal. It might also be related to attempted install of AirVPN (eddie-ui, not yet working) and NordVPN (cli software, working). The VPN was NOT activated when using the browsers in firejail.

In terminal: firejail firefox (After restoring defaults in firejail.config the Warning disappears, but the Seccomp problem apparently prevents Firefox from opening.)
Dialog ends with:
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DBus user socket was not found.
No proxies specified

The problem is also present with Waterfox browser (but different):
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 4800, child pid 4801
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 91.60 ms
Error: no suitable waterfox executable found

The Seamonkey browser works in firejail, but in terminal produces this warning:
Warning: networking feature is disabled in Firejail configuration file

Librewolf produces the following in firejail:
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 5383, child pid 5384
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 90.24 ms
JavaScript error: resource://gre/modules/XULStore.jsm, line 68: Error: Can't find profile directory.

I apologize for the long post. Perhaps it provides a clue to folks more knowledgeable than me.


@rusty-snake commented on GitHub (Aug 5, 2022):

You have at least 4 issues/questions but none of them is caused by create_empty_file_as_root.


@davew-fj commented on GitHub (Aug 15, 2022):

I apologize for my lack of technical knowledge (represented in my previous post). I wanted to report that all problems mentioned have been corrected. Firefox and Waterfox function properly in Firejail, again (following re-installation of the operating system).

For what it's worth, I believe my problem was caused by a failed attempt to install lutris (the package included bubblewrap). Uninstalling those components did not fix things. Firefox was running in firejail at the time of the attempted installation.

All is well now. Thank you.
