[GH-ISSUE #5365] Hugin: missing GPS EXIF data in panorama output #2971

Closed
opened 2026-05-05 09:38:00 -06:00 by gitea-mirror · 6 comments

Originally created by @jose1711 on GitHub (Sep 12, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5365

Description

Hugin is not saving GPS exifdata unless started outside of `firejail`.

Steps to Reproduce

  1. Run in bash `LC_ALL=C firejail hugin`
  2. Add a few images containing EXIF data, stitch panorama, save result to JPG
  3. Open the result in an image viewer.

Expected behavior

GPS EXIF data should be present.

Actual behavior

GPS EXIF data is missing from the final render.

Behavior without a profile

`LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_

Additional context

Hugin uses `exiftool` to take care of reading/writing EXIF information and I am not seeing it listed in `private-bin` so that may be related.


@rusty-snake commented on GitHub (Sep 12, 2022):

Did you try `private-bin exiftool` in `hugin.local`? If it does not work, try `ignore private-bin` as well.


@ghost commented on GitHub (Sep 12, 2022):

For `exiftool` you need to add `perl` to `private-bin` too, besides `include allow-perl.inc`. At least on Arch Linux it's a perl script, which is blocked in `hugin.profile` by `include disable-interpreters.inc`.


@jose1711 commented on GitHub (Sep 15, 2022):

Thank you for correction, but it actually requires even more steps on Arch because `exiftool` lives in `/usr/bin/vendor_perl/exiftool`. From `exiftool.profile`:

```
# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool
# to /usr/bin/exiftool and add the below to your exiftool.local.
# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening.
#private-bin exiftool,perl
```

@kmk3 commented on GitHub (Sep 15, 2022):

@jose1711 commented [on Sep 15](https://github.com/netblue30/firejail/issues/5365#issuecomment-1247950212):

> Thank you for correction, but it actually requires even more steps on Arch
> because `exiftool` lives in `/usr/bin/vendor_perl/exiftool`. From
> `exiftool.profile`:
>
> ```
> # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool
> # to /usr/bin/exiftool and add the below to your exiftool.local.
> # Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening.
> #private-bin exiftool,perl
> ```

As you mentioned, `exiftool` is a program that lives in
`/usr/bin/vendor_perl/exiftool` on Arch. And it provides a CLI, but there is
no symlink to it in /usr/bin.

`private-bin` only considers /usr/bin and similar paths when searching for
binaries (see [`paths` in `fs_bin.c`](https://github.com/netblue30/firejail/blob/eb20f52ef570196e12e715e2a8c002feb103e448/src/firejail/fs_bin.c#L30-L40)), as usually any binary that is
intended to be called directly by end users or other programs will live (or at
least provide a symlink) in /usr/bin or a similar path.

For example, see the following binaries:

```console
$ command -v go gofmt jar java qmake6 | xargs file
/usr/bin/go:     symbolic link to /usr/lib/go/bin/go
/usr/bin/gofmt:  symbolic link to /usr/lib/go/bin/gofmt
/usr/bin/jar:    symbolic link to /usr/lib/jvm/default/bin/jar
/usr/bin/java:   symbolic link to /usr/lib/jvm/default-runtime/bin/java
/usr/bin/qmake6: symbolic link to /usr/lib/qt6/bin/qmake
$ pacman -Qo go gofmt jar java qmake6
/usr/bin/go is owned by go 2:1.19-1
/usr/bin/gofmt is owned by go 2:1.19-1
/usr/bin/jar is owned by java-environment-common 3-3.1
/usr/bin/java is owned by java-runtime-common 3-3.1
/usr/bin/qmake6 is owned by qt6-base 6.3.1-1
```

So IMO the proper fix would be for the exiftool package to provide a symlink in
/usr/bin.

In the meantime, as a workaround for `hugin.profile`, does it work if you add
the following to `hugin.local`?

```firejail
ignore private-bin
include allow-perl.inc
```
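The lookup described in the comment above, as an added example (not from the thread and not firejail's own code): a simplified model that checks each name in a `private-bin` list against a fixed directory list and flags scripts whose interpreter is not also listed. `SEARCH_DIRS` is an assumed stand-in for the `paths` array in `fs_bin.c`, and `ROOT` is a hypothetical prefix for running the check against a constructed tree.

```shell
#!/bin/sh
# Added example, not firejail code: a simplified model of the lookup described above.
# SEARCH_DIRS is an assumed stand-in for the `paths` array in fs_bin.c;
# ROOT is a hypothetical prefix so the check can run against a constructed tree.
SEARCH_DIRS=${SEARCH_DIRS:-"/usr/local/bin /usr/bin /bin /usr/local/sbin /usr/sbin /sbin"}
ROOT=${ROOT:-}

# Print the first executable regular file named $1 in SEARCH_DIRS, or return 1.
find_in_search_dirs() {
    for dir in $SEARCH_DIRS; do
        if [ -f "$ROOT$dir/$1" ] && [ -x "$ROOT$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Print the interpreter basename named on a "#!" line; print nothing otherwise.
shebang_interpreter() {
    line=$(head -c 256 "$1" 2>/dev/null | tr -d '\000' | head -n 1)
    case $line in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${line#??}; set +f      # split into interpreter + arguments
    if [ "${1##*/}" = env ]; then          # "#!/usr/bin/env perl" style
        shift
        while [ $# -gt 0 ]; do case $1 in -*|*=*) shift ;; *) break ;; esac; done
    fi
    if [ $# -gt 0 ]; then printf '%s\n' "${1##*/}"; fi
}

# $1 is a comma-separated list as written after `private-bin`.
# Prints one verdict per name: OK, MISSING, or NEEDS (interpreter not listed).
check_private_bin() {
    list=$1
    for name in $(printf '%s' "$list" | tr ',' ' '); do
        if ! path=$(find_in_search_dirs "$name"); then
            echo "MISSING $name (not in: $SEARCH_DIRS)"
            continue
        fi
        interp=$(shebang_interpreter "$ROOT$path")
        # A non-script has no interpreter; fall back to its own name, which is listed.
        case ",$list," in
            *",${interp:-$name},"*) echo "OK $name $path" ;;
            *) echo "NEEDS $name $path interpreter=$interp" ;;
        esac
    done
}

if [ $# -gt 0 ]; then check_private_bin "$1"; fi
```

Run as `sh check.sh hugin,exiftool,perl` on the host; a `MISSING` line for `exiftool` corresponds to the Arch layout discussed in this thread.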

@jose1711 commented on GitHub (Sep 16, 2022):

> ignore private-bin
> include allow-perl.inc

Yes, this workaround does the job. Thank you.


@kmk3 commented on GitHub (Sep 16, 2022):

@jose1711 commented [on Sep 16](https://github.com/netblue30/firejail/issues/5365#issuecomment-1249006353):

> > ignore private-bin
> >
> > include allow-perl.inc
>
> Yes, this workaround does the job. Thank you.

Thanks for testing.

I opened #5371, which adds the second line to `hugin.profile`.

And #5372 to discuss how to deal with the `private-bin` part.

Marked #5371 as closing this, since it fixes part of the problem and a
workaround was provided for the rest.

Feel free to post any updates or request to reopen if you have more questions.
