[GH-ISSUE #5378] Yet another --private-etc symlink issue, with /etc/alternatives/ #2976

Closed
opened 2026-05-05 09:38:05 -06:00 by gitea-mirror · 2 comments

Originally created by @JulienPalard on GitHub (Sep 23, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5378

Description

Depending on how I set --private-etc, /etc/alternatives/cc is sometimes a symlink, sometimes a copy:

Steps to Reproduce

If I whitelist /etc/alternatives/cc alone, I get a copy of cc instead of its symlink:

$ ls -lah /etc/alternatives/cc
lrwxrwxrwx 1 root root 12 Oct 14  2019 /etc/alternatives/cc -> /usr/bin/gcc
$ firejail --quiet --private-etc=alternatives/cc ls -lah /etc/alternatives/cc
-rwxr-xr-x 1 65534 65534 1.3M Sep 23 12:22 /etc/alternatives/cc

Which is bad (cc is not happy to be here). On the other hand, if I just whitelist the whole alternatives directory:

$ firejail --quiet --private-etc=alternatives ls -lah /etc/alternatives/cc
Error fcopy: size limit of 500 MB reached
lrwxrwxrwx 1 65534 65534 32 Sep 23 12:22 /etc/alternatives/cc -> /usr/bin/x86_64-linux-gnu-gcc-12

this time /etc/alternatives/cc is a symlink (and cc is happy). But fcopy whines about a 500MB limit being reached, which is probably wrong as /etc/alternatives only contains symlinks:

$ du -sh /etc/
4.0K	/etc/

Expected behavior

I know that symlinks are a security issue magnet, so I may be missing something obvious, but as there's already a way to have the symlink I quickly thought "what about the other way also giving a symlink?".

Environment

  • Debian testing (bookworm)
  • Firejail 0.9.70

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

@gerasiov commented on GitHub (Aug 13, 2023):

The problem is in the logic used for size calculation: for symlinks fcopy looks at target file, not at the symlink itself.

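The diagnosis above, as an added example (not firejail's own fcopy code): a directory-size helper run both ways over a constructed fixture that mirrors /etc/alternatives/cc -> /usr/bin/gcc, so the difference between counting a symlink's target (stat) and the link itself (lstat) is visible in numbers. Paths under /tmp and the 1 MiB file size are assumptions of the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Sum the sizes of the non-directory entries in dir. With follow_links set the
 * size of each symlink's *target* is counted (stat), which is what the comment
 * above describes fcopy doing; otherwise the link itself is counted (lstat). */
long long dir_size(const char *dir, int follow_links) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    long long total = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        struct stat st;
        int rc = follow_links ? stat(path, &st) : lstat(path, &st);
        if (rc == 0 && !S_ISDIR(st.st_mode)) total += st.st_size;
    }
    closedir(d);
    return total;
}

/* Constructed fixture (hypothetical paths under /tmp): a 1 MiB sparse file "big"
 * and a directory "alternatives" holding only the link cc -> big. Measures the
 * link directory both ways, removes the fixture and returns 0 on success. */
int measure(long long *via_stat, long long *via_lstat) {
    char base[] = "/tmp/fcopy-demo-XXXXXX", big[64], linkdir[64], link[80];
    if (!mkdtemp(base)) return -1;
    snprintf(big, sizeof big, "%s/big", base);
    snprintf(linkdir, sizeof linkdir, "%s/alternatives", base);
    snprintf(link, sizeof link, "%s/cc", linkdir);
    int fd = open(big, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || ftruncate(fd, 1 << 20) != 0 || close(fd) != 0) return -1;
    if (mkdir(linkdir, 0755) != 0 || symlink(big, link) != 0) return -1;
    *via_stat = dir_size(linkdir, 1);   /* 1048576: the target's size is charged */
    *via_lstat = dir_size(linkdir, 0);  /* strlen(big): only the link itself */
    unlink(link); rmdir(linkdir); unlink(big); rmdir(base);
    return 0;
}
```

With a real /etc/alternatives, the stat-based total adds up every linked binary on the system, which is how a directory that du reports as 4.0K can trip a 500 MB copy limit.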

@ghost commented on GitHub (Aug 13, 2023):

Yet another... FYI, there's been quite a few PRs marked as drafts due to the private-etc refactoring. Most importantly IMO is #5645. Somewhere along the line this should be decided upon. IMO best before the next release.

Just my $ 0.02
