github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #5558] Unexpected TAB-completion behaviour in GDB that's hard to trace to the .inputrc and --tab options. #3028

New issue

Open

opened 2026-05-05 09:40:43 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 09:40:43 -06:00

Owner

Originally created by @blaa on GitHub (Dec 26, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5558

Description

GDB within firejail (I use jails for many things, including development) doesn't have working TAB-completion.
Still, completion works in ZSH, Emacs, IPython, or the same GDB outside the jail.

Steps to Reproduce

Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir
firejail out of thin air creates .inputrc file with a single line
set disable-completion on
This causes GDB (readline in general) to drop TAB-completion.

Expected behavior

Tab-completion in GDB within jail and outside working the same unless I explicitly ask to alter behaviour.

I'd expect jail software to not mess with readline configuration. I wasn't expecting this, didn't turn it on (with profile, option or anything else) and was flabbergasted for over 3 hours trying to solve it. I've checked various TERM options, stty, straced gdb process, etc.

My main problem was how to "find" the culprit. I was mostly searching for GDB related information which was a mistake. I should have searched for readline. But GDB was the only thing that didn't work (zsh worked, ipython, emacs every other thing I used was OK).

Manual doesn't have IMHO good description of the case:

--tab  Enable shell tab completion in sandboxes using private or whitelisted home directories.

Why doesn't it speak about .inputrc? Readline? Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.

Why is "notab" a default? Does it impact "security"? How?

Actual behavior

GDB doesn't auto-complete and instead of coding I'm debugging gdb. It's difficult issue to google. It should "just work". I was trying for 3 hours various TERM= options, stty, stracing GDB behaviour to no avail. Only after copying /etc/inputrc to ~/.inputrc (in jail) I fixed that, and later noticed that the file WAS THERE BEFORE COPYING, although I haven't created it. I've never messed with this file before so I didn't expect that.

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
NO: The program has a profile. (I don't need profiles here)
I have performed a short search for similar issues (to avoid opening a duplicate). (I DID!)

Log

bla@rix ~/_jails λ mkdir xxx; firejail --noprofile --disable-mnt --private=./xxx --hostname=xxx --name=xxx --private-tmp zsh
Parent pid 141434, child pid 141435
Warning: not remounting /var/lib/docker/btrfs
Warning: not remounting /var/lib/docker/btrfs
Child process initialized in 31.64 ms
bla@xxx ~ λ cat .inputrc   
set disable-completion on

Originally created by @blaa on GitHub (Dec 26, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5558 ### Description GDB within firejail (I use jails for many things, including development) doesn't have working TAB-completion. Still, completion works in ZSH, Emacs, IPython, or the same GDB outside the jail. ### Steps to Reproduce 1. Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir 2. firejail out of thin air creates .inputrc file with a single line set disable-completion on 3. This causes GDB (readline in general) to drop TAB-completion. ### Expected behavior Tab-completion in GDB within jail and outside working the same unless I explicitly ask to alter behaviour. I'd expect jail software to not mess with readline configuration. I wasn't expecting this, didn't turn it on (with profile, option or anything else) and was flabbergasted for over 3 hours trying to solve it. I've checked various TERM options, stty, straced gdb process, etc. My main problem was how to "find" the culprit. I was mostly searching for GDB related information which was a mistake. I should have searched for readline. But GDB was the only thing that didn't work (zsh worked, ipython, emacs every other thing I used was OK). Manual doesn't have IMHO good description of the case: --tab Enable shell tab completion in sandboxes using private or whitelisted home directories. Why doesn't it speak about .inputrc? Readline? Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option. Why is "notab" a default? Does it impact "security"? How? ### Actual behavior GDB doesn't auto-complete and instead of coding I'm debugging gdb. It's difficult issue to google. It should "just work". I was trying for 3 hours various TERM= options, stty, stracing GDB behaviour to no avail. Only after copying /etc/inputrc to ~/.inputrc (in jail) I fixed that, and later noticed that the file WAS THERE BEFORE COPYING, although I haven't created it. I've never messed with this file before so I didn't expect that. ### Checklist - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] NO: The program has a profile. (I don't need profiles here) - [x] I have performed a short search for similar issues (to avoid opening a duplicate). (I DID!) ### Log ``` bla@rix ~/_jails λ mkdir xxx; firejail --noprofile --disable-mnt --private=./xxx --hostname=xxx --name=xxx --private-tmp zsh Parent pid 141434, child pid 141435 Warning: not remounting /var/lib/docker/btrfs Warning: not remounting /var/lib/docker/btrfs Child process initialized in 31.64 ms bla@xxx ~ λ cat .inputrc set disable-completion on ```

gitea-mirror added the

notabug

documentation

labels 2026-05-05 09:40:43 -06:00

gitea-mirror commented

2026-05-05 09:40:46 -06:00

Author

Owner

@ghost commented on GitHub (Dec 26, 2022):

Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir

The --tab option works with --private but not with --private=foo. This could be made more clear in the man page, I agree.

See https://github.com/netblue30/firejail/issues/5204 for discussion and workaround.

@ghost commented on GitHub (Dec 26, 2022): > Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir The `--tab` option works with `--private` but not with `--private=foo`. This could be made more clear in the man page, I agree. See https://github.com/netblue30/firejail/issues/5204 for discussion and workaround.

gitea-mirror commented

2026-05-05 09:40:47 -06:00

Author

Owner

@rusty-snake commented on GitHub (Dec 29, 2022):

Why doesn't it speak about .inputrc? Readline?

Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a seperate/integrated developer documentation.

Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.

The notab behaviour is only triggered if you use whitelist ${HOME}/foo or --private=${HOME}/foo i.e. if the sandbox does not use your real home.

Why is "notab" a default? Does it impact "security"? How?

If someone can me explain this ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).

@rusty-snake commented on GitHub (Dec 29, 2022): > Why doesn't it speak about .inputrc? Readline? Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a seperate/integrated developer documentation. > Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option. The notab behaviour is only triggered if you use `whitelist ${HOME}/foo` or `--private=${HOME}/foo` i.e. if the sandbox does not use your real home. > Why is "notab" a default? Does it impact "security"? How? If someone can me explain this ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).

gitea-mirror commented

2026-05-05 09:40:47 -06:00

Author

Owner

@blaa commented on GitHub (Jan 1, 2023):

Why doesn't it speak about .inputrc? Readline?

Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a seperate/integrated developer documentation.

.xinputrc might be in fact implementation detail - agreed. The fact that it changes behaviour of all readline-driven applications is not. Man page is not right when it says 'shell tab completion'. Especially since it doesn't alter zsh behaviour.

I'm a user here and have a completely user perspective, wouldn't find it in developer documentation without a hint in a man page.

Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.

The notab behaviour is only triggered if you use whitelist ${HOME}/foo or --private=${HOME}/foo i.e. if the sandbox does not use your real home.

Ok! Thanks. I was confused and misread that it alters completion in some whitelisted set of directories.
Maybe instead of sandboxes using private or whitelisted home directories something like: that use private ... ? Still, that's a detail.

Why is "notab" a default? Does it impact "security"? How?

If someone can me explain this ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).

Especially since it's not enforced. Application can clear the .xinputrc or alter it and revert the behaviour. And it doesn't even work for all shells.

@blaa commented on GitHub (Jan 1, 2023): > > Why doesn't it speak about .inputrc? Readline? > > Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a seperate/integrated developer documentation. `.xinputrc` might be in fact implementation detail - agreed. The fact that it changes behaviour of all readline-driven applications is not. Man page is not right when it says 'shell tab completion'. Especially since it doesn't alter zsh behaviour. I'm a user here and have a completely user perspective, wouldn't find it in developer documentation without a hint in a man page. > > > Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option. > > The notab behaviour is only triggered if you use `whitelist ${HOME}/foo` or `--private=${HOME}/foo` i.e. if the sandbox does not use your real home. Ok! Thanks. I was confused and misread that it alters completion in some whitelisted set of directories. Maybe instead of `sandboxes using private or whitelisted home directories` something like: `that use private ...` ? Still, that's a detail. > > Why is "notab" a default? Does it impact "security"? How? > > If someone can me explain this ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always). Especially since it's not enforced. Application can clear the .xinputrc or alter it and revert the behaviour. And it doesn't even work for all shells.

gitea-mirror commented

2026-05-05 09:40:48 -06:00

Author

Owner

@ipaqmaster commented on GitHub (Jun 4, 2025):

Steps to Reproduce

Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir

firejail out of thin air creates .inputrc file with a single line
set disable-completion on

I just experienced this today on firejail version 0.9.74.

I was very confused why my terminals were suddenly taking my TAB key-pressing literally instead of auto completing. I ran stat on a newly discovered ~/.inputrc that didn't previously exist and its timestamp was from an hour or so earlier when I was fiddling with a new firejail for some program.

I'm surprised firejail created this file without being asked to.

@ipaqmaster commented on GitHub (Jun 4, 2025): >Steps to Reproduce > Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir > firejail out of thin air creates .inputrc file with a single line > set disable-completion on I just experienced this today on `firejail version 0.9.74`. I was very confused why my terminals were suddenly taking my TAB key-pressing literally instead of auto completing. I ran `stat` on a newly discovered `~/.inputrc` that didn't previously exist and its timestamp was from an hour or so earlier when I was fiddling with a new firejail for some program. I'm surprised firejail created this file without being asked to.

gitea-mirror referenced this issue

2026-05-05 10:23:28 -06:00

[PR #3028] [MERGED] Update QOwnNotes.profile #4618

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3028

No description provided.

Rows
Columns