[GH-ISSUE #5606] End-of-options indicator "--" breaks firejail when login shell is set to /sbin/nologin #3042

Open
opened 2026-05-05 09:41:17 -06:00 by gitea-mirror · 2 comments

Originally created by @rusty-snake on GitHub (Jan 21, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5606

Description

End-of-options indicator "--" breaks firejail when login shell is set to /sbin/nologin

Steps to Reproduce

  1. Have a user with /sbin/nologin as login shell
  2. LC_ALL=C firejail --quiet --noprofile -- echo "TARDIS"

Expected behavior

Seeing TARDIS

Actual behavior

This account is currently not available.

Behavior without a profile

N/A

Additional context

Using firejail --quiet --noprofile echo "TARDIS" works.

Relates to #5599.
Relates to #5598.
Relates to #5605.

Environment

  • Fedora 37
  • 52898f467a95bb31b54ca90c3de968dc3624af38

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

```console
$ firejail --quiet --noprofile --debug echo "TARDIS"
Building quoted command line: 'echo' 'TARDIS' 
Command name #echo#
...
Starting application
LD_PRELOAD=(null)
execvp argument 0: echo
execvp argument 1: TARDIS
Child process initialized in 6.44 ms
Searching $PATH for echo
trying #/home/rusty-snake/.config/firecfg.py/overrides/bin/echo#
trying #/etc/firecfg.py/overrides/bin/echo#
trying #/usr/local/bin/echo#
trying #/usr/local/sbin/echo#
trying #/usr/bin/echo#
TARDIS
```

```console
$ firejail --quiet --noprofile --debug -- echo "TARDIS"
Building quoted command line: 'echo' 'TARDIS' 
Command name #echo#
...
Starting application
LD_PRELOAD=(null)
Running 'echo' 'TARDIS'  command through /sbin/nologin
execvp argument 0: /sbin/nologin
execvp argument 1: -c
execvp argument 2: 'echo' 'TARDIS' 
Child process initialized in 10.51 ms
This account is currently not available.
```
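Added example (not part of the original issue and not firejail's own code): a POSIX shell helper that reads `firejail --debug` output and reports whether the command was exec'd directly or wrapped as `<shell> -c`, flagging a login shell that refuses commands. The function names, the nologin pattern list and the sample log (constructed from the lines quoted in the issue) are assumptions.

```shell
#!/bin/sh
# Added example, not firejail code. Function names are hypothetical.

# Assumption: shells matching these patterns refuse to run commands.
is_nologin_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `firejail --debug` output on stdin and prints one verdict:
#   direct:<argv0>   command exec'd directly
#   shell:<path>     command wrapped as "<path> -c '<cmd>'"
#   blocked:<path>   wrapped in a shell that refuses commands
#   unknown          no launch lines found
classify_launch() {
    verdict=$(awk '
        /^Running .* command through / { shell = $NF }
        /^execvp argument 0: /         { argv0 = $NF }
        END {
            if (shell != "")      print "shell:" shell
            else if (argv0 != "") print "direct:" argv0
            else                  print "unknown"
        }')
    case "$verdict" in
        shell:*)
            if is_nologin_shell "${verdict#shell:}"; then
                verdict="blocked:${verdict#shell:}"
            fi ;;
    esac
    printf '%s\n' "$verdict"
}

# Constructed sample: launch lines taken from the issue's second log.
sample_with_dashes() {
    cat <<'EOF'
Starting application
Running 'echo' 'TARDIS'  command through /sbin/nologin
execvp argument 0: /sbin/nologin
execvp argument 1: -c
execvp argument 2: 'echo' 'TARDIS'
This account is currently not available.
EOF
}

sample_with_dashes | classify_launch
```

On a live system the same function can be fed with `firejail --debug ... 2>&1 | classify_launch`.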
gitea-mirror added the bug label 2026-05-05 09:41:17 -06:00

@rusty-snake commented on GitHub (Feb 14, 2023):

Looks like this is intentional. https://github.com/netblue30/firejail/commit/7ad735deafa80114a17b20790de63f7e973b1bb4#diff-767ac3de885e9c994fed6eb2a0f8234fd8d8611a5f817d2b0a37b50f4101b321

@paladox commented on GitHub (Dec 11, 2023):

We get this when using the www-data user.
