[GH-ISSUE #5625] ssh: Mounting noexec /home/<homedir> not working. #3049

Open
opened 2026-05-05 09:41:48 -06:00 by gitea-mirror · 5 comments

Originally created by @slush0 on GitHub (Jan 27, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5625

Description

Hello, I have remote smb mounts in /home/<homedir>/shares (over the internet). I've been successfully using firejail for weeks, but now I realized when my machine is disconnected and those shares are not working, I cannot use ssh at all (to reach local network machines, for example), because it fails on Mounting noexec /home/<homedir>.

I don't know exactly how "mounting noexec" works internally and why it is necessary for ssh, but I suppose this is rather an issue of firejail blocking ssh from starting. Strangely enough, other firejail apps are working fine for me (for example, Firefox starts normally even when my internet connection is down).

Steps to Reproduce

  1. Mount directory in home folder with SMB over Internet.
  2. Try to run "ssh <somemachine>" on local network
  3. The ssh fails on:

```
Error fstat: fs.c:536 fs_remount_simple: Host is down
Error: proc 348893 cannot sync with peer: unexpected EOF
Peer 348894 unexpectedly exited with status 1
```

Expected behavior

ssh should work normally even when it cannot remount non-working mounts in home dir. ssh works as expected when I call directly /usr/bin/ssh (without firejail).

Actual behavior

ssh doesn't work with default ssh.profile.

Behavior without a profile

/usr/bin/ssh works as expected.

Environment

  • Latest Linux Mint
  • firejail version 0.9.72

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).

Log

After running "firejail --debug ssh <params>", I see the following lines at the end of the run:

```
$ ssh <machine_on_local_network>
....
Mounting noexec /home/marekp
2750 2716 0:25 /firejail/firejail.ro.file /home/marekp/.local/share/flatpak/.changed ro,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=6563620k,mode=755,inode64
mountid=2750 fsname=/firejail/firejail.ro.file dir=/home/marekp/.local/share/flatpak/.changed fstype=tmpfs
Mounting noexec /home/marekp/shares/nas01.lan
2752 2751 0:62 / /home/marekp/shares/nas01.lan/home rw,relatime master:361 - cifs //192.168.69.4/home rw,vers=3.1.1,cache=strict,username=marekp,uid=1000,noforceuid,gid=1000,noforcegid,addr=192.168.69.4,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1
mountid=2752 fsname=/ dir=/home/marekp/shares/nas01.lan/home fstype=cifs
Error fstat: fs.c:536 fs_remount_simple: Host is down
Error: proc 345411 cannot sync with peer: unexpected EOF
Peer 345412 unexpectedly exited with status 1
```

@slush0 commented on GitHub (Jan 27, 2023):

To avoid confusion, 192.168.69.x is on a remote VPN (unavailable at the time of trying ssh), not a local network, despite the host being named nas01.lan.


@ghost commented on GitHub (Jan 27, 2023):

> I don't know exactly how "mounting noexec" works internally and why it is necessary for ssh, but I suppose this is rather issue of firejail to block ssh from starting. Strangely enough, other firejail apps working fine for me (for example Firefox start normally even when my internet connection is down.

Having include disable-exec.inc in a Firejail profile is just another option to create a tight sandbox. IMO there's nothing special about having it in ssh.profile. Firefox without active network connection being able to start has nothing to do with files under ${HOME} being mounted noexec so I wouldn't call that 'strange'.

Have you tried using an override like the one below yet to check if that solves your SMB shares issue?

```console
$ cat ~/.config/firejail/ssh.local
ignore noexec ${HOME}
```

@rusty-snake commented on GitHub (Jan 27, 2023):

Firefox, in contrast to ssh, can start because it has a whitelisting profile and ~/shares does not have to be remounted I guess. You can try with firejail --whitelist=~/shares /usr/bin/firefox.


@slush0 commented on GitHub (Feb 1, 2023):

I'm not sure if we're on the same page. My primary concern is if mounting/remounting shares in $HOME is necessary/ok in ssh profile. I don't understand firejail deep enough to tell this, but my feedback is that the default ssh profile is crashing ssh on something it should not crash on. I'm not experiencing this issue with any other firejail-protected app.


@slush0 commented on GitHub (Feb 1, 2023):

That said, adding ignore noexec ${HOME} into ssh.local fixes my issue.
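
The debug log in this issue shows firejail printing mountinfo-style lines for mounts under the home directory just before the remount of the cifs share fails with "Host is down". As an added example (not part of the thread and not firejail's code), the following parses such lines and lists the network-filesystem mounts at or below a directory, which are the candidates for this failure when their server is unreachable. The `NETWORK_FS` set, the function names and the `SAMPLE` text are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: filesystem types treated as "network" for this check.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs", "9p"}

# Constructed sample in /proc/self/mountinfo format, modelled on the debug
# log above (options shortened; the nfs4 and /mnt entries are invented).
SAMPLE = r"""
2750 2716 0:25 /firejail/firejail.ro.file /home/marekp/.local/share/flatpak/.changed ro,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,mode=755
2752 2751 0:62 / /home/marekp/shares/nas01.lan/home rw,relatime master:361 - cifs //192.168.69.4/home rw,vers=3.1.1,soft
2760 2716 0:70 / /home/marekp/my\040docs rw,relatime - nfs4 nas:/docs rw
2761 30 0:71 / /mnt/backup rw,relatime - cifs //192.168.69.4/backup rw
"""

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield dicts with mountpoint, options, fstype, source per line."""
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue  # blank or malformed line
        sep = fields.index("-")  # optional fields end at the lone "-"
        if sep < 6 or len(fields) < sep + 3:
            continue
        yield {
            "mountpoint": _unescape(fields[4]),
            "options": fields[5].split(","),
            "fstype": fields[sep + 1],
            "source": _unescape(fields[sep + 2]),
        }

def network_mounts_under(text, directory):
    """Return network mounts located at or below `directory`."""
    base = PurePosixPath(directory)
    hits = []
    for m in parse_mountinfo(text):
        mp = PurePosixPath(m["mountpoint"])
        if m["fstype"] in NETWORK_FS and (mp == base or base in mp.parents):
            hits.append(m)
    return hits

if __name__ == "__main__":
    for m in network_mounts_under(SAMPLE, "/home/marekp"):
        print(m["fstype"], m["source"], "->", m["mountpoint"])
```

On a live system, pass the contents of `/proc/self/mountinfo` instead of `SAMPLE`.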
