[GH-ISSUE #5692] rsync-download_only: private-bin is broken #3066

Open
opened 2026-05-05 09:42:30 -06:00 by gitea-mirror · 7 comments

Originally created by @ghost on GitHub (Feb 27, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5692

Today I found my first ever use case for rsync-download_only.profile. But private-bin rsync is broken on my Arch Linux box (running firejail from git):

```console
$ /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31
$ firejail --quiet --noprofile /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31
$ firejail --quiet --profile=rsync-download_only /usr/bin/rsync --version
Error: no suitable /usr/bin/rsync executable found
$ firejail --quiet --ignore=private-bin --profile=rsync-download_only /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31
```

Obviously `ignore private-bin` fixes this. But I can't explain why `private-bin rsync` reports an error. Testing other apps using private-bin confirms it seems to work as expected. I'll do some more digging but I don't think Arch Linux does anything out of the ordinary packaging rsync compared to other distros. If anyone can check this on a different distribution that would be helpful. @rusty-snake As you contributed this, can you double-check if private-bin works for you on Fedora please (if that's still your main distro)?

[Side note] foo.local refers to rsync.local although the hardening comment uses rsync-download_only.local - which can be easily fixed

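https://github.com/netblue30/firejail/blob/854e54fb59abc4474a9f8555330715baf0064d99/etc/profile-m-z/rsync-download_only.profile#L6

https://github.com/netblue30/firejail/blob/854e54fb59abc4474a9f8555330715baf0064d99/etc/profile-m-z/rsync-download_only.profile#L25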

gitea-mirror added the needinfo label 2026-05-05 09:42:30 -06:00

@kmk3 commented on GitHub (Feb 27, 2023):

Works for me on Artix:

```console
$ firejail --quiet --profile=rsync-download_only /usr/bin/rsync --version |
  grep version
rsync  version 3.2.7  protocol version 31

$ firejail --ignore='include rsync.local' --ignore='include globals.local' \
  --profile=rsync-download_only /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31
```

> [Side note] foo.local refers to rsync.local although the hardening comment
> uses rsync-download_only.local - which can be easily fixed

+1

> ```
> $ firejail --quiet --profile=rsync-download_only /usr/bin/rsync --version
> Error: no suitable /usr/bin/rsync executable found
> ```

By the way, you can probably keep the `| grep version` here since the errors
usually go to stderr.


@ghost commented on GitHub (Feb 28, 2023):

> Works for me on Artix

@kmk3 Thanks for your response. I do use an additional patch for #5650, but even when I take that out I'm seeing the breakage as posted above. Will have to do more debugging...


@kmk3 commented on GitHub (Feb 28, 2023):

@glitsj16 on Feb 28:

> @kmk3 Thanks for your response. I do use an additional patch for #5650, but
> even when I take that out I'm seeing the breakage as posted above. Will have
> to do more debugging...

No problem; I'd suggest temporarily installing and testing with the non-git
Arch package (community/firejail 0.9.72-1) to rule out it being caused by
custom patches or regressions on master.


@kmk3 commented on GitHub (Aug 23, 2024):

Hello, is this still an issue?

Are you sure that it's not due to modifications in globals.local, etc?


@ghost commented on GitHub (Aug 23, 2024):

> Hello, is this still an issue?
> Are you sure that it's not due to modifications in globals.local, etc?

Yes, the issue still shows for me. I've made absolutely sure to temporarily move my *.local files out of the way while testing. It works when I use `private-bin rsync*`. Baffled, but there it is :)


@kmk3 commented on GitHub (Aug 23, 2024):

> It works when I use `private-bin rsync*`. Baffled, but there it is :)

```console
$ pacman -Qlq rsync | grep bin
/usr/bin/
/usr/bin/rrsync
/usr/bin/rsync
/usr/bin/rsync-ssl
```

Does it work with just the following?

```
private-bin rsync,rsync-ssl
```

Are you using a wrapper script (such as in ~/bin) for rsync?

Or something that rsync might call, like ssh?


@ghost commented on GitHub (Aug 23, 2024):

I was aware of /usr/bin/rrsync and /usr/bin/rsync-ssl while re-checking this issue. But no, adding `rsync-ssl` to private-bin does not solve it. Which is to be expected, because that is a shell script and rsync-download_only.profile blocks that via `include disable-shell.inc`...

Re-checked for wrappers, but again, nothing there either.

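One way to run the wrapper check asked about in the last comments, as an added example that is not part of the original thread and not firejail code: it lists every executable on `PATH` that provides a command name and reports whether each is a symlink, a `#!` script, or something else. The function names `classify_file` and `find_candidates` are made up for this example.

```shell
#!/bin/sh
# Added example (not firejail code): classify every PATH entry that provides
# a given command name, to spot wrapper scripts or symlinks shadowing it.

# classify_file FILE -> prints "symlink", "script" or "binary"
classify_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "symlink"
        return 0
    fi
    # An interpreted script starts with the two bytes "#!".
    magic=$(head -c 2 "$f" 2>/dev/null) || magic=
    if [ "$magic" = "#!" ]; then
        echo "script"
    else
        echo "binary"
    fi
}

# find_candidates NAME [PATHLIST] -> one line per match: "<kind> <path>"
# PATHLIST defaults to $PATH; matches are printed in lookup order.
find_candidates() {
    name=$1
    pathlist=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -n "$dir" ] || continue
        cand=$dir/$name
        # -f follows symlinks, so a link to a regular file still counts.
        if [ -f "$cand" ] && [ -x "$cand" ]; then
            printf '%s %s\n' "$(classify_file "$cand")" "$cand"
        fi
    done
    IFS=$old_ifs
}

# Default to the command discussed in this issue.
find_candidates "${1:-rsync}"
```
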
Reference: github-starred/firejail#3066