[GH-ISSUE #5745] steam: crashes with private-tmp (dbus) #3079

Open
opened 2026-05-05 09:43:17 -06:00 by gitea-mirror · 12 comments

Originally created by @amano-kenji on GitHub (Mar 21, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5745

Steps to Reproduce

  1. LC_ALL=C firejail /usr/bin/steam
  2. Wait for segmentation fault.

Expected behavior

No segmentation fault.

Actual behavior

/home/user/.local/share/Steam/steam.sh: line 798: 184 Segmentation fault "$STEAMROOT/$STEAMEXEPATH" "$@"

Behavior without a profile

It works without an issue.

Environment

  • Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux"): Gentoo Linux
  • Firejail version (firejail --version).
```
firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
```

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

```
[2023-03-21 04:24:45] Verifying installation...
[2023-03-21 04:24:45] Verification complete
Loaded SDL version 3.0.0-1117-g727c7d4e2
XRRGetOutputInfo Workaround: initialized with override: 0 real: 0xea47c590
XRRGetCrtcInfo Workaround: initialized with override: 0 real: 0xea47af60
GetWin32Stats: display was not open yet, good
No minidump written, nothing to upload.
/home/user/.local/share/Steam/steam.sh: line 798:   184 Segmentation fault      "$STEAMROOT/$STEAMEXEPATH" "$@"
```

Output of LC_ALL=C firejail --debug /path/to/program

[steam.log](https://github.com/netblue30/firejail/files/11025010/steam.log)

gitea-mirror added the needinfo label 2026-05-05 09:43:17 -06:00

@kmk3 commented on GitHub (Mar 21, 2023):

> /home/user/.local/share/Steam/steam.sh: line 798: 184 Segmentation fault "$STEAMROOT/$STEAMEXEPATH" "$@"

What is the output of the following?

```sh
LC_ALL=C firejail --ignore=quiet --ignore='include globals.local' \
  --ignore='include steam.local' steam
```

Make sure to include the output of firejail as well.


@amano-kenji commented on GitHub (Mar 22, 2023):

[steam.log](https://github.com/netblue30/firejail/files/11035016/steam.log)


@kmk3 commented on GitHub (Mar 22, 2023):

I can't think of anything in particular that might be causing this, so I'd
suggest commenting out lines in the profile until you find the offending
line.

Does it work with --noprofile?


@amano-kenji commented on GitHub (Mar 22, 2023):

It worked with --noprofile.


@amano-kenji commented on GitHub (Mar 23, 2023):

Adding ignore private-tmp to steam.local eliminated segmentation fault.

Why does private-tmp cause segmentation fault?


@kmk3 commented on GitHub (Apr 5, 2023):

> Adding `ignore private-tmp` to `steam.local` eliminated segmentation fault.
>
> Why does `private-tmp` cause segmentation fault?

Doing the following might help narrow it down:

* <https://github.com/netblue30/firejail/issues/5773#issuecomment-1493306798>


@amano-kenji commented on GitHub (Apr 6, 2023):

```
$ firejail --profile=steam bash
bash-5.1$ cd /tmp
bash-5.1$ ls -alh
total 8.5K
drwxrwxrwt  3 nobody nobody 60 Apr  6 05:10 .
drwxr-xr-x 21 nobody nobody 21 Apr  6 01:23 ..
drwxrwxrwt  2 nobody nobody 60 Apr  6 01:24 .X11-unix
```

@amano-kenji commented on GitHub (Apr 6, 2023):

Adding

```
whitelist /tmp/dbus-*
```

instead of

```
ignore private-tmp
```

to `steam.local` also fixed the crash.


@kmk3 commented on GitHub (Apr 6, 2023):

> ```
> Reading profile /etc/firejail/globals.local
> ```

Are there any changes in this file?

Does steam work with `firejail --ignore='include globals.local'`?

> Adding
>
> ```
> whitelist /tmp/dbus-*
> ```
>
> instead of
>
> ```
> ignore private-tmp
> ```
>
> to `steam.local` also fixed the crash.

Interesting; do you have dbus running?

> ```
> IBUS_ADDRESS=unix:path=/tmp/dbus-UpYaUzl9WE,guid=ee88449e871a24a21a327841641904da;unix:path=/tmp/dbus-mYSRxloZ2B,guid=36e6b2ca99e97a1fea3dbffa641904da,fcitx_random_string=fd657fbffa8d4a7b98eb65bab815fb8d
> ```

Does anything change if this is unset when running steam?

Does anything change if you set the `DBUS_SESSION_BUS_ADDRESS` env var to the
socket path in /tmp when running steam?

Does anything change when using only the following modifications in
steam.local?

```
dbus.user none
dbus.system none
```

@amano-kenji commented on GitHub (Apr 6, 2023):

If I have

```
dbus-system none
dbus-user none
```

it crashes.

With

```
dbus-system none
dbus-user filter
```

it doesn't crash. It requires access to session dbus, but it uses system dbus to contact (e)logind when system dbus is available.


@amano-kenji commented on GitHub (Apr 6, 2023):

/etc/firejail/globals.local

```
# private and private-cache requires ${HOME} to not be /dev/null
ignore private
ignore private-cache
# firejail-default apparmor profile is not permissive enough for many programs.
ignore apparmor
```

~/.config/firejail/globals.local

```
# firejail-default apparmor profile is not permissive enough for many programs.
ignore apparmor
```

> Does steam work with firejail --ignore='include globals.local'?

Yes

> Interesting; do you have dbus running?

Yes. system dbus and session dbus.

> Does anything change if this is unset when running steam?

After `unset DBUS_SESSION_ADDRESS`, it doesn't crash because it launches its own dbus. steam's own dbus processes die with steam.


@amano-kenji commented on GitHub (Apr 7, 2023):

So, the crash happens if DBUS_SESSION_ADDRESS is set but points to a non-existent user session dbus.

`whitelist /tmp/dbus-*` fixes the crash by whitelisting dbus sockets in /tmp.

Absence of system dbus doesn't crash steam.profile, but if it is available, steam contacts (e)logind through system dbus which launches (e)logind. This breaks nogroups and noroot for systems that have but don't use (e)logind. My system has elogind but doesn't use it. It uses seatd.

If DBUS_SESSION_ADDRESS is not set, steam launches its own dbus processes and kills them when it dies.

Presenting a session dbus proxy with

```
dbus-system none
dbus-user filter
```

prevents crash.
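
The condition identified in this thread, a session bus address naming a socket under /tmp that `private-tmp` hides, can be checked before launching the sandbox. The script below is an added example, not part of the original issue or of firejail; the function names and the sample address are constructed, and it assumes the standard `DBUS_SESSION_BUS_ADDRESS` variable and unescaped `unix:path=` addresses.

```sh
#!/bin/sh
# Added example (not firejail code): flag a D-Bus session address whose
# socket lives under /tmp, where private-tmp mounts an empty tmpfs.

# Print every unix "path=" socket named in a D-Bus address string, one per
# line. Addresses are ';'-separated; each is "transport:key=value,key=value".
dbus_unix_paths() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r addr; do
        case $addr in
            unix:*) ;;
            *) continue ;;      # tcp:, abstract-only, empty segments, ...
        esac
        printf '%s\n' "${addr#unix:}" | tr ',' '\n' | while IFS= read -r kv; do
            case $kv in
                path=*) printf '%s\n' "${kv#path=}" ;;
            esac
        done
    done
}

# Classify an address string:
#   unset          no address; per the thread, steam then starts its own bus
#   hidden:<path>  a socket under /tmp that private-tmp would hide
#   ok             no filesystem socket under /tmp
classify_dbus_addr() {
    if [ -z "$1" ]; then
        echo unset
        return 0
    fi
    hidden=$(dbus_unix_paths "$1" | while IFS= read -r p; do
        case $p in
            /tmp/*) printf '%s\n' "$p"; break ;;
        esac
    done)
    if [ -n "$hidden" ]; then
        echo "hidden:$hidden"
    else
        echo ok
    fi
}

# Constructed sample in the shape of the address quoted in the thread.
SAMPLE='unix:path=/tmp/dbus-EXAMPLE1,guid=00;unix:path=/run/user/1000/bus'
echo "sample:  $(classify_dbus_addr "$SAMPLE")"
echo "current: $(classify_dbus_addr "${DBUS_SESSION_BUS_ADDRESS:-}")"
```

A `hidden:` result is the case the thread resolved with `whitelist /tmp/dbus-*` or `dbus-user filter` in `steam.local`.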
