[GH-ISSUE #5816] ssh: sftp fails in nautilus with GNOME gvfs 1.53+ (ControlMaster, ControlPath) #3100

Closed
opened 2026-05-05 09:44:16 -06:00 by gitea-mirror · 4 comments

Originally created by @Saren-Arterius on GitHub (May 4, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5816

Description

Since GNOME gvfs 1.53+, the SSH client option `ControlMaster=auto` and `ControlPath=/run/user/$UID/gvfsd-sftp/%C` is used to mount SFTP.

Since firejail did not whitelist `/run/user/$UID/gvfsd-sftp` by default, gvfs SFTP mount with nautilus will fail with a meaningless error message shown in UI, and gvfs binary spawned with `GVFS_DEBUG=1` will output the following log:

```
sftp: Added new job source 0x5557c0a4a740 (GVfsBackendSftp)
sftp: Queued new job 0x5557c0a54a40 (GVfsJobMount)
sftp: spawn_ssh: ssh -oForwardX11 no -oForwardAgent no -oPermitLocalCommand no -oClearAllForwardings yes -protocol 2 -oNoHostAuthenticationForLocalhost yes -oControlMaster auto -oControlPath=/run/user/1000/gvfsd-sftp/%C -s {HOST} sftp
sftp: handle_login #1 initial_connection = 1 - user: (null), host: {HOST}, port: -1
sftp: handle_login #1 - password_save: 0
sftp: handle_login #1 - ret_val: 1
sftp: stderr: Pseudo-terminal will not be allocated because stdin is not a terminal.
sftp: stderr: unix_listener: cannot bind to path /run/user/1000/gvfsd-sftp/a1e578f57192356953828abeb0bb9df9b19ee10c.C5KhYALng3tYdUFE: No such file or directory
sftp: send_reply(0x5557c0a54a40), failed=1 (Connection Failed)
```

Steps to Reproduce

Steps to reproduce the behavior

  1. Prepare an SSH server or localhost
  2. `ssh -o"ForwardX11 no" -o"ForwardAgent no" -o"PermitLocalCommand no" -o"ClearAllForwardings yes" -o"NoHostAuthenticationForLocalhost yes" -o"ControlMaster auto" -o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" -s {SSH_HOST} sftp`
  3. The stderr gives `unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory`, and SSH exits with error code 255

Expected behavior

GVFS/SSHFS connects successfully

Actual behavior

GVFS/SSHFS fails to connect because firejail has not whitelisted the `ControlPath` specified by GVFS.

Workaround/Solution

Create `/etc/firejail/ssh.local` with the following content

```
whitelist ${RUNUSER}/gvfsd-sftp
```
gitea-mirror 2026-05-05 09:44:16 -06:00
  • closed this issue
  • added the bug label
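
As an added example (not part of the original issue or of firejail's own code), the function below reads a `GVFS_DEBUG=1` log or plain ssh stderr, picks out the `unix_listener: cannot bind to path` failure quoted in the issue, and prints the `whitelist` line for the missing ControlPath directory. The names `suggest_whitelist` and `SAMPLE_LOG` are assumptions of this example; the sample lines are copied from the log in the report.

```shell
#!/bin/sh
# Added example: turn an ssh ControlPath bind failure into a firejail
# whitelist suggestion. Input: gvfs debug log or ssh stderr on stdin.

# Constructed sample input, taken from the log lines quoted in the issue.
SAMPLE_LOG='sftp: handle_login #1 - ret_val: 1
sftp: stderr: Pseudo-terminal will not be allocated because stdin is not a terminal.
sftp: stderr: unix_listener: cannot bind to path /run/user/1000/gvfsd-sftp/a1e578f57192356953828abeb0bb9df9b19ee10c.C5KhYALng3tYdUFE: No such file or directory
sftp: send_reply(0x5557c0a54a40), failed=1 (Connection Failed)'

suggest_whitelist() {
    # 1. keep only bind failures caused by a missing directory and
    #    reduce each line to the socket path ssh tried to create
    # 2. drop the socket file name, leaving the ControlPath directory
    # 3. rewrite /run/user/<uid> as the ${RUNUSER} macro used in the
    #    issue's workaround; other paths are left absolute
    dirs=$(
        sed -n 's|^.*unix_listener: cannot bind to path \(/.*\): No such file or directory$|\1|p' |
            sed 's|/[^/]*$||' |
            sed 's|^/run/user/[0-9][0-9]*|${RUNUSER}|' |
            sort -u
    )
    # No matching failure in the input: report that through the exit status.
    [ -n "$dirs" ] || return 1
    printf '%s\n' "$dirs" | sed 's|^|whitelist |'
}

# Run on the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | suggest_whitelist
```

The output is a candidate line for a `.local` override such as the `ssh.local` file named in the workaround; review the directory before whitelisting it.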
@kmk3 commented on GitHub (May 4, 2023):

@Saren-Arterius on May 4:

> Description
>
> Since GNOME gvfs 1.53+, the SSH client option `ControlMaster=auto` and
> `ControlPath=/run/user/$UID/gvfsd-sftp/%C` is used to mount SFTP.
>
> Since firejail did not whitelist `/run/user/$UID/gvfsd-sftp` by default, gvfs
> SFTP mount with nautilus will fail with a meaningless error message shown in
> UI, and gvfs binary spawned with `GVFS_DEBUG=1` will output the following
> log:

> Workaround/Solution
>
> Create `/etc/firejail/ssh.local` with the following content
>
> ```
> whitelist ${RUNUSER}/gvfsd-sftp
> ```

Nicely done.

Could you open a PR to add it to ssh.profile?

@ghost commented on GitHub (May 4, 2023):

Why not add it to sftp.profile instead?

@kmk3 commented on GitHub (May 4, 2023):

> Why not add it to `sftp.profile` instead?

Yes, that's probably better.

@mirko commented on GitHub (Sep 14, 2024):

> > Why not add it to `sftp.profile` instead?
>
> Yes, that's probably better.

Tried adding it to `.config/firejail/sftp.local` -> doesn't work. Adding to `.config/firejail/ssh.local` does, though.
