[GH-ISSUE #5877] nextcloud: cannot access ~/Nextcloud/Notes #3120

Closed
opened 2026-05-05 09:45:16 -06:00 by gitea-mirror · 9 comments

Originally created by @Sadoon-AlBader on GitHub (Jul 2, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5877

Description

The default settings allow NC to only access the parent directory ${HOME}/Nextcloud and not any of its subdirs.

Steps to Reproduce

No errors, in command line, Nextcloud complains that it cannot access i.e. "{HOME}/Nextcloud/Notes"
Verified that it can access {HOME}/Nextcloud by commenting out "noblacklist {HOME}/Nextcloud" and it gives a different error.

Expected behavior

It should have access to all subdirs by default

Actual behavior

No access to any subdirs.

Behavior without a profile

Works just fine.

Environment

  • Debian Bookworm on x86_64 with AppArmor Firejail profile enabled.
  • firejail version 0.9.72 (from repo)

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Not necessary, no log errors.

I think all we need is a * after the Nextcloud, either that or my configuration is hopelessly broken. All other programs seem to work fine though and I have no custom settings from what I can tell. Thanks for this software btw!

gitea-mirror 2026-05-05 09:45:16 -06:00
  • closed this issue
  • added the bug label

@rusty-snake commented on GitHub (Jul 2, 2023):

> I think all we need is a * after the Nextcloud

Just test and know.


@Sadoon-AlBader commented on GitHub (Jul 2, 2023):

> > I think all we need is a * after the Nextcloud
>
> Just test and know.

Ah my bad, forgot to mention I already tried the solution I mentioned in a nextcloud.local config and it works fine.
I'd send a patch but I want to make sure this is not just affecting me before messing with everyone else's configs :)


@rusty-snake commented on GitHub (Jul 2, 2023):

Actually you only need to noblacklist

https://github.com/netblue30/firejail/blob/33c75b89328df03ef3245c7ec6f30759f9619223/etc/inc/disable-programs.inc#L1189


@Sadoon-AlBader commented on GitHub (Jul 2, 2023):

> Actually you only need to noblacklist
>
> https://github.com/netblue30/firejail/blob/33c75b89328df03ef3245c7ec6f30759f9619223/etc/inc/disable-programs.inc#L1189

Ah strange, I'd never assumed that /Notes specifically would be blacklisted in a general include file, my bad.

Edit: Although it does make perfect sense to not blacklist that folder in Nextcloud's config by default.


@kmk3 commented on GitHub (Jul 4, 2023):

Edit: Nevermind this comment, the diff looks OK:

  • https://github.com/netblue30/firejail/issues/5877#issuecomment-1620645804

@rusty-snake on Jul 2:

> Actually you only need to noblacklist
>
> https://github.com/netblue30/firejail/blob/33c75b89328df03ef3245c7ec6f30759f9619223/etc/inc/disable-programs.inc#L1189

```console
$ git log --pretty='%h %ai %s' -S/Nextcloud/Notes master
590f66171 2019-04-24 12:25:36 -0400 Revert "Merge branch 'master' of github.com:netblue30/firejail"
7c481eb43 2018-10-20 22:13:13 -0500 Add QOwnNotes profile
```

The noblacklist line existed but it seems to have been removed
in a merge commit that accidentally truncated some files. The merge commit was
followed by its revert, which did not restore the affected line:

  • 7c481eb43 ("Add QOwnNotes profile", 2018-10-20) by @Fred-Barclay
  • 0d42e12f1 ("Merge branch 'master' of github.com:netblue30/firejail",
    2019-04-24) by @rusty-snake
  • 590f66171 ("Revert "Merge branch 'master' of github.com:netblue30/firejail"",
    2019-04-24) by @SkewedZeppelin

```console
$ git log --oneline --graph 78f1e3a035..590f661715
* 590f66171 Revert "Merge branch 'master' of github.com:netblue30/firejail"
*   0d42e12f1 Merge branch 'master' of github.com:netblue30/firejail
|\
| * 6e8ba04da blacklist .git-credential & .config/git (#2663) …
* | 63efb454a blacklist .git-credentials & .config/git (#2663) …
|/
* bb5e52040 Arch Linux fixes
```

This seems a bit worrying, as more changes might have been lost.

Does anyone remember what happened there?

I might look into this later.


@rusty-snake commented on GitHub (Jul 4, 2023):

I don't know what you're talking about; the line was restored in the revert (https://github.com/netblue30/firejail/commit/590f661715c991af40fb2de8b5bfe3b2bf2a606c#diff-de6116e8cecbb92d4cb33c3294352b83db4bf33a48306f6f862e51d4c7181f91R7) and it exists on current master (https://github.com/netblue30/firejail/blob/master/etc/inc/disable-programs.inc#L1189).


@kmk3 commented on GitHub (Jul 4, 2023):

> I don't know what you're talking about; the line was restored in the revert
> (https://github.com/netblue30/firejail/commit/590f661715c991af40fb2de8b5bfe3b2bf2a606c#diff-de6116e8cecbb92d4cb33c3294352b83db4bf33a48306f6f862e51d4c7181f91R7)
> and it exists on current master
> (https://github.com/netblue30/firejail/blob/master/etc/inc/disable-programs.inc#L1189).

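Sorry, I meant the noblacklist ${HOME}/Nextcloud/Notes that you suggested:

  • https://github.com/netblue30/firejail/commit/7c481eb43c3a737eeb5a0e4fc089efa281549e4c#diff-3c43e1d54bf310a5825d2fa517bcff3ac1de5eb97415c12e62104658f75939feR10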


@rusty-snake commented on GitHub (Jul 4, 2023):

Neither nextcloud.profile nor QOwnNotes.profile are touched in the commits above.


@kmk3 commented on GitHub (Jul 4, 2023):

> Neither nextcloud.profile nor QOwnNotes.profile are touched in the commits
> above.

Sorry, please disregard all that. It seems that I confused the
commands/outputs. The diff from before the merge/after the revert looks
normal:

git diff

```console
$ git diff --stat bb5e52040c..590f661715
 etc/android-studio.profile | 2 ++
 etc/aosp.profile           | 2 ++
 etc/atom.profile           | 2 ++
 etc/brackets.profile       | 2 ++
 etc/clion.profile          | 2 ++
 etc/code.profile           | 2 ++
 etc/disable-programs.inc   | 2 ++
 etc/geany.profile          | 2 ++
 etc/gedit.profile          | 2 ++
 etc/git.profile            | 2 ++
 etc/gitg.profile           | 2 ++
 etc/github-desktop.profile | 4 +++-
 etc/gnome-builder.profile  | 2 ++
 etc/idea.sh.profile        | 2 ++
 etc/meld.profile           | 2 ++
 etc/webstorm.profile       | 2 ++
 16 files changed, 33 insertions(+), 1 deletion(-)
```

The git log -S command was wrong; the search also counted the blacklist
command. This is more accurate:

```console
$ git log --pretty='%h %ai %s' -S'noblacklist ${HOME}/Nextcloud/Notes' master
f43382f1e 2021-07-18 20:39:14 -0300 Revert "move whitelist/blacklist to allow/deny"
fe0f975f4 2021-07-05 07:23:31 -0400 move whitelist/blacklist to allow/deny
7c481eb43 2018-10-20 22:13:13 -0500 Add QOwnNotes profile
```

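The noblacklist ${HOME}/Nextcloud/Notes line is still in that profile:

  • https://github.com/netblue30/firejail/blob/5d0822c52c9a5e631676899e9642911d9143dba8/etc/profile-m-z/QOwnNotes.profile#L10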

So I suppose that it only needs to be copied to nextcloud.profile then.

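An added example, not part of the thread and not firejail's own code: a shell check for the gap this issue turned out to be, a path blacklisted in a shared include that sits below a directory the profile already noblacklists. It assumes a noblacklist entry cancels only the blacklist entry with the identical path string; the function names and the sample profile and include contents are constructed.

```shell
#!/bin/sh
# Added example, not firejail code. Assumption: "noblacklist PATH" only
# cancels a "blacklist PATH" entry with the same path string, so a nested
# entry such as .../Nextcloud/Notes needs its own noblacklist line.

# uncovered_blacklists PROFILE INCLUDE
# Prints every path blacklisted in INCLUDE that lies below a directory
# PROFILE noblacklists but that PROFILE does not noblacklist itself.
uncovered_blacklists() {
    awk '
        FILENAME == ARGV[1] {
            # First file: collect the profile noblacklist paths.
            if (sub(/^noblacklist[ \t]+/, "")) allowed[$0] = 1
            next
        }
        sub(/^blacklist[ \t]+/, "") {
            if ($0 in allowed) next          # cancelled by an exact match
            for (dir in allowed)
                if (index($0, dir "/") == 1) { print; break }
        }
    ' "$1" "$2"
}

# Constructed sample files modelled on the situation in this issue.
write_samples() {
    cat > "$1/nextcloud.profile" <<'EOF'
noblacklist ${HOME}/Nextcloud
noblacklist ${HOME}/.config/Nextcloud
include disable-programs.inc
EOF
    cat > "$1/disable-programs.inc" <<'EOF'
blacklist ${HOME}/.config/Nextcloud
blacklist ${HOME}/.ssh
blacklist ${HOME}/Nextcloud
blacklist ${HOME}/Nextcloud/Notes
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
# Lists the nested path that still needs a noblacklist line in the profile.
uncovered_blacklists "$tmp/nextcloud.profile" "$tmp/disable-programs.inc"
rm -rf "$tmp"
```
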
Reference: github-starred/firejail#3120