[GH-ISSUE #5939] inconsistent behavior when PATH is not set #3136

Open
opened 2026-05-05 09:46:21 -06:00 by gitea-mirror · 2 comments

Originally created by @arenevier on GitHub (Aug 2, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5939

Description

When PATH is not set, the behavior depends on whether the profile contains a ${PATH} variable

Steps to Reproduce

# create an empty profile
$ rm -f firejail.profile && touch firejail.profile 
# unset PATH
$ unset PATH
$ /usr/bin/firejail --profile=./firejail.profile ls
# shows: Error: no suitable ls executable found

# Now, write a directive that references PATH in the profile
$ echo 'blacklist ${PATH}/systemctl' > firejail.profile
$ /usr/bin/firejail --profile=./firejail.profile ls
# now, the ls command is executed properly

Expected behavior

I expect the behavior to be coherent. Either a default PATH is always set, or it is never set.

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
gitea-mirror added the bug label 2026-05-05 09:46:21 -06:00

@ghost commented on GitHub (Aug 2, 2023):

> I expect the behavior to be coherent. Either a default PATH is always set, or it is never set.

Not sure if Firejail can do much about this if the OS or its user(s) decide to unset PATH. Besides the whole desktop integration feature/logic breaking without PATH being set (maybe we could handle such a case in firecfg) there's bound to be heaps of trouble outside of sandboxing when running a system in such a way.

I might be missing things in this context, but why would one want to unset a vital environment variable like PATH?


@arenevier commented on GitHub (Aug 2, 2023):

I agree that PATH should be set.

But when it is not set, firejail will set a default value in init_paths. And that method might or might not be called depending on the content of the profile.
https://github.com/netblue30/firejail/blob/master/src/firejail/paths.c#L29
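
The ordering dependency described in this thread, as an added C model that is not part of the issue and is not firejail's code: a default PATH applied only as a side effect of `${PATH}` expansion makes program lookup depend on profile content, while applying it before parsing (one of the two consistent options the reporter asks for) removes the dependency. `init_paths_model`, `load_profile_model`, `resolve_program`, `sandbox_can_resolve` and `DEFAULT_PATH` are hypothetical names and values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed default; not taken from firejail's source. */
#define DEFAULT_PATH "/usr/local/bin:/usr/bin:/bin"

/* Hypothetical stand-in for init_paths: setting PATH is a side effect. */
static void init_paths_model(void) {
    if (getenv("PATH") == NULL)
        setenv("PATH", DEFAULT_PATH, 1);
}

/* Profile parsing reaches the initializer only while expanding ${PATH}. */
static void load_profile_model(const char *profile) {
    if (strstr(profile, "${PATH}") != NULL)
        init_paths_model();
}

/* Program lookup walks whatever PATH is in the environment right now. */
static int resolve_program(const char *name) {
    const char *env = getenv("PATH");
    if (env == NULL)
        return 0;                       /* "no suitable executable found" */
    char *copy = strdup(env);
    if (copy == NULL)
        return 0;
    int found = 0;
    for (char *dir = strtok(copy, ":"); dir && !found; dir = strtok(NULL, ":")) {
        char candidate[4096];
        snprintf(candidate, sizeof candidate, "%s/%s", dir, name);
        found = (access(candidate, X_OK) == 0);
    }
    free(copy);
    return found;
}

/* eager = 0: behaviour reported in the issue; eager = 1: consistent variant. */
int sandbox_can_resolve(const char *profile, const char *name, int eager) {
    unsetenv("PATH");                   /* start from the reporter's state */
    if (eager)
        init_paths_model();             /* default applied before any parsing */
    load_profile_model(profile);
    return resolve_program(name);
}
```

With `eager` set to 0 the result flips between an empty profile and one containing `blacklist ${PATH}/systemctl`; with `eager` set to 1 both profiles resolve the program.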

Reference: github-starred/firejail#3136