[GH-ISSUE #6161] Permissions curious behaviour with private home #3207

New issue

Open

opened 2026-05-05 09:49:21 -06:00 by gitea-mirror · 6 comments

gitea-mirror commented 2026-05-05 09:49:21 -06:00

Owner

Copy link

Originally created by @esp13 on GitHub (Jan 18, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6161

Hi,

Description

I think I have some permissions issues when I use private home folder.

Steps to Reproduce

In my firejail profile file:
private /home/myusername/fakehome/

When I run this profile for the first time:

ls -al
ls -al#twice to get file created with any command
-rw------- 1 myusername myusername         19 janv. 17 09:51  .bash_history
exit

When I exit it and run it again:

ls -al
-r-------- 1 nobody nogroup         0 janv. 17 09:03  .bash_history

And something strange, the minutes changed too.

Expected behavior

file permissions shouldn't change between separate run.

Actual behavior

file permission changed

Behavior without a profile

didn't try without profile as it is related to private home folder

Additional context

Environment

• Linux Mint 20.3
• Firejail version 0.9.62

Checklist

• [x ] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [? ] I can reproduce the issue without custom modifications (e.g. globals.local).
• [NR ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [NR ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
• [x ] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [NR ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• [NR ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Originally created by @esp13 on GitHub (Jan 18, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6161 Hi, ### Description I think I have some permissions issues when I use private home folder. ### Steps to Reproduce In my firejail profile file: `private /home/myusername/fakehome/` When I run this profile for the first time: ``` ls -al ls -al#twice to get file created with any command -rw------- 1 myusername myusername 19 janv. 17 09:51 .bash_history exit ``` When I exit it and run it again: ``` ls -al -r-------- 1 nobody nogroup 0 janv. 17 09:03 .bash_history ``` And something strange, the minutes changed too. ### Expected behavior file permissions shouldn't change between separate run. ### Actual behavior file permission changed ### Behavior without a profile didn't try without profile as it is related to private home folder ### Additional context - ### Environment - Linux Mint 20.3 - Firejail version 0.9.62 ### Checklist - [x ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [? ] I can reproduce the issue without custom modifications (e.g. globals.local). - [NR ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [NR ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x ] I have performed a short search for similar issues (to avoid opening a duplicate). - [NR ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [NR ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log -

gitea-mirror added the

needinfo

label 2026-05-05 09:49:21 -06:00

gitea-mirror commented 2026-05-05 09:49:22 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jan 18, 2024):

Linux Mint 20.3
Firejail version 0.9.62

https://github.com/netblue30/firejail#ubuntu
Please upgrade your firejail installation and re-check if you're still see this behaviour on 0.9.72.

<!-- gh-comment-id:1899368957 --> @ghost commented on GitHub (Jan 18, 2024): > Linux Mint 20.3 Firejail version 0.9.62 https://github.com/netblue30/firejail#ubuntu Please upgrade your firejail installation and re-check if you're still see this behaviour on 0.9.72.

gitea-mirror commented 2026-05-05 09:49:24 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jan 19, 2024):

didn't try without profile as it is related to private home folder

This is relevant, as it reduces the possible error sources.

Is only .bash_history affected or other files as well?

How does your (manjaro default) bash config look like. Because my (Fedora) bash does not create .bash_history after every command.

<!-- gh-comment-id:1900735844 --> @rusty-snake commented on GitHub (Jan 19, 2024): > didn't try without profile as it is related to private home folder This is relevant, as it reduces the possible error sources. Is only .bash_history affected or other files as well? How does your (manjaro default) bash config look like. Because my (Fedora) bash does not create .bash_history after every command.

gitea-mirror commented 2026-05-05 09:49:25 -06:00

Author

Owner

Copy link

@esp13 commented on GitHub (Jan 19, 2024):

Please upgrade your firejail installation and re-check if you're still see this behaviour on 0.9.72.

Tried 0.9.72, same result

Something strange, since I upgraded, the tab key doesn't complete command anymore, it only write a tab space

<!-- gh-comment-id:1900953434 --> @esp13 commented on GitHub (Jan 19, 2024): > Please upgrade your firejail installation and re-check if you're still see this behaviour on 0.9.72. Tried 0.9.72, same result Something strange, since I upgraded, the tab key doesn't complete command anymore, it only write a tab space

gitea-mirror commented 2026-05-05 09:49:26 -06:00

Author

Owner

Copy link

@esp13 commented on GitHub (Jan 19, 2024):

This is relevant, as it reduces the possible error sources.

Tried:
firejail --private=/home/myusername/fakehome/
Same result.

It does not do this on your side?

Is only .bash_history affected or other files as well?

If I create a test file the permissions doesn't change when I exit and came back

How does your (manjaro default) bash config look like. Because my (Fedora) bash does not create .bash_history after every command.

# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
#HISTSIZE=1000
#HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
	# We have color support; assume it's compliant with Ecma-48
	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
	# a case would tend to support setf rather than setaf.)
	color_prompt=yes
    else
	color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi


#Personnalisation
export HISTFILESIZE=
export HISTSIZE=
export HISTTIMEFORMAT="[%F %T] "
PROMPT_COMMAND="history -a; $PROMPT_COMMAND"

<!-- gh-comment-id:1900955536 --> @esp13 commented on GitHub (Jan 19, 2024): > This is relevant, as it reduces the possible error sources. Tried: `firejail --private=/home/myusername/fakehome/` Same result. It does not do this on your side? > Is only .bash_history affected or other files as well? If I create a test file the permissions doesn't change when I exit and came back > How does your (manjaro default) bash config look like. Because my (Fedora) bash does not create .bash_history after every command. ``` # ~/.bashrc: executed by bash(1) for non-login shells. # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) # for examples # If not running interactively, don't do anything case $- in *i*) ;; *) return;; esac # don't put duplicate lines or lines starting with space in the history. # See bash(1) for more options HISTCONTROL=ignoreboth # append to the history file, don't overwrite it shopt -s histappend # for setting history length see HISTSIZE and HISTFILESIZE in bash(1) #HISTSIZE=1000 #HISTFILESIZE=2000 # check the window size after each command and, if necessary, # update the values of LINES and COLUMNS. shopt -s checkwinsize # If set, the pattern "**" used in a pathname expansion context will # match all files and zero or more directories and subdirectories. #shopt -s globstar # make less more friendly for non-text input files, see lesspipe(1) [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" # set variable identifying the chroot you work in (used in the prompt below) if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then debian_chroot=$(cat /etc/debian_chroot) fi # set a fancy prompt (non-color, unless we know we "want" color) case "$TERM" in xterm-color|*-256color) color_prompt=yes;; esac # uncomment for a colored prompt, if the terminal has the capability; turned # off by default to not distract the user: the focus in a terminal window # should be on the output of commands, not on the prompt #force_color_prompt=yes if [ -n "$force_color_prompt" ]; then if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then # We have color support; assume it's compliant with Ecma-48 # (ISO/IEC-6429). (Lack of such support is extremely rare, and such # a case would tend to support setf rather than setaf.) color_prompt=yes else color_prompt= fi fi if [ "$color_prompt" = yes ]; then PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' else PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' fi unset color_prompt force_color_prompt # If this is an xterm set the title to user@host:dir case "$TERM" in xterm*|rxvt*) PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" ;; *) ;; esac # enable color support of ls and also add handy aliases if [ -x /usr/bin/dircolors ]; then test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" alias ls='ls --color=auto' #alias dir='dir --color=auto' #alias vdir='vdir --color=auto' alias grep='grep --color=auto' alias fgrep='fgrep --color=auto' alias egrep='egrep --color=auto' fi # colored GCC warnings and errors #export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01' # some more ls aliases alias ll='ls -alF' alias la='ls -A' alias l='ls -CF' # Add an "alert" alias for long running commands. Use like so: # sleep 10; alert alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"' # Alias definitions. # You may want to put all your additions into a separate file like # ~/.bash_aliases, instead of adding them here directly. # See /usr/share/doc/bash-doc/examples in the bash-doc package. if [ -f ~/.bash_aliases ]; then . ~/.bash_aliases fi # enable programmable completion features (you don't need to enable # this, if it's already enabled in /etc/bash.bashrc and /etc/profile # sources /etc/bash.bashrc). if ! shopt -oq posix; then if [ -f /usr/share/bash-completion/bash_completion ]; then . /usr/share/bash-completion/bash_completion elif [ -f /etc/bash_completion ]; then . /etc/bash_completion fi fi #Personnalisation export HISTFILESIZE= export HISTSIZE= export HISTTIMEFORMAT="[%F %T] " PROMPT_COMMAND="history -a; $PROMPT_COMMAND" ```

gitea-mirror commented 2026-05-05 09:49:27 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jan 19, 2024):

Something strange, since I upgraded, the tab key doesn't complete command anymore, it only write a tab space

That's a feature. See --tab.

<!-- gh-comment-id:1901218405 --> @rusty-snake commented on GitHub (Jan 19, 2024): > Something strange, since I upgraded, the tab key doesn't complete command anymore, it only write a tab space That's a feature. See `--tab`.

gitea-mirror commented 2026-05-05 09:49:27 -06:00

Author

Owner

Copy link

@esp13 commented on GitHub (Feb 2, 2024):

didn't try without profile as it is related to private home folder

This is relevant, as it reduces the possible error sources.

Is only .bash_history affected or other files as well?

How does your (manjaro default) bash config look like. Because my (Fedora) bash does not create .bash_history after every command.

Hello,

Any feedback for the bash config I provided?

<!-- gh-comment-id:1923352595 --> @esp13 commented on GitHub (Feb 2, 2024): > > didn't try without profile as it is related to private home folder > > This is relevant, as it reduces the possible error sources. > > Is only .bash_history affected or other files as well? > > How does your (manjaro default) bash config look like. Because my (Fedora) bash does not create .bash_history after every command. Hello, Any feedback for the bash config I provided?

gitea-mirror referenced this issue 2026-05-05 10:24:41 -06:00

[PR #3207] [MERGED] Fixing the bug in 189772034b211578aca59540d7277f45da4f45d2 breaking meld #4685

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3207

No description provided.