[GH-ISSUE #6171] tesseract: output contains firejail messages #3208

New issue

Closed

opened 2026-05-05 09:49:28 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented 2026-05-05 09:49:28 -06:00

Owner

Copy link

Originally created by @kmille on GitHub (Jan 26, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6171

Hey, I'm using firejail on Arch Linux. My problem: --version shows version of firejail and not of the actual program (and/or some additional debug output).

What I expect:

kmille@linbox:~ /usr/bin/evince --version
GNOME Document Viewer 45.0

What I get

kmille@linbox:~ evince --version         
Reading profile /etc/firejail/evince.profile
Reading profile /home/kmille/.config/firejail/evince.local
Reading profile /home/kmille/.config/firejail/globals.local
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/kmille/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: private-lib feature is disabled in Firejail configuration file
firejail version 0.9.73

Parent pid 276776, child pid 276781
5 programs installed in 14.25 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 27.18 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 84.60 ms
Child process initialized in 231.19 ms
GNOME Document Viewer 45.0

Parent is shutting down, bye...

kmille@linbox:~ which -a evince
/usr/local/bin/evince
/usr/bin/evince
/bin/evince

I'm using

kmille@linbox:scans firejail --version                            
firejail version 0.9.73

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-lib support is disabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Originally created by @kmille on GitHub (Jan 26, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6171 Hey, I'm using firejail on Arch Linux. My problem: `--version` shows version of firejail and not of the actual program (and/or some additional debug output). What I expect: ``` kmille@linbox:~ /usr/bin/evince --version GNOME Document Viewer 45.0 ``` What I get ``` kmille@linbox:~ evince --version Reading profile /etc/firejail/evince.profile Reading profile /home/kmille/.config/firejail/evince.local Reading profile /home/kmille/.config/firejail/globals.local Reading profile /etc/firejail/allow-bin-sh.inc Reading profile /etc/firejail/disable-common.inc Reading profile /home/kmille/.config/firejail/disable-common.local Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: private-lib feature is disabled in Firejail configuration file firejail version 0.9.73 Parent pid 276776, child pid 276781 5 programs installed in 14.25 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 27.18 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 84.60 ms Child process initialized in 231.19 ms GNOME Document Viewer 45.0 Parent is shutting down, bye... kmille@linbox:~ which -a evince /usr/local/bin/evince /usr/bin/evince /bin/evince ``` I'm using ```bash kmille@linbox:scans firejail --version firejail version 0.9.73 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is disabled - IDS support is disabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-lib support is disabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ```

gitea-mirror 2026-05-05 09:49:28 -06:00

• closed this issue
• added the
  bug
  label

gitea-mirror commented 2026-05-05 09:49:31 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jan 26, 2024):

This is expected/intended behaviour. You can add quite to evince.profile or set quiet-by-default yes in firejail.config to make firejail quite for evince/global.

<!-- gh-comment-id:1912764657 --> @rusty-snake commented on GitHub (Jan 26, 2024): This is expected/intended behaviour. You can add `quite` to `evince.profile` or set `quiet-by-default yes` in `firejail.config` to make firejail quite for evince/global.

gitea-mirror commented 2026-05-05 09:49:31 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jan 26, 2024):

Reopening, there's a regression from f019f0ec3f (@kmk3).

$ file-roller --version 2>/dev/null
firejail version 0.9.73

file-roller 43.1, Copyright © 2001-2012 Free Software Foundation, Inc.

<!-- gh-comment-id:1912768721 --> @rusty-snake commented on GitHub (Jan 26, 2024): Reopening, there's a regression from f019f0ec3f (@kmk3). ```console $ file-roller --version 2>/dev/null firejail version 0.9.73 file-roller 43.1, Copyright © 2001-2012 Free Software Foundation, Inc. ```

gitea-mirror commented 2026-05-05 09:49:32 -06:00

Author

Owner

Copy link

@kmille commented on GitHub (Jan 27, 2024):

Thanks for the explanation! Not sure what you mean with the regression thing. I tried quiet, there is still an issue:

What I'm actually trying to do is (I guess ocrmypdf calls tesseract --version):

kmille@linbox:tmp ocrmypdf test.pdf 123.pdf
                                                                                                                                                                                                                                __init__.py:277
The program 'tesseract' could not be executed or was not found on your
system PATH.

                                                                                                                                                                                                                                __init__.py:263
On systems with the aptitude package manager (Debian, Ubuntu), try these
commands:
    sudo apt update
    sudo apt install tesseract-ocr

On RPM-based systems (Red Hat, Fedora), try this command:
    sudo dnf install tesseract-ocr

The program 'tesseract' did not report its version. Message was:                                                                                                                                                                 __main__.py:69
Reading profile /etc/firejail/tesseract.profile
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
 Found AVX2
 Found AVX
 Found FMA
 Found SSE4.1
 Found OpenMP 201511
 Found libarchive 3.7.2 zlib/1.3 liblzma/5.4.4 bz2lib/1.0.8 liblz4/1.9.4 libzstd/1.5.5
 Found libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0

So now, there is still this one line Reading profile /etc/firejail/tesseract.profile.

Expected output:

kmille@linbox:tmp tesseract --version
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
 Found AVX2
 Found AVX
 Found FMA
 Found SSE4.1
 Found OpenMP 201511
 Found libarchive 3.7.2 zlib/1.3 liblzma/5.4.4 bz2lib/1.0.8 liblz4/1.9.4 libzstd/1.5.5
 Found libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0

<!-- gh-comment-id:1913104724 --> @kmille commented on GitHub (Jan 27, 2024): Thanks for the explanation! Not sure what you mean with the regression thing. I tried `quiet`, there is still an issue: What I'm actually trying to do is (I guess ocrmypdf calls `tesseract --version`): ``` kmille@linbox:tmp ocrmypdf test.pdf 123.pdf __init__.py:277 The program 'tesseract' could not be executed or was not found on your system PATH. __init__.py:263 On systems with the aptitude package manager (Debian, Ubuntu), try these commands: sudo apt update sudo apt install tesseract-ocr On RPM-based systems (Red Hat, Fedora), try this command: sudo dnf install tesseract-ocr The program 'tesseract' did not report its version. Message was: __main__.py:69 Reading profile /etc/firejail/tesseract.profile tesseract 5.3.4 leptonica-1.84.1 libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0 Found AVX2 Found AVX Found FMA Found SSE4.1 Found OpenMP 201511 Found libarchive 3.7.2 zlib/1.3 liblzma/5.4.4 bz2lib/1.0.8 liblz4/1.9.4 libzstd/1.5.5 Found libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0 ``` So now, there is still this one line `Reading profile /etc/firejail/tesseract.profile`. Expected output: ``` kmille@linbox:tmp tesseract --version tesseract 5.3.4 leptonica-1.84.1 libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0 Found AVX2 Found AVX Found FMA Found SSE4.1 Found OpenMP 201511 Found libarchive 3.7.2 zlib/1.3 liblzma/5.4.4 bz2lib/1.0.8 liblz4/1.9.4 libzstd/1.5.5 Found libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0 ```

gitea-mirror commented 2026-05-05 09:49:33 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jan 27, 2024):

Firejail profiles are imperative, quiet takes effect from the time it is read. If quiet is not the first command in a profile, everything before it may produces some output. Related: #3503

~/.config/firejail/tesseract.profile:

quiet
include ${CFG}/tesseract.profile

<!-- gh-comment-id:1913115885 --> @rusty-snake commented on GitHub (Jan 27, 2024): Firejail profiles are imperative, `quiet` takes effect from the time it is read. If `quiet` is not the first command in a profile, everything before it may produces some output. Related: #3503 `~/.config/firejail/tesseract.profile`: ``` quiet include ${CFG}/tesseract.profile ```

gitea-mirror commented 2026-05-05 09:49:33 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jan 28, 2024):

@kmille on Jan 26:

Hey, I'm using firejail on Arch Linux. My problem: --version shows version
of firejail and not of the actual program (and/or some additional debug
output).

It does show the version of the program. From your log:

What I expect:

kmille@linbox:~ /usr/bin/evince --version
GNOME Document Viewer 45.0

What I get

kmille@linbox:~ evince --version         
Reading profile /etc/firejail/evince.profile
[...]
firejail version 0.9.73

[...]
Child process initialized in 231.19 ms
GNOME Document Viewer 45.0

Parent is shutting down, bye...

GNOME Document Viewer 45.0

The firejail version is just part of the normal firejail output.

evince is a GUI program (and is not used as a CLI as far as I know), so it is
not quiet by default.

This is working as intended.

@kmille on Jan 27:

I tried quiet, there is still an issue:

What I'm actually trying to do is (I guess ocrmypdf calls tesseract --version):

kmille@linbox:tmp ocrmypdf test.pdf 123.pdf
                                                                                                                                                                                                                                __init__.py:277
The program 'tesseract' could not be executed or was not found on your
system PATH.
[...]
The program 'tesseract' did not report its version. Message was:                                                                                                                                                                 __main__.py:69
Reading profile /etc/firejail/tesseract.profile
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
[...]

So now, there is still this one line Reading profile /etc/firejail/tesseract.profile.

Expected output:

kmille@linbox:tmp tesseract --version
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
[...]

So it seems that the actual issue is that tesseract is a CLI program but its
profile does not contain quiet. That can be easily fixed.

<!-- gh-comment-id:1913679649 --> @kmk3 commented on GitHub (Jan 28, 2024): @kmille [on Jan 26](https://github.com/netblue30/firejail/issues/6171#issue-2102879350): > Hey, I'm using firejail on Arch Linux. My problem: `--version` shows version > of firejail and not of the actual program (and/or some additional debug > output). It does show the version of the program. From your log: > What I expect: > > ``` > kmille@linbox:~ /usr/bin/evince --version > GNOME Document Viewer 45.0 > ``` > > What I get > > ``` > kmille@linbox:~ evince --version > Reading profile /etc/firejail/evince.profile > [...] > firejail version 0.9.73 > > [...] > Child process initialized in 231.19 ms > GNOME Document Viewer 45.0 > > Parent is shutting down, bye... > ``` > GNOME Document Viewer 45.0 The firejail version is just part of the normal firejail output. `evince` is a GUI program (and is not used as a CLI as far as I know), so it is not `quiet` by default. This is working as intended. @kmille [on Jan 27](https://github.com/netblue30/firejail/issues/6171#issuecomment-1913104724): > I tried `quiet`, there is still an issue: > > What I'm actually trying to do is (I guess ocrmypdf calls `tesseract --version`): > > ``` > kmille@linbox:tmp ocrmypdf test.pdf 123.pdf > __init__.py:277 > The program 'tesseract' could not be executed or was not found on your > system PATH. > [...] > The program 'tesseract' did not report its version. Message was: __main__.py:69 > Reading profile /etc/firejail/tesseract.profile > tesseract 5.3.4 > leptonica-1.84.1 > libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0 > [...] > ``` > > So now, there is still this one line `Reading profile /etc/firejail/tesseract.profile`. > > Expected output: > > ``` > kmille@linbox:tmp tesseract --version > tesseract 5.3.4 > leptonica-1.84.1 > libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0 > [...] > ``` So it seems that the actual issue is that tesseract is a CLI program but its profile does not contain `quiet`. That can be easily fixed.

gitea-mirror referenced this issue 2026-05-05 10:24:42 -06:00

[PR #3208] [MERGED] Fixes for fix_private-bin.py #4686

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3208

No description provided.