[GH-ISSUE #6206] Shell not starting on login #3220

Open
opened 2026-05-05 09:49:59 -06:00 by gitea-mirror · 10 comments

Originally created by @intereglementet on GitHub (Feb 12, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6206

Description

Trying to use firejail to execute a login shell (for user "service").

Grateful for input on this.

Steps to Reproduce

Firejail is set as shell.

sudo grep service /etc/passwd
service:x:1001:1001:test user,,,:/home/service:/usr/local/bin/firejail

And a shell profile that is included from login.users exists:

cat /usr/local/etc/firejail/service_user.profile | grep -v \#
include /usr/local/etc/firejail/default.profile
private-bin bash,ls,sh

If no shell is provided no command is found:

cat /usr/local/etc/firejail/login.users | grep -v \#
service: --profile=/usr/local/etc/firejail/service_user.profile

Password:
Reading profile /usr/local/etc/firejail/service_user.profile
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
firejail version 0.9.73

Parent pid 1120188, child pid 1120189
4 programs installed in 40.29 ms
Base filesystem installed in 124.87 ms
Child process initialized in 281.18 ms
Cannot start application: No such file or directory

Parent is shutting down, bye...

Fair enough, so provide a shell:

cat /usr/local/etc/firejail/login.users | grep -v \#
service: --profile=/usr/local/etc/firejail/service_user.profile /bin/bash

su -l service
Reading profile /usr/local/etc/firejail/service_user.profile
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
firejail version 0.9.73

Parent pid 1119897, child pid 1119898
4 programs installed in 74.39 ms
Base filesystem installed in 110.83 ms
Child process initialized in 304.28 ms
Error: no suitable SHELL=/usr/local/bin/firejail executable found

Parent is shutting down, bye...

Expected behavior

Bash as login shell

Actual behavior

Firejail is unable to find a working shell path

Behavior without a profile

cat /usr/local/etc/firejail/login.users | grep -v \#
service: --noprofile /bin/bash

su -l service
firejail version 0.9.73

Parent pid 1123115, child pid 1123116
Base filesystem installed in 0.22 ms
Child process initialized in 20.72 ms
Error: no suitable SHELL=/usr/local/bin/firejail executable found

Parent is shutting down, bye...

Environment

/usr/local/bin/firejail --version
firejail version 0.9.73

uname -a
Linux ubuntu 5.15.0-91-generic #101~20.04.1-Ubuntu SMP Thu Nov 16 14:22:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

git rev-parse HEAD
bb45aa505dd56eecbe1054c99a4dac1d4ab12f7c

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

cat /usr/local/etc/firejail/login.users | grep -v \#
service: --debug --profile=/usr/local/etc/firejail/service_user.profile /bin/bash

su -l service
Reading profile /usr/local/etc/firejail/service_user.profile
Reading profile /usr/local/etc/firejail/default.profile
Found disable-common.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-common.inc
Found disable-programs.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-programs.inc
[profile] combined protocol list: "unix,inet,inet6"
Building quoted command line: '/bin/bash' 
Command name #bash#
firejail version 0.9.73

DISPLAY is not set
Using the local network stack
Parent pid 1123476, child pid 1123477
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
Drop privileges: pid 3, uid 1001, gid 1001, force_nogroups 0
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1418 114 8:5 /etc /etc ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1418 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1419 1418 8:5 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1419 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1420 114 8:5 /var /var ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1420 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1421 1420 8:5 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1421 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1422 114 8:5 /usr /usr ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1422 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot open /run/user/1001 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/sr0 file
mounting /run/firejail/mnt/dev/hidraw0 file
Process /dev/shm directory
Copying files in the new bin directory
Checking /usr/local/bin/bash
Checking /usr/bin/bash
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin 
Checking /usr/local/bin/ls
Checking /usr/bin/ls
sbox run: /run/firejail/lib/fcopy /usr/bin/ls /run/firejail/mnt/bin 
Checking /usr/local/bin/sh
Checking /usr/bin/sh
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
4 programs installed in 53.82 ms
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Creating a new /etc/hostname file
Creating empty /run/firejail/mnt/hostname file
Creating a new /etc/hosts file
Loading user hosts file
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /proc/kmsg
Debug 588: whitelist /tmp/.X11-unix
Debug 609: expanded: /tmp/.X11-unix
Debug 620: new_name: /tmp/.X11-unix
Debug 630: dir: /tmp
Adding whitelist top level directory /tmp
Debug 588: whitelist /tmp/sndio
Debug 609: expanded: /tmp/sndio
Debug 620: new_name: /tmp/sndio
Debug 630: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Mounting tmpfs on /tmp, check owner: no
1381 114 0:71 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=1381 fsname=/ dir=/tmp fstype=tmpfs
Whitelisting /tmp/.X11-unix
1608 1381 8:5 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1608 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Add path entry /usr/local/sbin
Add path entry /usr/local/bin
Add path entry /usr/sbin
Add path entry /usr/bin
Add path entry /sbin
...skip path /bin
Add path entry /usr/games
Add path entry /usr/local/games
Add path entry /snap/bin
Number of path entries: 8
Disable /etc/systemd/network
Disable /etc/systemd/system
Disable /var/lib/systemd
Disable /etc/init.d
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/docker.sock (requested /var/run/docker.sock)
Disable /run/rpcbind.sock (requested /var/run/rpcbind.sock)
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/adduser.conf
Disable /etc/anacrontab
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/cron.hourly
Disable /etc/cron.d
Disable /etc/cron.daily
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/crontab
Disable /etc/default
Disable /etc/grub.d
Disable /etc/kernel
Disable /etc/kerneloops.conf
Disable /etc/kernel-img.conf
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/modules
Disable /etc/modules-load.d
Disable /etc/rc.local
Disable /etc/rc3.d
Disable /etc/rc5.d
Disable /etc/rcS.d
Disable /etc/rc2.d
Disable /etc/rc4.d
Disable /etc/rc1.d
Disable /etc/rc6.d
Disable /etc/rc0.d
Disable /etc/logcheck
Mounting read-only /home/service/.bash_logout
1655 1432 8:5 /home/service/.bash_logout /home/service/.bash_logout ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1655 fsname=/home/service/.bash_logout dir=/home/service/.bash_logout fstype=ext4
Mounting read-only /home/service/.bashrc
1656 1432 8:5 /home/service/.bashrc /home/service/.bashrc ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1656 fsname=/home/service/.bashrc dir=/home/service/.bashrc fstype=ext4
Mounting read-only /home/service/.profile
1657 1432 8:5 /home/service/.profile /home/service/.profile ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1657 fsname=/home/service/.profile dir=/home/service/.profile fstype=ext4
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /etc/sudoers
Disable /etc/sudoers.d
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Disable /usr/lib/eject/dmcrypt-get-device
Disable /usr/lib/openssh
Disable /usr/lib/policykit-1/polkit-agent-helper-1
Disable /usr/lib/xorg/Xorg.wrap
Disable /snap
Disable /usr/lib/snapd
Disable /var/lib/snapd
Disable /var/snap
Mounting read-only /tmp/.X11-unix
1679 1608 8:5 /tmp/.X11-unix /tmp/.X11-unix ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1679 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /sys/fs
Disable /sys/module
Base filesystem installed in 128.62 ms
Mounting noexec /run/firejail/mnt/pulse
1682 1415 0:58 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1682 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/service/.config/pulse
1683 1432 0:58 /pulse /home/service/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1683 fsname=/pulse dir=/home/service/.config/pulse fstype=tmpfs
Current directory: /home/service
DISPLAY is not set
Install protocol filter: unix,inet,inet6
configuring 23 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 8, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 9, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
Dual 32/64 bit seccomp filter configured
configuring 79 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 10, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
seccomp filter configured
Install namespaces filter
configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces 
Dropping all capabilities
Drop privileges: pid 11, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 
Dropping all capabilities
Drop privileges: pid 12, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
Mounting read-only /run/firejail/mnt/seccomp
1685 1415 0:58 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1685 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             200 .
drwxr-xr-x root     root             340 ..
-rw-r--r-- service  service          632 seccomp
-rw-r--r-- service  service          432 seccomp.32
-rw-r--r-- service  service          207 seccomp.list
-rw-r--r-- service  service          208 seccomp.namespaces
-rw-r--r-- service  service          208 seccomp.namespaces.32
-rw-r--r-- service  service            0 seccomp.postexec
-rw-r--r-- service  service            0 seccomp.postexec32
-rw-r--r-- service  service          184 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
/run/firejail/mnt/seccomp/seccomp.namespaces
/run/firejail/mnt/seccomp/seccomp.namespaces.32
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1001, gid 1001, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Child process initialized in 347.26 ms
Error: no suitable PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin executable found
monitoring pid 13

Sandbox monitor: waitpid 13 retval 13 status 256

Parent is shutting down, bye...

gitea-mirror added the bug label 2026-05-05 09:49:59 -06:00

@ghost commented on GitHub (Feb 12, 2024):

> service: --profile=/usr/local/etc/firejail/service_user.profile

Longshot. There might be some confusion about correct syntax in login.users.
https://github.com/netblue30/firejail/blob/5d3b61de89b65a6bcbc9beb49b76646734dc6f60/etc/login.users#L6

Yet, there's NO space between the user name and the program arguments:

https://github.com/netblue30/firejail/blob/5d3b61de89b65a6bcbc9beb49b76646734dc6f60/etc/login.users#L10

https://github.com/netblue30/firejail/blob/5d3b61de89b65a6bcbc9beb49b76646734dc6f60/etc/login.users#L14

Have you tried dropping that space yet? So:

```console
$ cat /usr/local/etc/firejail/login.users | grep -v #
service:--profile=/usr/local/etc/firejail/service_user.profile
```

@intereglementet commented on GitHub (Feb 12, 2024):

Well spotted. I tried a few different login.users variants without that space; unfortunately that was not it, that made no difference. I did however notice that additional arguments change the error message in a peculiar way.

service:--debug --private-bin=bash --profile=/usr/local/etc/firejail/service_user.profile /bin/bash

Error: no suitable HOME=/home/service executable found


@ghost commented on GitHub (Feb 12, 2024):

Ah well, the 'space' thing would have been too easy I guess :-)

Other idea: the `allusers` option. But to avoid stabbing in the dark indefinitely, you could try with our weakest (most permissive) profile and determine if you can get that to work:

```console
$ cat foo
service:--debug --profile=/usr/local/etc/firejail/noprofile.profile /bin/bash
```

@intereglementet commented on GitHub (Feb 12, 2024):

Well, at this point stabbing is fine by me =)

service:--debug --profile=/usr/local/etc/firejail/noprofile.profile /bin/bash

*:--allusers --profile=/usr/local/etc/firejail/noprofile.profile /bin/bash

...both get:

Error: no suitable PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin executable found


@ghost commented on GitHub (Feb 15, 2024):

Found some time to come back to this. I can confirm that - at the very least - the restricted shell feature isn't working as described in the documentation. Perhaps I'm missing something vital though, I never tried using it before (simply because I only have single-user laptops).

Below are some observations, for a newly created user guest.

```console
$ sudo grep guest /etc/password
guest:x:1002:1002:guest@lab16,,,,:/home/guest:/usr/bin/firejail
$ cat /etc/firejail/login.users
# /etc/firejail/login.users - restricted user shell configuration
#
# Each user entry consists of a user name and firejail
# program arguments:
#
#       user name: arguments
#
# For example:
#
#       netblue:--net=none --protocol=unix
#
# Wildcard patterns are accepted in the user name field:
#
#       user*: --private
#
# The example will do --private for user1, user2, and so on.
#
# The extra arguments are inserted into program command line if firejail
# was started as a login shell.

## all restricted users:
#+ have throwaway data [--private]
#+ are provided a very restricted shell [--private-bin=bash,ls,sh]
#+ have tab-completion [--tab]
*:--quiet --private --private-bin=bash,ls,sh --tab
```

What isn't working:

```console
$ su -l guest
Password:
Cannot start application: No such file or directory
```

```console
$ su guest
Password:
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local
Reading profile /etc/firejail/landlock-common.inc
Reading profile /etc/firejail/landlock-common.local

** Note: you can use --noprofile to disable default.profile **

firejail version 0.9.73

Parent pid 51288, child pid 51290

Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in 84.97 ms
Child process initialized in 150.05 ms
Cannot start application: Permission denied

Parent is shutting down, bye...
```

```console
$ su -l guest /bin/bash
Password:
Error: no suitable HOME=/home/guest executable found
```

What seems to work:

```console
$ su guest /bin/bash
Password:
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local
Reading profile /etc/firejail/landlock-common.inc
Reading profile /etc/firejail/landlock-common.local

** Note: you can use --noprofile to disable default.profile **

firejail version 0.9.73

Parent pid 54796, child pid 54798

Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in 90.97 ms
Child process initialized in 159.25 ms
[guest@lab16 ~]$ cat .bashrc
#
# ~/.bashrc
#

# If not running interactively, don't do anything
[[ $- != *i* ]] && return

alias ls='ls --color=auto'
alias grep='grep --color=auto'
PS1='[\u@\h \W]\$ '
[guest@lab16 ~]$ echo "I should be discarded after closing the sandbox due to --private" > discard.me
[guest@lab16 ~]$ exit
exit

Parent is shutting down, bye...

glitsj16@lab16 $ sudo cat /home/guest/discard.me
I should be discarded after closing the sandbox due to --private
```

I used _seems_ to work above because the configured options from /etc/firejail/login.users are NOT respected:

  • the --quiet option is there, yet I see firejail's output
  • the --private option isn't working, I can see discard.me in the real filesystem after closing the sandbox
  • the --private-bin=bash,ls,sh doesn't mention cat, yet I can use that regardless (just like I could any other command from inside the sandbox BTW)

Side-note:
Login from TTY isn't possible at all: Login incorrect

Marking this as a bug.
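
An added example, not part of the thread and not firejail's code: shell helpers for checking that a session delivers what the matching `login.users` entry promises, using the format shown in the file header above. The function names are hypothetical; first-match-wins lookup and the expectation that a working `--private-bin` leaves only the listed names in the bin directories are assumptions of this example.

```sh
#!/bin/sh
# Added example, not firejail code. Function names are hypothetical.

# Print the arguments of the first login.users entry whose user-name pattern
# matches user $1 in file $2. Format as in the file header: "user name: arguments",
# wildcards allowed in the user field. First-match-wins is an assumption.
login_users_args() {
    user=$1
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}             # drop leading spaces
        case $line in ''|'#'*) continue ;; esac   # blank line or comment
        pattern=${line%%:*}
        [ "$pattern" = "$line" ] && continue      # no colon: not an entry
        args=${line#*:}
        args=${args#"${args%%[! ]*}"}             # accept "user: args" and "user:args"
        case $user in
            $pattern) printf '%s\n' "$args"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Print the comma-separated list given to --private-bin in argument string $1.
# Runs in a subshell so that "set -f" (no globbing of words) stays local.
private_bin_list() (
    set -f
    for word in $1; do
        case $word in
            --private-bin=*) printf '%s\n' "${word#--private-bin=}"; exit 0 ;;
        esac
    done
    exit 1
)

# List executables in the given directories whose names are not on the
# comma-separated allowlist $1. Assumption: with --private-bin in effect the
# bin directories hold only the listed names, so review anything reported.
unexpected_bins() {
    allow=",$1,"
    shift
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            case $allow in
                *",${f##*/},"*) ;;
                *) printf '%s\n' "$f" ;;
            esac
        done
    done
}
```

Run from inside the restricted session against its bin directories, any path printed by `unexpected_bins` (such as a `cat` that was never listed) is the symptom described in the comment above.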


@kmk3 commented on GitHub (Feb 15, 2024):

> Trying to use firejail to execute a login shell

I didn't look into this too closely, but could it be related to --shell being
removed in 0.9.72 (#5190 / #5196)?

0.9.73 also had some related changes which might affect this (for example, see
#5605).

Does it work in 0.9.70 or 0.9.72?


@intereglementet commented on GitHub (Feb 16, 2024):

A workaround seems to be putting the firejail command in a login shell script, like:

```console
# cat login.sh
#!/bin/sh
/usr/bin/firejail --quiet --profile=/path/service_user.profile /bin/bash
# chsh -s /path/login.sh service
```


@ghost commented on GitHub (Feb 16, 2024):

@intereglementet

Thanks for the workaround. Can your user service login from TTY with that? Or did you need something else in your service_user.profile?


@intereglementet commented on GitHub (Feb 16, 2024):

This is an embedded system, so at this point I have only been able to test su -l and ssh. Nothing special was needed in the profile for that. Will get back to you if I get a chance to test tty.


@ghost commented on GitHub (Feb 16, 2024):

@intereglementet

No problem. Nice to see firejail being used on embedded systems. Thanks again for reporting this. Now we're aware of the issue we can work towards a fix that actually respects what is in login.users.

Cheers

Reference: github-starred/firejail#3220