[GH-ISSUE #6364] hashcat: failure with private-dev & private-bin #3250

Closed
opened 2026-05-05 09:51:29 -06:00 by gitea-mirror · 6 comments

Originally created by @schrotthaufen on GitHub (Jun 2, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6364

Description

The default profile for hashcat uses `private-bin` and `private-dev`, which break hashcat.
I have an AMD RX 7900 XT GPU.

Steps to Reproduce

  1. Run in bash `LC_ALL=C firejail hashcat -b -m 1000`

Expected behavior

hashcat starts working.

Actual behavior

  • With `private-bin hashcat`: hashcat throws an error, and quits: `/usr/local/bin/OpenCL/: No such file or directory`
  • With `private-dev`: hashcat throws an error, and quits: `No devices found/left.`

Behavior without a profile

hashcat works as expected.

Additional context

I think `/dev/kfd` is required to make `private-dev` work, but if I pass `--whitelist=/dev/kfd`, the `/dev/` directory is empty.

Environment

  • Arch Linux, kernel 6.9.3-arch1-1
  • firejail version 0.9.72
    Compile time support:
    • always force nonewprivs support is disabled
    • AppArmor support is enabled
    • AppImage support is enabled
    • chroot support is enabled
    • D-BUS proxy support is enabled
    • file transfer support is enabled
    • firetunnel support is disabled
    • IDS support is disabled
    • networking support is enabled
    • output logging is enabled
    • overlayfs support is disabled
    • private-home support is enabled
    • private-cache and tmpfs as user enabled
    • SELinux support is disabled
    • user namespace support is enabled
    • X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  • [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
gitea-mirror 2026-05-05 09:51:29 -06:00
  • closed this issue
  • added the graphics label

@rusty-snake commented on GitHub (Jun 2, 2024):

Related: https://github.com/netblue30/firejail/issues/6148


@ghost commented on GitHub (Jun 2, 2024):

Thanks for reporting. Sadly my current hardware is partly broken so I can't reliably test hashcat. I do have a few questions/remarks.

> With private-bin hashcat: hashcat throws an error, and quits: /usr/local/bin/OpenCL/: No such file or directory

Do you have binaries installed under that `/usr/local/bin/OpenCL/` path (or under /usr/bin)? Just asking because instead of dropping `private-bin` we might be able to keep that and add the needed binary name(s) to it.

After installing the hashcat package and running `hashcat -h` I noticed it creates only two directories under ${HOME}:

  • `${HOME}/.cache/hashcat`
  • `${HOME}/.local/share/hashcat`

The referenced `${HOME}/.hashcat` does not exist on my box after running the app (unsandboxed). Do you have that dir on your Arch Linux machine?
This isn't directly related to this issue IMO, but it would be nice to update the profile accordingly if we can check/confirm these discrepancies.

Regards


@schrotthaufen commented on GitHub (Jun 2, 2024):

> Do you have binaries installed under that `/usr/local/bin/OpenCL/` path (or under /usr/bin)?

Hashcat is installed to `/usr/bin/`, but I have firejail symlinks in `/usr/local/bin/` (generated with `firecfg`). When I run `firejail /usr/bin/hashcat -b -m 1000`, I only get the `No devices found/left.` error. Maybe the OpenCL path issue is because the sandboxed hashcat can't find `/usr/share/hashcat/OpenCL/`, and so it tries to find it next to `/usr/local/bin/hashcat`.

> The referenced `${HOME}/.hashcat` does not exist on my box after running the app (unsandboxed). Do you have that dir on your Arch Linux machine?

Yes, this directory exists on my box, and contains the potfile, session data, etc.
It seems `${HOME}/.local/share/hashcat` is the new location for `${HOME}/.hashcat`.


@ghost commented on GitHub (Jun 2, 2024):

> It seems ${HOME}/.local/share/hashcat is the new location for ${HOME}/.hashcat.

Thanks. We'd better keep that in then for backward compatibility.


@hlein commented on GitHub (Sep 3, 2025):

FYI this is still present; I think I have workarounds.

```
$ firejail --version | head -n1
firejail version 0.9.76
$ /usr/bin/hashcat --backend-info | head
hashcat (v6.2.6) starting in backend information mode

CUDA Info:
==========

CUDA.Version.: 12.9

Backend Device ID #1 (Alias: #2)
  Name...........: NVIDIA GeForce RTX 4070 Ti SUPER
  Processor(s)...: 66
$ firejail hashcat --backend-info
hashcat (v6.2.6) starting in backend information mode

/usr/local/bin/OpenCL/: No such file or directory

Started: Tue Sep  2 20:17:54 2025
Stopped: Tue Sep  2 20:17:54 2025
```

`hashcat`'s `./src/backend.c:generate_source_kernel_filename` constructs various paths-to-kernel-files based on `shared_dir`, which normally is:

```
$ hashcat -II | egrep Shar
Shared.Dir...: /usr/share/hashcat
```

But (based on the error) is I think calculated to be `/usr/local/bin` when we run it under `firejail`.

When I disable `private-bin hashcat`, that error goes away:

```
$ firejail hashcat -II
hashcat (v6.2.6) starting in backend information mode

cuInit(): no CUDA-capable device is detected

System Info:
============

OS.Name......: Linux
OS.Release...: 6.6.99-gentoo
HW.Model.....: N/A
HW.Platform..: x86_64
```

And the final error is I think caused by needing group `video` to access `/dev/nvidia*` on many distros including mine (Gentoo). It goes away if I `ignore novideo`.

I'll submit a PR making both those changes.

But this won't fix all `hashcat` issues like https://github.com/netblue30/firejail/issues/6148 where the user couldn't load hashes in `/tmp/` due to `private-tmp` being on by default.


@kmk3 commented on GitHub (Sep 7, 2025):

> ```
> $ firejail hashcat --backend-info
> hashcat (v6.2.6) starting in backend information mode
>
> /usr/local/bin/OpenCL/: No such file or directory
>
> Started: Tue Sep  2 20:17:54 2025
> Stopped: Tue Sep  2 20:17:54 2025
> ```
>
> `hashcat`'s `./src/backend.c:generate_source_kernel_filename` constructs
> various paths-to-kernel-files based on `shared_dir`, which normally is:
>
> ```
> $ hashcat -II | egrep Shar
> Shared.Dir...: /usr/share/hashcat
> ```
>
> But (based on the error) is I think calculated to be `/usr/local/bin` when we
> run it under `firejail`.
>
> When I disable `private-bin hashcat`, that error goes away:
>
> ```
> $ firejail hashcat -II
> hashcat (v6.2.6) starting in backend information mode
>
> cuInit(): no CUDA-capable device is detected
>
> System Info:
> ============
>
> OS.Name......: Linux
> OS.Release...: 6.6.99-gentoo
> HW.Model.....: N/A
> HW.Platform..: x86_64
> ```

Make sure to always use the full path to the program to avoid
firejail-in-firejail issues (see #2877).

This breaks hashcat in all of the above examples:

```console
$ firejail \
    --ignore='include globals.local' \
    --ignore='include disable-common.local' \
  hashcat --backend-info | head -n 1
hashcat (v7.1.2) starting in backend information mode
/usr/local/bin/OpenCL/: No such file or directory

$ firejail \
    --ignore='include globals.local' \
    --ignore='include disable-common.local' \
  hashcat -II | grep Shar
/usr/local/bin/OpenCL/: No such file or directory

$ firejail \
    --ignore='include globals.local' \
    --ignore='include disable-common.local' \
  hashcat -II | head -n 1
hashcat (v7.1.2) starting in backend information mode
/usr/local/bin/OpenCL/: No such file or directory
```

vs

```console
$ firejail \
    --ignore='include globals.local' \
    --ignore='include disable-common.local' \
  /usr/bin/hashcat --backend-info | head -n 1
hashcat (v7.1.2) starting in backend information mode
$ firejail \
    --ignore='include globals.local' \
    --ignore='include disable-common.local' \
  /usr/bin/hashcat -II | grep Shar
Shared.Dir...: /usr/share/hashcat
$ firejail \
    --ignore='include globals.local' \
    --ignore='include disable-common.local' \
  /usr/bin/hashcat -II | head -n 1
hashcat (v7.1.2) starting in backend information mode
```

Does it work with the full path and without `private-bin`?

> And the final error is I think caused by needing group `video` to access
> `/dev/nvidia*` on many distros including mine (Gentoo). It goes away if I
> `ignore novideo`.

What is the output of the following?

```sh
ls -l /dev/nvidia*
```
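
The full-path advice in the comment above, as an added shell example that is not part of the original thread or of firejail: it walks a search path, skips entries that are symlinks to `firejail` (the layout `firecfg` creates in `/usr/local/bin/`), and prints the first real binary. The function names `is_firejail_link` and `real_binary` are hypothetical, and `readlink -f` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: find the real binary behind a firecfg symlink so it can be
# handed to firejail by full path instead of by bare name.

# is_firejail_link FILE: succeeds if FILE is a symlink whose final target is
# named "firejail" (what firecfg installs for each sandboxed program).
is_firejail_link() {
    [ -L "$1" ] || return 1
    target=$(readlink -f -- "$1") || return 1
    [ "$(basename -- "$target")" = "firejail" ]
}

# real_binary NAME [SEARCH_PATH]: print the first executable called NAME on
# SEARCH_PATH (default: $PATH) that is not a firejail symlink.
# Returns 1 if every match is a firejail symlink or nothing matches.
real_binary() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        candidate=$dir/$name
        if [ -x "$candidate" ] && [ ! -d "$candidate" ] \
            && ! is_firejail_link "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Usage (assumes hashcat is installed):
#   firejail "$(real_binary hashcat)" --backend-info
```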