[GH-ISSUE #6490] Reintroduce shell feature #3290

Open
opened 2026-05-05 09:53:36 -06:00 by gitea-mirror · 15 comments

Originally created by @ganeshjkale on GitHub (Sep 27, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6490

#OS : Redhat 9.4
#Firejail : v0.9.72
#Command

```
firejail --shell=/bin/rbash --profile=/etc/firejail/abc.profile /usr/bin/gedit
firejail --shell=/bin/rbash /usr/bin/gedit
firejail --shell=/bin/rbash --noprofile /usr/bin/gedit
```

Shell feature enables providing more security, not able to find its alternative and documentation.
Please help.

gitea-mirror added the enhancement and needinfo labels 2026-05-05 09:53:36 -06:00

@rusty-snake commented on GitHub (Sep 27, 2024):

What do you mean with shell feature?

Why does it provide more security?


@kmk3 commented on GitHub (Sep 27, 2024):

Basic information is missing; please follow the feature request template:

* <https://github.com/netblue30/firejail/issues/new?template=feature_request.md>

@ganeshjkale commented on GitHub (Sep 27, 2024):

For eg. combine firejail with rbash or custom shell


@rusty-snake commented on GitHub (Sep 27, 2024):

`firejail rbash`?

You need to explain in more detail.


@ganeshjkale commented on GitHub (Sep 27, 2024):

Firejail v0.9.70 below command.

```
firejail --shell=/bin/rbash application
```


@rusty-snake commented on GitHub (Sep 27, 2024):

And why is a `--shell` required? Why not simply `firejail /bin/rbash application`?


@ganeshjkale commented on GitHub (Sep 27, 2024):

```
#not working getting cannot execute binary gedit.
firejail /bin/rbash gedit

#working
firejail gedit
```


@rusty-snake commented on GitHub (Sep 27, 2024):

Maybe you should outline why you even need/want a rbash.

> not working getting cannot execute binary gedit

`firejail /bin/bash -r -c gedit`


@luitzifa commented on GitHub (Nov 19, 2024):

IMHO this is a regression introduced in 0.9.72. The --shell feature was removed here: https://github.com/netblue30/firejail/issues/5190
The feature is needed to use firejail directly as login shell.
This issue is somewhat related to https://github.com/netblue30/firejail/issues/6206


@rusty-snake commented on GitHub (Nov 19, 2024):

A small wrapper (e.g. `firejail-sh`) would fit this better IMHO.


@luitzifa commented on GitHub (Nov 19, 2024):

I cannot get a wrapper like

```
root@notebook:~# cat /usr/local/bin/firejail-login.sh
#!/bin/sh
/usr/bin/firejail --quiet --profile=/etc/firejail/myprofile.profile /bin/bash
```

to work with something like this:
`ssh -o IdentityAgent=none testuser2@127.0.0.1 'ls /dev'`

I can log in and execute the command, but I need to be able to execute the command directly over ssh in firejail.


@rusty-snake commented on GitHub (Nov 19, 2024):

Passing arguments could help. Untested:

```bash
#!/bin/sh
exec /usr/bin/firejail --quiet --profile=/etc/firejail/myprofile.profile /bin/bash -- "$@"
```

@luitzifa commented on GitHub (Nov 21, 2024):

I tested your wrapper. Did not work :( , also the login is broken too.

```
❯ ssh -o IdentityAgent=none testuser@127.0.0.1
testuser@127.0.0.1's password:
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-49-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

Last login: Thu Nov 21 10:24:21 2024 from 127.0.0.1
/bin/bash: -c: No such file or directory
Connection to 127.0.0.1 closed.
❯ ssh -o IdentityAgent=none testuser@127.0.0.1 'ls /dev'
testuser@127.0.0.1's password:
/bin/bash: -c: No such file or directory
```

@rusty-snake commented on GitHub (Nov 21, 2024):

If passing non-file-arguments to bash is required, remove the `--`.


@luitzifa commented on GitHub (Nov 21, 2024):

That did the trick. I will test it further:

```
❯ cat /usr/local/bin/firejail-login.sh
#!/bin/sh
/usr/bin/firejail --quiet --profile=/etc/firejail/myloginshell.profile /bin/bash "$@"
❯ grep testuser /etc/passwd
testuser:x:994:981::/home/testuser:/usr/local/bin/firejail-login.sh
testuser2:x:993:980::/home/testuser2:/usr/bin/firejail
❯ ssh -o IdentityAgent=none testuser@127.0.0.1 'ls -la /dev | grep random'
testuser@127.0.0.1's password:
crw-rw-rw-   1 nobody nogroup   1, 8 Nov 21 10:35 random
crw-rw-rw-   1 nobody nogroup   1, 9 Nov 21 10:35 urandom
```

Thanks
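
Why the `--` variant of the wrapper failed for remote commands, as an added example that is not part of the thread: sshd hands a remote command to the login shell as `-c '<command>'`, and bash treats the first word after `--` as the name of a script file. Firejail is left out here (an assumption, so only bash's argument parsing is exercised), and `simulate_ssh_command` and `run_case` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not code from the thread. firejail is deliberately omitted:
# the wrappers below call bash directly so the effect of "--" is isolated.
BASH_BIN=$(command -v bash)   # assumption: bash is installed

# Variant from the thread that failed: "--" ends bash's option parsing,
# so the next word ("-c") is taken as the name of a script file to run.
wrapper_with_dashes() { "$BASH_BIN" -- "$@"; }

# Variant from the thread that worked: "-c" reaches bash as an option.
wrapper_plain() { "$BASH_BIN" "$@"; }

# sshd starts a remote command as: <login shell> -c '<command>'
# $1 = wrapper function to act as login shell, $2 = remote command string
simulate_ssh_command() { "$1" -c "$2"; }

# Run one case and print "<exit status>|<stdout and stderr>".
# LC_ALL=C keeps bash's error text in English for comparison.
run_case() {
    rc=0
    out=$(export LC_ALL=C; simulate_ssh_command "$1" "$2" 2>&1) || rc=$?
    printf '%s|%s\n' "$rc" "$out"
}

# Constructed remote command, standing in for 'ls /dev' from the thread.
run_case wrapper_plain 'echo inside'
run_case wrapper_with_dashes 'echo inside'
```

The second case exits with status 127 and the same `-c: No such file or directory` message shown in the failing ssh session above.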

Reference: github-starred/firejail#3290