[GH-ISSUE #6768] Login via SSH does not load proper Bash shell #3363

Open
opened 2026-05-05 09:56:35 -06:00 by gitea-mirror · 2 comments

Originally created by @pinric on GitHub (Jun 5, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6768

Description

Default configuration when logging in via SSH does not enter jailed shell.

Steps to Reproduce

  1. Default install and login via SSH to user with shell set to /bin/firejail

Expected behavior

Currently running a previous version for 5+ years and when pointing user default shell to /bin/firejail it just works and any user logging in gets the default.profile applied.

Actual behavior

When connecting via SSH the following error shows up:

Error: --shell=none configured, but no program specified

Behavior without a profile

Running "su username /bin/bash" works fine.

Additional context

Tried changing the login.users to have "--debug /bin/bash" but the following error then shows up:

LD_PRELOAD=(null)
Child process initialized in 97.70 ms
Searching $PATH for LANG=en_US.UTF-8
trying #/usr/local/sbin/LANG=en_US.UTF-8#
trying #/usr/local/bin/LANG=en_US.UTF-8#
trying #/usr/sbin/LANG=en_US.UTF-8#
trying #/usr/bin/LANG=en_US.UTF-8#
trying #/sbin/LANG=en_US.UTF-8#
trying #/bin/LANG=en_US.UTF-8#
trying #/usr/games/LANG=en_US.UTF-8#
trying #/usr/local/games/LANG=en_US.UTF-8#
trying #/snap/bin/LANG=en_US.UTF-8#
Error: no suitable LANG=en_US.UTF-8 executable found
monitoring pid 10

Sandbox monitor: waitpid 10 retval 10 status 256

Parent is shutting down, bye...

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.8.0-60-generic x86_6
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Ubuntu 24.04
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
  • Version of Firejail (firejail --version): 0.9.72
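The report above turns on two configuration facts: which accounts have firejail as their login shell in /etc/passwd, and whether /etc/firejail/login.users names a program for each of them. The script below is an added example for this thread, not code from the firejail project. It assumes the `user: arguments` line format documented in firejail-login(5) and treats the first token not starting with `-` as the program to run; the passwd and login.users contents are constructed samples, not data from either reporter's system. It flags entries that name no program at all, which is the condition the reported error message describes, and accounts that have no login.users entry.

```python
"""Audit which local accounts get a Firejail login shell and whether
/etc/firejail/login.users gives each of them an explicit program.

Added example for this issue thread; not code from the firejail project.
Assumptions: login.users uses the 'user: arguments' line format from
firejail-login(5); a token that does not start with '-' is taken to be
the program to run. SAMPLE_PASSWD and SAMPLE_LOGIN_USERS are constructed
samples, not data from the reporters' systems.
"""
import shlex

FIREJAIL_SHELLS = {"/bin/firejail", "/usr/bin/firejail"}

# Constructed sample of /etc/passwd (7 colon-separated fields per line).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/firejail
bob:x:1002:1002::/home/bob:/usr/bin/firejail
carol:x:1003:1003::/home/carol:/bin/firejail
dave:x:1004:1004::/home/dave:/bin/bash
"""

# Constructed sample of /etc/firejail/login.users.
SAMPLE_LOGIN_USERS = """\
# user: arguments  (constructed sample)
alice: --debug /bin/bash
bob: --net=none
"""


def firejail_accounts(passwd_text):
    """Return {user: shell} for accounts whose login shell is firejail."""
    out = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in FIREJAIL_SHELLS:
            out[fields[0]] = fields[6]
    return out


def parse_login_users(text):
    """Return {user: [args]}; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, args = line.partition(":")
        entries[user.strip()] = shlex.split(args)
    return entries


def program_of(args):
    """First token that is not an option, or None when only options are given."""
    for tok in args:
        if not tok.startswith("-"):
            return tok
    return None


def audit(passwd_text, login_users_text):
    """Return {user: status} with status 'ok:<program>', 'no-program' or 'no-entry'."""
    entries = parse_login_users(login_users_text)
    report = {}
    for user in firejail_accounts(passwd_text):
        if user not in entries:
            report[user] = "no-entry"
            continue
        prog = program_of(entries[user])
        report[user] = f"ok:{prog}" if prog else "no-program"
    return report


if __name__ == "__main__":
    # On a real host, read /etc/passwd and /etc/firejail/login.users instead.
    for user, status in sorted(audit(SAMPLE_PASSWD, SAMPLE_LOGIN_USERS).items()):
        print(f"{user:8} {status}")
```

On the sample data, alice is reported as `ok:/bin/bash`, bob as `no-program` (only `--net=none`, no program token) and carol as `no-entry`. Running it against the real files on a host shows at a glance which firejail-shell accounts would hit the "no program specified" path before anyone tries to log in over SSH.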
gitea-mirror added the needinfo label 2026-05-05 09:56:35 -06:00

@kmk3 commented on GitHub (Jun 5, 2025):

> Currently running a previous version for 5+ years

Which one?

> 0.9.72

Note that we do not maintain that version of firejail:

  • https://github.com/netblue30/firejail/blob/master/SECURITY.md

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

  • https://github.com/netblue30/firejail#installing

What happens with the latest released version?

Also, what is the full log output and the content of login.users?

@inode64 commented on GitHub (Jul 1, 2025):

I have the same problem but with version 0.9.74

Building quoted command line: '/usr/bin/bash' 
Command name #bash#
firejail version 0.9.74

pid=76533: locking /run/firejail/firejail-run.lock ...
pid=76533: locked /run/firejail/firejail-run.lock
DISPLAY is not set
pid=76533: unlocking /run/firejail/firejail-run.lock ...
pid=76533: unlocked /run/firejail/firejail-run.lock
Using the local network stack
Parent pid 76533, child pid 76534
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Drop privileges: pid 2, uid 1004, gid 81, force_nogroups 0
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
56 34 254:2 /etc /etc ro,noatime - ext4 /dev/root rw,errors=remount-ro
mountid=56 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
57 56 254:2 /etc /etc ro,nosuid,nodev,noexec,noatime - ext4 /dev/root rw,errors=remount-ro
mountid=57 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
Mounting read-only /usr
83 34 254:2 /usr /usr ro,noatime - ext4 /dev/root rw,errors=remount-ro
mountid=83 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /run/user directory
Cannot open /run/user/1004 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Creating a new /etc/hosts file
Loading user hosts file
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /dev/kmsg
Disable /proc/kmsg
Warning: you are not allowed to change /var/www/xxxxxxx.com to read-write
Disable /sys/fs
Disable /sys/module
Base filesystem installed in 0.10 ms
Cannot read /etc/pulse/client.conf
Current directory: /var/www/xxxxxxx.com
Mounting read-only /run/firejail/mnt/seccomp
117 53 0:24 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=117 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             200 ..
-rw-r--r-- mascamar apache           640 seccomp
-rw-r--r-- mascamar apache           432 seccomp.32
-rw-r--r-- mascamar apache             0 seccomp.postexec
-rw-r--r-- mascamar apache             0 seccomp.postexec32
No active seccomp files
pid=76533: unlocking /run/firejail/firejail-network.lock ...
pid=76533: already unlocked /run/firejail/firejail-network.lock
Drop privileges: pid 1, uid 1004, gid 81, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Not enforcing Landlock
Child process initialized in 8.61 ms
Searching $PATH for LANGUAGE=es_ES.UTF-8
trying #/usr/local/sbin/LANGUAGE=es_ES.UTF-8#
trying #/usr/local/bin/LANGUAGE=es_ES.UTF-8#
trying #/usr/bin/LANGUAGE=es_ES.UTF-8#
trying #/opt/bin/LANGUAGE=es_ES.UTF-8#
Error: no suitable LANGUAGE=es_ES.UTF-8 executable found
monitoring pid 3

Sandbox monitor: waitpid 3 retval 3 status 256

Parent is shutting down, bye...

My system is Gentoo
kernel Linux version 6.12.16-gentoo
