[GH-ISSUE #6778] man: Cannot start application: Permission denied (fish shell on Chimera Linux) #3369

Open
opened 2026-05-05 09:56:43 -06:00 by gitea-mirror · 1 comment

Originally created by @matu3ba on GitHub (Jun 13, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6778

Description

When invoking programs with path traversal from the fish shell on Chimera Linux, I get permission denied errors.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run in fish: LC_ALL=C /usr/local/bin/man, or firejail --noprofile man, or man with firecfg having set up the symlink /usr/local/bin/man
  2. See error Cannot start application: Permission denied

Expected behavior

Output

firejail version 0.9.75

Parent pid 16696, child pid 16697
Warning: cannot find /dev/null/utmp
Base filesystem installed in 0.13 ms
Child process initialized in 24.83 ms
usage: man [-acfhklw] [-C file] [-M path] [-m path] [-S subsection]
	   [[-s] section] name ...

Parent is shutting down, bye...

and definitely not Cannot start application or Permission denied.

Actual behavior

Output

firejail version 0.9.75

Parent pid 16410, child pid 16411
Warning: cannot find /dev/null/utmp
Base filesystem installed in 0.11 ms
Child process initialized in 25.45 ms
Warning: an existing sandbox was detected. /home/user/.local/texlive/2025/bin/x86_64-linuxmusl/man will run without any additional sandboxing features
< above content optional, when using with firejail --noprofile >
Cannot start application: Permission denied

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

Additional context

Any other detail that may help to understand/debug the problem
The problem is not reproducible in bash or the default shell of Chimera Linux. env prints, among other things, LANG=C.UTF-8, LC_COLLATE=C.
Interestingly, I get the entry Warning: cannot create /usr/local/bin/man - already exists! Skipping... when running doas firecfg, which could be related.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.15.1-0-generic x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Linux chimera 6.15.1-0-generic
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): man
  • Version of Firejail (firejail --version): firejail version 0.9.75
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD): facaa03df9357b2882ecde4731bced8e7521784b

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local). Using an empty profile
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of firejail /usr/bin/man

firejail version 0.9.75

Parent pid 16970, child pid 16971
Warning: cannot find /dev/null/utmp
Base filesystem installed in 0.11 ms
Child process initialized in 39.21 ms
usage: man [-acfhklw] [-C file] [-M path] [-m path] [-S subsection]
           [[-s] section] name ...

Parent is shutting down, bye...

Output of firejail --debug /usr/bin/man

Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=17021: locking /run/firejail/firejail-run.lock ...
pid=17021: locked /run/firejail/firejail-run.lock
pid=17021: unlocking /run/firejail/firejail-run.lock ...
pid=17021: unlocked /run/firejail/firejail-run.lock
Building quoted command line: '/usr/bin/man'
Command name #man#
Found man.profile profile in /home/user/.config/firejail directory
firejail version 0.9.75

pid=17021: locking /run/firejail/firejail-run.lock ...
pid=17021: locked /run/firejail/firejail-run.lock
DISPLAY=:0 parsed as 0
pid=17021: unlocking /run/firejail/firejail-run.lock ...
pid=17021: unlocked /run/firejail/firejail-run.lock
Using the local network stack
Parent pid 17021, child pid 17023
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 0
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1854 1834 254:0 /etc /etc ro,noatime master:1 - ext4 /dev/mapper/nvme_root rw,discard
mountid=1854 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1855 1854 254:0 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/mapper/nvme_root rw,discard
mountid=1855 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1856 1834 254:0 /var /var ro,noatime master:1 - ext4 /dev/mapper/nvme_root rw,discard
mountid=1856 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1857 1856 254:0 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/mapper/nvme_root rw,discard
mountid=1857 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1858 1834 254:0 /usr /usr ro,noatime master:1 - ext4 /dev/mapper/nvme_root rw,discard
mountid=1858 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Warning: cannot find /dev/null/utmp
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Creating a new /etc/hostname file
Creating empty /run/firejail/mnt/hostname file
Creating a new /etc/hosts file
Loading user hosts file
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Base filesystem installed in 0.23 ms
Mounting noexec /run/firejail/mnt/pulse
1904 1851 0:140 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1904 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user/.config/pulse
1905 1863 0:140 /pulse /home/user/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1905 fsname=/pulse dir=/home/user/.config/pulse fstype=tmpfs
Globbing /dev/tcm[0-9]* (type=tpm skip_symlinks=0)
No match /dev/tcm[0-9]* (type=tpm)
Globbing /dev/tcmrm[0-9]* (type=tpm skip_symlinks=0)
No match /dev/tcmrm[0-9]* (type=tpm)
Globbing /dev/tpm[0-9]* (type=tpm skip_symlinks=0)
blacklist /dev/tpm0
Globbing /dev/tpmrm[0-9]* (type=tpm skip_symlinks=0)
blacklist /dev/tpmrm0
Globbing /dev/ntsync (type=ntsync skip_symlinks=0)
No match /dev/ntsync (type=ntsync)
Current directory: /home/user
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
1909 1851 0:140 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1909 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             220 ..
-rw-r--r-- user      user              640 seccomp
-rw-r--r-- user      user              432 seccomp.32
-rw-r--r-- user      user                0 seccomp.postexec
-rw-r--r-- user      user                0 seccomp.postexec32
No active seccomp files
pid=17021: unlocking /run/firejail/firejail-network.lock ...
pid=17021: already unlocked /run/firejail/firejail-network.lock
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Not enforcing Landlock
execvp argument 0: /usr/bin/man
Child process initialized in 32.74 ms
usage: man [-acfhklw] [-C file] [-M path] [-m path] [-S subsection]
           [[-s] section] name ...
monitoring pid 3

Sandbox monitor: waitpid 3 retval 3 status 1280

Parent is shutting down, bye...
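The two runs above differ in what the name man resolves to: under bash the first PATH hit is the firecfg symlink in /usr/local/bin, while the fish run ends up at the TeX Live copy under /home/user/.local/texlive/2025/bin/x86_64-linuxmusl/man. An exec that fails with "Permission denied" (EACCES) on a resolved file has two usual causes, a missing execute bit or a noexec mount, and the debug log shows firejail does mount parts of the tree noexec. The script below is an added diagnostic, not part of firejail or of the original report: given a command name and a PATH string it lists every hit in exec order, flags firecfg-style symlinks whose target is named firejail, and classifies each hit as ok, no-x-bit, noexec-mount or missing-target by reading /proc/self/mountinfo. The file name pathdiag.sh and the --diagnose flag are this example's own; the layout in the usage note is constructed.

```shell
#!/bin/sh
# Added diagnostic for PATH resolution of a firecfg-wrapped command; not part of
# firejail or the original report. Every function prints its result so it can be
# run from any shell (fish included via `fish -c 'sh pathdiag.sh --diagnose man'`).

# path_hits NAME PATH : every PATH entry holding NAME (dangling symlinks included);
# the first line is the candidate execvp() would try
path_hits() {
    name=$1 searchpath=$2 oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        [ -n "$dir" ] || dir=.          # an empty PATH element means the cwd
        if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$oldifs
}

# first_hit NAME PATH : the single file the kernel would actually be asked to exec
first_hit() { path_hits "$1" "$2" | head -n 1; }

# is_firejail_symlink FILE : true when FILE is a symlink whose target is named firejail
# (what firecfg installs into /usr/local/bin)
is_firejail_symlink() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = firejail ]
}

# mount_opts FILE : per-mount options (6th field of /proc/self/mountinfo) of the
# longest mount point covering FILE's resolved path, or "unknown"
mount_opts() {
    [ -r /proc/self/mountinfo ] || { echo unknown; return 0; }
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    best='' bestopts=''
    while read -r _ _ _ _ mnt opts _; do
        mnt=$(printf '%s' "$mnt" | sed 's/\\040/ /g')   # mountinfo escapes spaces as \040
        case "$target" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -gt ${#best} ]; then best=$mnt bestopts=$opts; fi ;;
        esac
    done < /proc/self/mountinfo
    printf '%s\n' "${bestopts:-unknown}"
}

# exec_blocked FILE : "missing-target", "no-x-bit", "noexec-mount" or "ok".
# The mode bit is checked first; a noexec mount is a separate refusal that the
# x bit alone does not reveal, and both surface as EACCES at exec time.
exec_blocked() {
    [ -e "$1" ] || { echo missing-target; return 0; }
    [ -x "$1" ] || { echo no-x-bit; return 0; }
    case ",$(mount_opts "$1")," in
        *,noexec,*) echo noexec-mount ;;
        *)          echo ok ;;
    esac
}

# report NAME PATH : one tab-separated line per hit:
# path, firejail-symlink|plain, exec verdict, mount options
report() {
    path_hits "$1" "$2" | while read -r hit; do
        if is_firejail_symlink "$hit"; then kind=firejail-symlink; else kind=plain; fi
        printf '%s\t%s\t%s\t%s\n' "$hit" "$kind" "$(exec_blocked "$hit")" "$(mount_opts "$hit")"
    done
}

# Usage: sh pathdiag.sh --diagnose man
case ${1-} in
    --diagnose) report "${2:-man}" "$PATH" ;;
esac
```

Run it once per shell (for example bash -c 'sh pathdiag.sh --diagnose man' and fish -c 'sh pathdiag.sh --diagnose man') to see whether the first hit is the firecfg symlink or something earlier in that shell's PATH, and once as firejail --noprofile sh pathdiag.sh --diagnose man so the mount options column reflects what the sandbox itself has mounted noexec.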


@matu3ba commented on GitHub (Jun 13, 2025):

Not sure if firejail wants to support Chimera Linux or upstream Chimera Linux wants to support firejail. I wanted to open this, since it is an annoying problem.

Reference: github-starred/firejail#3369