github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

user` is mounted with noexec when `--private` is used #3420

New issue

Closed

opened 2026-05-05 09:59:25 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 09:59:25 -06:00

Owner

Originally created by @oblique on GitHub (Oct 1, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6921

Description

When --private is used the /home/user directory is mounted as NOEXEC, even if ignore noexec ${HOME} is specified.

Steps to Reproduce

firejail --private bash
echo -e '#!/bin/bash\necho test' > test.sh
chmod +x test.sh
./test.sh

Error: bash: ./test.sh: Permission denied.

Expected behavior

I would expect the /home/user directory to allow execution unless if noexec ${HOME} is specified.

Actual behavior

/home/user does not allow execution

Behavior without a profile

--noprofile doesn't change the behaviour.

Additional context

The code responsible for this is:

54d5bb04bc/src/firejail/fs_home.c (L395-L402)

There are two ways of fixing this:

We keep the current behaviour but if ignore noexec /home or ignore noexec ${HOME} is specified, then we remove the MS_NOEXEC flag.
We change the behaviour to exec by default and user should specify noexec ${HOME} if they don't want execution.

There is a workaround for this issue: If --allusers is specified then /home/user is mounted via fs_tmpfs‎, which doesn't use MS_NOEXEC.

Environment

Name/version/arch of the Linux kernel (uname -srm): Linux 6.16.8-arch3-1 x86_64
Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
mesa 1:24.3.3-2"): bash 5.3.3
Version of Firejail (firejail --version): 0.9.76
If you use a development version of firejail, also the commit from which it
was compiled (git rev-parse HEAD):

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Originally created by @oblique on GitHub (Oct 1, 2025). Original GitHub issue: https://github.com/netblue30/firejail/issues/6921  ### Description When `--private` is used the `/home/user` directory is mounted as NOEXEC, even if `ignore noexec ${HOME}` is specified. ### Steps to Reproduce 1. `firejail --private bash` 2. `echo -e '#!/bin/bash\necho test' > test.sh` 3. `chmod +x test.sh` 4. `./test.sh` Error: `bash: ./test.sh: Permission denied`. ### Expected behavior I would expect the `/home/user` directory to allow execution unless if `noexec ${HOME}` is specified. ### Actual behavior `/home/user` does not allow execution ### Behavior without a profile `--noprofile` doesn't change the behaviour. ### Additional context The code responsible for this is: https://github.com/netblue30/firejail/blob/54d5bb04bc5c64a84c3eb8fdd3fa62197b326018/src/firejail/fs_home.c#L395-L402 There are two ways of fixing this: 1. We keep the current behaviour but if `ignore noexec /home` or `ignore noexec ${HOME}` is specified, then we remove the `MS_NOEXEC` flag. 2. We change the behaviour to exec by default and user should specify `noexec ${HOME}` if they don't want execution. There is a workaround for this issue: If `--allusers` is specified then `/home/user` is mounted via `fs_tmpfs‎`, which doesn't use `MS_NOEXEC`. ### Environment - Name/version/arch of the Linux kernel (`uname -srm`): Linux 6.16.8-arch3-1 x86_64 - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux - Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): bash 5.3.3 - Version of Firejail (`firejail --version`): 0.9.76 - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`): ### Checklist  - [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

gitea-mirror

2026-05-05 09:59:25 -06:00

closed this issue
added the
bug
label

gitea-mirror commented

2026-05-05 09:59:28 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 9, 2026):

Fixed, thanks @oblique

I have removed MS_NOEXEC flag from the code above. In the profiles noexec home is usually done by including disable-exec.inc.

06fe85f4b7

@netblue30 commented on GitHub (Jan 9, 2026): Fixed, thanks @oblique I have removed MS_NOEXEC flag from the code above. In the profiles noexec home is usually done by including disable-exec.inc. https://github.com/netblue30/firejail/commit/06fe85f4b7452a7c28b0a6c6bef73a55c54766df

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3420

No description provided.

Rows
Columns

[GH-ISSUE #6921] /home/user is mounted with noexec when --private is used #3420