[GH-ISSUE #559] [CentOS 7.2] Running Firejail 0.9.40 causes /etc/passwd, /etc/group and /etc/gshadow to be locked, making useradd, userdel and gpasswd unusable. Kernel 3.10 #395

Closed
opened 2026-05-05 05:46:42 -06:00 by gitea-mirror · 4 comments
Originally created by @ghost on GitHub (Jun 10, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/559

I'm a fan of Firejail. I was running it on Debian Testing with no issues until recently, when I switched to Centos 7.

Issue:

OS: Centos 7.2.1511, amd64

Running Firefox or Thunderbird (probably everything else) prefixed with firejail locks the /etc/passwd, /etc/group and /etc/gshadow files on Centos 7 with the 3.10 kernel.

This causes some package installations to fail while firejailed applications run, since plenty of them add users, like httpd, libvirt or even tcpdump. It also makes adding new users, adding groups or adding existing users to groups impossible while firejailed applications run.

The file lock errors (-1 EBUSY (Device or resource busy)) go away if you stop or pkill firejail.

I can reproduce the issue both on the stock 3.10.0-327.el7.x86_64 and 3.10.0-327.18.2.el7.x86_64 kernels, both on real (my own laptop) and virtual machines.

Kernel 4.6.2-1.el7.elrepo.x86_64 doesn't seem to be affected.

Firejail 0.9.40 RPM was installed from one of sourceforge's mirrors, linked from https://firejail.wordpress.com/download-2/.

Strace-ing useradd username will return:

```
rename("/etc/passwd+", "/etc/passwd") = -1 EBUSY (Device or resource busy)
```

Running firejail <application> causes SELinux to generate the following in journalctl:

```
Jun 10 03:58:00 centos7 useradd[6092]: new group: name=rvF9PuTE, GID=1749
Jun 10 03:58:00 centos7 useradd[6092]: new user: name=rvF9PuTE, UID=1749, GID=1749, home=/home/rvF9PuTE, shell=/bin/bash
Jun 10 03:58:00 centos7 lightdm[922]: Reading profile /etc/firejail/firefox.profile
Jun 10 03:58:00 centos7 lightdm[922]: Reading profile /etc/firejail/disable-common.inc
Jun 10 03:58:00 centos7 lightdm[922]: Reading profile /etc/firejail/disable-programs.inc
Jun 10 03:58:00 centos7 lightdm[922]: Reading profile /etc/firejail/disable-devel.inc
Jun 10 03:58:00 centos7 lightdm[922]: Reading profile /etc/firejail/whitelist-common.inc
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jun 10 03:58:00 centos7 useradd[6092]: failure while writing changes to /etc/shadow
Jun 10 03:58:00 centos7 useradd[6092]: failed adding user 'rvF9PuTE', exit code: 1
Jun 10 03:58:00 centos7 useradd[6108]: new group: name=NPUE2CbQ, GID=1750
Jun 10 03:58:00 centos7 useradd[6108]: new user: name=NPUE2CbQ, UID=1750, GID=1750, home=/home/NPUE2CbQ, shell=/bin/bash
```

The issue appears regardless of selinux being on enforced, disabled or permissive mode.

The virtual machine I've tested had selinux disabled (at vultr.com), so I didn't have wrong selinux labels.

My own machine (during several reinstallations) had proper labelling, since the issue reappeared after reinstalls and I ran restorecon -R -v on /etc and on /home frequently.

Relabeling the entire filesystem with /.autorelabel is irrelevant.

Linked is my Centos thread on centos.org.

https://www.centos.org/forums/viewtopic.php?f=48&t=58096


@ghost commented on GitHub (Jun 10, 2016):

It seems it doesn't matter who or which uid launches firejail.

As soon as you launch it, the /etc/passwd, group, gshadow and shadow files become locked by firejail.

Forgot to mention, it's also not possible to change your user passwords (/etc/shadow) while a firejail process runs.

```
[root@vultr ~]# passwd
Changing password for user root.
New password: 
BAD PASSWORD: The password contains the user name in some form
Retype new password: 
passwd: Authentication token manipulation error
```

SELinux status is irrelevant. This appears on all 3 SELinux statuses.

The issue can be reproduced on any Centos 7.2 VM with the 3.10 kernel.

It also happens after installing the MATE desktop, so I think DEs are irrelevant.

What you launch doesn't need to be graphical.

Running firejail bash also locks the files mentioned above; exiting from that bash unlocks them.


@netblue30 commented on GitHub (Jun 10, 2016):

This is a kernel bug. If you have firejail running, you won't be able to install new packages: lots of directories such as /sbin and /usr/sbin are basically locked read-only by the kernel, and also a number of files in /etc. The problem was fixed in kernel 3.18, so if you move to 4.6.2 you shouldn't see it.

The rpm package on my download page was built and tested on Centos 7. I didn't run into any SELinux problems. What you are getting in journalctl is because of the kernel bug mentioned above.

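A diagnostic that reproduces the failing step, added here as an example: it is my own code, not firejail's and not something posted in this issue. To my understanding, the kernel behaviour netblue30 refers to is that before Linux 3.18 a file that is a mount point in any mount namespace (such as the bind mounts a firejail sandbox places over files in /etc) could not be renamed over or unlinked, and rename(2) returned EBUSY. The shadow-utils tools commit changes by writing "<file>+" next to the target and renaming it over the original, which is exactly the call the reporter's strace shows failing. The program below performs that same commit step on a file you name (preserving mode and owner, so the rewritten file is byte-for-byte and permission-for-permission what it was) and gates on the kernel version from uname. The passwd-style line in the self-check and the file names are constructed for the example.

```c
/* rename_probe.c: added diagnostic (my own code, not firejail's, not from the report). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/utsname.h>

/* 1 if a "MAJOR.MINOR..." release string is at least want_major.want_minor, else 0
 * (unparsable counts as too old); 3.18 is the version named in the thread. */
int kernel_at_least(const char *release, int want_major, int want_minor)
{
    int major, minor;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return 0;
    return major != want_major ? major > want_major : minor >= want_minor;
}

/* Mimic the commit step of useradd(8)/passwd(1): copy <path> to "<path>+" in the
 * same directory (same mode, same owner when permitted), then rename() it over
 * <path>.  Returns 0, or the errno of the failing call; on failure the copy is
 * removed and <path> is untouched.  The report's EBUSY is the return value here. */
int probe_rename_over(const char *path)
{
    char tmp[4096], buf[8192];
    struct stat st;
    ssize_t n;
    int in = -1, out = -1, created = 0, err = 0;
    if (snprintf(tmp, sizeof tmp, "%s+", path) >= (int)sizeof tmp)
        return ENAMETOOLONG;
    if ((in = open(path, O_RDONLY)) < 0 || fstat(in, &st) != 0) { err = errno; goto done; }
    /* O_EXCL: never clobber a "<path>+" left behind by an interrupted tool. */
    if ((out = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) { err = errno; goto done; }
    created = 1;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { err = errno; goto done; }
            off += w;
        }
    }
    if (n < 0) { err = errno; goto done; }
    /* /etc/shadow is mode 0000: keep the original mode rather than the umask default. */
    if (fchown(out, st.st_uid, st.st_gid) != 0 && errno != EPERM) { err = errno; goto done; }
    if (fchmod(out, st.st_mode & 07777) != 0 || fsync(out) != 0) { err = errno; goto done; }
    if (close(out) != 0) err = errno;
    out = -1;
    if (err == 0 && rename(tmp, path) != 0)   /* the call the reporter's strace shows failing */
        err = errno;
done:
    if (in >= 0) close(in);
    if (out >= 0) close(out);
    if (err != 0 && created) unlink(tmp);
    return err;
}

/* Self-check on a scratch file in /tmp (the passwd-style line is constructed): 0 when
 * the commit works and the bytes survive, an errno otherwise, -1 if content differs. */
int probe_scratch_file(void)
{
    static const char sample[] = "probe:x:1000:1000::/home/probe:/bin/bash\n";
    char path[] = "/tmp/rename-probe-XXXXXX", back[128] = {0};
    int fd = mkstemp(path), rc = 0;
    if (fd < 0) return errno;
    if (write(fd, sample, strlen(sample)) != (ssize_t)strlen(sample)) rc = errno;
    close(fd);
    if (rc == 0) rc = probe_rename_over(path);
    if (rc == 0) {
        FILE *f = fopen(path, "r");
        if (!f) rc = errno;
        else if (fread(back, 1, sizeof back - 1, f) != strlen(sample) || strcmp(back, sample)) rc = -1;
        if (f) fclose(f);
    }
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    struct utsname u;
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE   (try a scratch copy of /etc/passwd first)\n", argv[0]);
        return 2;
    }
    if (uname(&u) == 0)
        printf("kernel %s: %s\n", u.release, kernel_at_least(u.release, 3, 18)
               ? "3.18 or newer" : "older than 3.18, expect EBUSY while a sandbox runs");
    int rc = probe_rename_over(argv[1]);
    if (rc == 0)
        printf("rename(\"%s+\", \"%s\") = 0\n", argv[1], argv[1]);
    else
        printf("commit of %s failed: %s\n", argv[1], strerror(rc));
    return rc != 0;
}
```

To reproduce what the report describes, run firejail bash in one terminal and, as root, ./rename_probe /etc/passwd in another: on the 3.10 kernel the probe reports Device or resource busy and leaves /etc/passwd untouched, and after exiting the sandbox the same command succeeds. The success path rewrites the file (identical bytes, mode and owner), which is the same thing useradd does, so try it on a scratch copy first.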

@ghost commented on GitHub (Jun 10, 2016):

Thanks for the explanation!

I wish I had known this before.

I've looked quickly at the documentation and it looks like only distrowatch mentions kernel 3.18 and newer (https://distrowatch.com/weekly.php?issue=20160222#tips):

The only downside I found to this feature is it requires relatively modern kernels, the system needs to be running Linux 3.18 (or newer) for the temporary file system to work.

Do you think a note can be added with a link perhaps to this issue report for other Centos 7 users with 3.10 kernels on the download page?

If you want, then we're free to close the issue.


@netblue30 commented on GitHub (Jun 13, 2016):

I have documented it on my Known Problems page here: https://firejail.wordpress.com/support/known-problems/#removeblacklisted

Reference: github-starred/firejail#395