[GH-ISSUE #678] --private-bin does not warn for non-existing programmes #463

Closed
opened 2026-05-05 05:54:51 -06:00 by gitea-mirror · 3 comments
Owner

Originally created by @Fred-Barclay on GitHub (Aug 1, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/678

G'day guys! I found this while trying to correct a mistake I had made with the warzone2100 profile: the line `private-bin warzone2100`

Now warzone2100 is **not** installed to /bin, /usr/bin, and so on; it's in /usr/games.

```
fred@<redacted> ~ $ which warzone2100
/usr/games/warzone2100
```

When I realised this, I thought initially that `--private-bin` might include /usr/games as well, but after glancing over src/firejail/fs_bin.c it doesn't appear that this is the case, unless I missed something.

After checking gnome-chess, which is also in /usr/games/, `--private-bin` works without a hitch:

```
firejail --debug --private-bin=gnome-chess --shell=none gnome-chess
```

So my question is, shouldn't private-bin warn and/or exit with a warning for cases like this when there isn't a corresponding programme in a *bin directory?

gitea-mirror 2026-05-05 05:54:51 -06:00
  • closed this issue
  • added the bug label
Author
Owner

@netblue30 commented on GitHub (Aug 2, 2016):

It is in fact a bug, I don't have /usr/games in the list, that's why it doesn't find warzone2100. This is the list in this moment:

```c
static char *paths[] = {
    "/usr/local/bin",
    "/usr/bin",
    "/bin",
    "/usr/local/sbin",
    "/usr/sbin",
    "/sbin",
    NULL
};
```

There was also a warning at some point, but it is commented out for some reason. I'll bring back the warning.

Author
Owner

@Fred-Barclay commented on GitHub (Aug 2, 2016):

Would it be a good idea to add /usr/games to the list of private-bin? It is a common executable directory and it's not at all inconceivable that it could be manipulated maliciously.
Adding /usr/games to private-bin would help protect against this and add all the benefits of private-bin.

Author
Owner

@netblue30 commented on GitHub (Aug 3, 2016):

I added /usr/games and /usr/local/games.

If you add `--debug` on the command line, you will get a warning if the program is not found. I cannot show the message by default; there are cases when you have a longer program list that covers multiple Linux distributions. It is the same for `--private-etc`, where each distro has a different set of files in /etc, and you are forced to have in your profile file a long list that covers all of them.
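To make the lookup and the debug-only warning discussed in this thread concrete, here is an added example written for this page; it is not firejail's own fs_bin.c code. It takes the search list quoted above, appends /usr/games and /usr/local/games in an assumed order, resolves each bare program name from a comma-separated `private-bin` list, and only reports missing entries when a debug flag is set, so a profile that lists programs from several distributions does not become noisy. The existence check is injected so the example runs offline against a constructed table of "installed" files instead of the real filesystem; `path_is_executable` is the variant you would pass in for real use.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Search directories: the list quoted in the thread plus the two games
   directories the maintainer said were added (their order is assumed). */
static const char *bin_paths[] = {
    "/usr/local/bin", "/usr/bin", "/bin",
    "/usr/local/sbin", "/usr/sbin", "/sbin",
    "/usr/games", "/usr/local/games",
    NULL
};

typedef int (*exists_fn)(const char *path);

/* Real-filesystem check: the file exists and is executable by the caller. */
int path_is_executable(const char *path) { return access(path, X_OK) == 0; }

/* Resolve a bare program name against bin_paths. Returns the index of the
   directory where it was found (or -1) and writes the full path into out.
   Names containing '/' are rejected: private-bin takes bare names only. */
int resolve_program(const char *name, exists_fn exists, char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;
    for (int i = 0; bin_paths[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", bin_paths[i], name);
        if (n < 0 || (size_t)n >= outlen) continue;   /* too long: skip dir */
        if (exists(out)) return i;
    }
    out[0] = '\0';
    return -1;
}

/* Convenience wrappers with static storage, handy for checks and tests. */
int resolve_index(const char *name, exists_fn exists) {
    char path[512];
    return resolve_program(name, exists, path, sizeof path);
}
const char *resolve_path(const char *name, exists_fn exists) {
    static char path[512];
    resolve_program(name, exists, path, sizeof path);
    return path;
}

/* Validate a comma-separated private-bin list: returns how many entries do
   not resolve to any bin directory, warning on stderr only when debug is set
   (mirroring the thread: the warning is debug-only so multi-distro profiles
   stay quiet). Returns -1 if the list is too long to copy. */
int check_private_bin(const char *list, exists_fn exists, int debug) {
    char buf[1024];
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    int missing = 0;
    char path[512];
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (resolve_program(tok, exists, path, sizeof path) < 0) {
            missing++;
            if (debug)
                fprintf(stderr, "Warning: private-bin: %s not found in any bin directory\n", tok);
        }
    }
    return missing;
}

/* Constructed fake filesystem so the example runs offline (not real paths
   on any particular machine). */
static const char *fake_installed[] = {
    "/usr/bin/ls", "/usr/games/gnome-chess", "/usr/games/warzone2100", NULL
};
int fake_exists(const char *path) {
    for (int i = 0; fake_installed[i] != NULL; i++)
        if (strcmp(fake_installed[i], path) == 0) return 1;
    return 0;
}

int main(void) {
    int idx = resolve_index("warzone2100", fake_exists);
    printf("warzone2100 -> %s (directory index %d)\n",
           idx >= 0 ? resolve_path("warzone2100", fake_exists) : "not found", idx);
    int missing = check_private_bin("ls,gnome-chess,notinstalled", fake_exists, 1);
    printf("%d program(s) missing\n", missing);
    return 0;
}
```

Before the games directories were appended, `warzone2100` in the fake table would resolve to nothing even though `gnome-chess` is in the same directory; with them present both resolve, and only `notinstalled` is reported, and only under debug.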

Reference: github-starred/firejail#463