[PR #3676] [MERGED] Allow --tmpfs and --bind inside $HOME for unprivileged users #4846

Closed
opened 2026-05-05 10:27:37 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3676
Author: @rusty-snake
Created: 10/16/2020
Status: Merged
Merged: 10/25/2020
Merged by: @netblue30

Base: master ← Head: tmpfs-inside-home


📝 Commits (2)

  • 1ebdf89 Allow --tmpfs inside $HOME for unprivileged users
  • fb35ad6 Likewise allow --bind inside $HOME for users

📊 Changes

3 files changed (+23 additions, -9 deletions)


📝 RELNOTES (+3 -0)
📝 src/firejail/fs.c (+8 -0)
📝 src/firejail/profile.c (+12 -9)

📄 Description

--tmpfs was added in 0.9.14 and restricted to root only in 0.9.38
due to priv-esc CVE-2016-10117 (e.g. --tmpfs=/etc and modify
/etc/sudoers). This commit reintroduces it for normal users, if the
realpath of it is inside the user's home.

BTW: Could we not allow tmpfs completely if nnp is enforced?


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
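The "realpath inside the user's home" rule the description relies on is easy to get subtly wrong, so here is an added example in C of how such a check can be written. It is not firejail's own code from fs.c or profile.c: the pure check `path_inside_home` handles the path-component boundary (so `/home/alice2/x` is not treated as inside `/home/alice`), and `resolved_inside_home` canonicalises both sides with realpath(3) so a symlink or `..` under $HOME that points at /etc is rejected. The function names and the scratch-directory layout built under /tmp are assumptions made for this demonstration.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pure containment check on already-resolved absolute paths: returns 1 if
 * `path` is `home` itself or lies strictly below it, 0 otherwise. Checking
 * the character after the prefix is what stops "/home/alice2" from being
 * accepted as inside "/home/alice". */
int path_inside_home(const char *path, const char *home) {
    size_t hlen = strlen(home);
    if (hlen == 0 || home[0] != '/' || path[0] != '/')
        return 0;
    /* tolerate a trailing slash on home, but never treat "/" as a home */
    while (hlen > 1 && home[hlen - 1] == '/')
        hlen--;
    if (hlen == 1)
        return 0;
    if (strncmp(path, home, hlen) != 0)
        return 0;
    return path[hlen] == '\0' || path[hlen] == '/';
}

/* Resolve both sides with realpath(3) so symlinks and ".." components are
 * canonicalised before comparing; anything that cannot be resolved is
 * rejected rather than guessed at. */
int resolved_inside_home(const char *path, const char *home) {
    char rpath[PATH_MAX], rhome[PATH_MAX];
    if (realpath(path, rpath) == NULL || realpath(home, rhome) == NULL)
        return 0;
    return path_inside_home(rpath, rhome);
}

/* Constructed demonstration in a scratch directory (an assumption for this
 * example): a symlink inside the fake home that points outside it must be
 * rejected, while a real subdirectory is accepted. Returns 1 when both hold,
 * 0 when the check misbehaves, -1 if the scratch layout could not be built. */
int demo_symlink_escape(void) {
    char tmpl[] = "/tmp/fj-home-demo-XXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL)
        return -1;
    char home[PATH_MAX], etc[PATH_MAX], lnk[PATH_MAX], sub[PATH_MAX];
    snprintf(home, sizeof home, "%s/home", root);
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(lnk, sizeof lnk, "%s/escape", home);   /* symlink -> <root>/etc */
    snprintf(sub, sizeof sub, "%s/.cache", home);   /* genuine subdirectory */
    if (mkdir(home, 0700) || mkdir(etc, 0700) || mkdir(sub, 0700) ||
        symlink(etc, lnk))
        return -1;
    int ok = !resolved_inside_home(lnk, home) && resolved_inside_home(sub, home);
    /* best-effort cleanup of the scratch layout */
    unlink(lnk); rmdir(sub); rmdir(etc); rmdir(home); rmdir(root);
    return ok;
}

int main(void) {
    /* a bare prefix compare accepts the sibling home; the boundary check does not */
    printf("naive strncmp accepts /home/alice2/x for /home/alice: %d\n",
           strncmp("/home/alice2/x", "/home/alice", strlen("/home/alice")) == 0);
    printf("path_inside_home(/home/alice2/x, /home/alice) = %d\n",
           path_inside_home("/home/alice2/x", "/home/alice"));
    printf("symlink escape rejected and real subdir accepted: %d\n",
           demo_symlink_escape());
    return 0;
}
```

The two failure modes worth keeping in mind when reviewing a check like this are the ones the example exercises: comparing the raw argument instead of its resolved form (a symlink under $HOME defeats the prefix test), and comparing the prefix without checking that it ends on a path separator.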
