[GH-ISSUE #764] python-wand not starting with /sbin blacklisted #514

Closed
opened 2026-05-05 06:01:48 -06:00 by gitea-mirror · 4 comments

Originally created by @filippog on GitHub (Sep 5, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/764

hi,
python-wand fails to start with firejail and `--blacklist=/sbin`, initially discovered as part of https://gerrit.wikimedia.org/r/#/c/308542/

```
# firejail --version
firejail version 0.9.40
# dpkg-query -W python-wand
python-wand     0.3.8-2
# firejail --blacklist=/sbin python -c 'import wand.image as image'
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 6664, child pid 6665
The new log directory is /proc/6665/root/var/log
Warning: masking /etc/firejail disabled when starting the sandbox as root

Child process initialized
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/wand/image.py", line 20, in <module>
    from .api import MagickPixelPacket, libc, libmagick, library
  File "/usr/lib/python2.7/dist-packages/wand/api.py", line 163, in <module>
    'Try to install:\n  ' + msg)
ImportError: MagickWand shared library not found.
You probably had not installed ImageMagick library.
Try to install:
  apt-get install libmagickwand-dev

Parent is shutting down, bye...
```

@Fred-Barclay commented on GitHub (Sep 5, 2016):

Hi filippog. If I could hazard a guess (I don't have python-wand installed) it's because either python or python-wand is in /sbin, or requires something in /sbin. So this isn't a bug, but simply firejail doing what it's supposed to do (I think).

What happens when /sbin is not blacklisted?


@netblue30 commented on GitHub (Sep 5, 2016):

I am on Debian stable, python 2.7, wand installed. In a separate terminal I run "sudo firemon". This monitors all exec and fork calls for processes inside the sandbox. If I start the test program from http://docs.wand-py.org/en/0.4.3/ I get:

```
[...]
4:41:10 fork 13297 (netblue) python p.py 
    child 13330 python p.py 
14:41:10 exec 13330 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null 
14:41:10 fork 13330 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null 
    child 13331 sh -c /sbin/ldconfig -p 2>/dev/null 
14:41:10 exit 13331 (netblue)
14:41:10 exit 13330 (netblue)
14:41:10 fork 13297 (netblue) python p.py 
    child 13332 python p.py 
14:41:10 exec 13332 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpdvj4Nk 2>&1 -lMagickWand-Q8HDRI 
[...]
```

It tries to run /sbin/ldconfig and it fails. You would need to remove the "blacklist /sbin" from your profile, or you can use --noblacklist=/sbin on firejail command line:

```
$ firejail --noblacklist=/sbin python program.py
```
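
The diagnosis in the comment above can be automated. The following is an added example, not part of the original thread or of firejail: it scans firemon `exec` events for absolute paths that fall under a blacklisted directory. The names `blocked_execs` and `under` are hypothetical, and the line format is assumed to match the output quoted above.

```python
import posixpath
import re

# firemon exec event as quoted above: "HH:MM:SS exec PID (user) command line"
EXEC_RE = re.compile(r"^\s*\d{1,2}:\d{2}:\d{2}\s+exec\s+(\d+)\s+\((\S+)\)\s+(.*)$")
# Absolute path that starts a word; redirect targets such as 2>/dev/null
# are skipped because they follow '>' rather than whitespace.
PATH_RE = re.compile(r"(?:^|\s)(/[^\s;|&<>]+)")

# Lines copied from the firemon output quoted in the comment above.
SAMPLE_LOG = """\
14:41:10 exec 13330 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
14:41:10 fork 13330 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
    child 13331 sh -c /sbin/ldconfig -p 2>/dev/null
14:41:10 exit 13331 (netblue)
14:41:10 exec 13332 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpdvj4Nk 2>&1 -lMagickWand-Q8HDRI
"""


def under(path, directory):
    """True if path is directory itself or lies below it (symlinks are not resolved)."""
    path, directory = posixpath.normpath(path), posixpath.normpath(directory)
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def blocked_execs(log_text, blacklist):
    """Return (pid, path, blacklist_entry) for each exec event naming a blacklisted path."""
    hits = []
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if not m:
            continue  # fork/child/exit lines repeat or omit the command
        pid, _user, command = m.groups()
        for path in PATH_RE.findall(command):
            for entry in blacklist:
                if under(path, entry):
                    hits.append((int(pid), path, entry))
    return hits


if __name__ == "__main__":
    for pid, path, entry in blocked_execs(SAMPLE_LOG, ["/sbin"]):
        print(f"pid {pid}: {path} is hidden by blacklist {entry}")
```

Running it against a firemon capture taken without the blacklist shows which helper binaries a profile change would hide before the change is deployed.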

@filippog commented on GitHub (Sep 6, 2016):

Thanks @netblue30 and @Fred-Barclay for your help! It indeed looks like it is python ctypes calling `/sbin/ldconfig`; from my POV this issue is resolved, unless you want to add the ctypes / sbin issue somewhere in the documentation (?)


@netblue30 commented on GitHub (Sep 6, 2016):

You're welcome.
