[GH-ISSUE #778] Cannot Start /usr/local/bin/<prog> Using private-bin Profiles (v0.9.42 Regression) #524

Closed
opened 2026-05-05 06:03:02 -06:00 by gitea-mirror · 3 comments

Originally created by @svgeof4695 on GitHub (Sep 14, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/778

I have custom wrapper scripts in /usr/local/bin to launch firejailed programs. When I try to use the new profiles in v0.9.42, I cannot launch programs that use private-bin. Here is an example:

/usr/local/bin/eog:

```sh
#!/bin/sh
firejail --profile=/home/me/backedup/firejail/eog.profile /usr/bin/eog "$@"
```

/home/me/backedup/firejail/eog.profile:
This is eom.profile except with "eom" replaced with "eog" (both the config file location and the private-bin entry).

When I run "eog" (which will be /usr/local/bin/eog based on my path), firejail tries to start it and then terminates. I experimented with the config and found private-bin to be the offending line. When I rename /usr/local/bin/eog to /usr/local/bin/eog2, and then try to launch eog from bash with the wrapper script's command above, everything works. What I think is happening is firejail tries to put /usr/local/bin/eog into the jail, then tries to run it, but it can't because neither firejail nor the real eog exist.

This regression may be related to https://github.com/netblue30/firejail/issues/422 that requested that /usr/local/bin be used in firejail's paths.

The workaround for me is to remove private-bin from my profiles, but I then lose this very useful feature. Please note that before v0.9.42, I did not use the private-bin feature. I only started using it because it showed up in the included profiles, so maybe this has been an unreported problem for others. In any case, I am calling this a regression because the 0.9.40 profiles did not ship using private-bin but the 0.9.42 ones do.

Before someone asks, I tried using the symlink method for /usr/local/bin found here originally: https://l3net.wordpress.com/2016/02/04/firejail-0-9-38-release-announcement/. I never got this to work because firejail would not find my profile in ~/.config/firejail (I currently have that directory symlinked elsewhere, but I don't remember it ever working), so I had to create wrapper scripts that told firejail with a hard path where my profile was located (using '~' didn't work either).

FYI, I also did the command line private-bin examples (e.g., the one with bash, ls, and sed) to make sure the feature worked, and I had no problem there. Like I said, I think firejail doesn't understand what files it needs to copy into the jail. I tried hardcoded paths like /usr/bin/eog using the --private-bin switch and in the profile, but that doesn't seem to make a difference (I don't know if firejail looks at that). I think a switch or profile option to let firejail know which version to copy in to the private-bin would work, too (or an ignore if it's better/safer).

Also, thank you netblue30 for your work here and also thank you to the other contributors! I really love this tool!

gitea-mirror 2026-05-05 06:03:02 -06:00 closed this issue and added the bug label

@netblue30 commented on GitHub (Sep 15, 2016):

/usr/local/bin is included in the search list for --private-bin. Firejail will find eog in /usr/local/bin and it will not bother to look further. I'll add a configuration option in /etc/firejail/firejail.config file to remove /usr/local/bin from the search list. This should fix the problem with eog.

> ~/.config/firejail (I currently have that directory symlinked elsewhere, but I don't remember it ever working)

This should work fine. I also keep .config directory symlinked outside, in a /transfer/.config directory:

```
$ ls -al ~ | grep config
lrwxrwxrwx  1 netblue netblue     17 Sep 15 10:34 .config -> /transfer/.config
```

Then, when I start a program it will grab the profile from ~/.config/firejail directory:

```
$ firejail simutrans
Reading profile /home/netblue/.config/firejail/simutrans.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
```
@svgeof4695 commented on GitHub (Sep 16, 2016):

Thanks for looking at this. I think adding the configuration option will solve the problem, too. People who need to use /usr/local/bin for that program will be able to use it, and those who don't can turn off that search.

For the symlinked config directory, I will have to verify that again. It was a few versions ago, and I have noticed that some stuff I recall not working properly that involved symlinks started working as I would have expected them. I prefer using the config file and would like to have /usr/local/bin/eog linked to /usr/bin/firejail instead since it means a little less maintenance on my side.

@netblue30 commented on GitHub (Sep 17, 2016):

All fixed. In /etc/firejail/firejail.config set "private-bin-no-local yes".

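The following is an added example, not firejail's code and not code posted by anyone in this thread. It emulates, on a constructed temp directory, the lookup the maintainer describes: --private-bin walks a fixed list of directories, takes the first executable named eog it finds, and so picks the wrapper in /usr/local/bin over the real program in /usr/bin. It then applies the equivalent of `private-bin-no-local yes` and resolves again. The search order (/usr/local/bin, /usr/bin, /bin), the yes/no syntax of the option and the `#`-comment convention of firejail.config are assumptions taken from the maintainer's comments, not verified against the firejail source. The `is_firejail_wrapper` check is the audit a practitioner wants before enabling private-bin on a system with launcher scripts: a script that calls firejail cannot run inside the jail, because firejail itself is not one of the files copied in.

```sh
#!/bin/sh
# Added example, not firejail's own code: emulate how --private-bin resolves a
# program name across its search directories, and show why a wrapper script in
# /usr/local/bin that itself calls firejail shadows the real /usr/bin binary.
# Everything (directory layout, wrapper, config file) is constructed under a
# temp root; the search order is assumed from the maintainer's description.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/local/bin" "$ROOT/usr/bin" "$ROOT/bin" "$ROOT/etc/firejail"
CFG="$ROOT/etc/firejail/firejail.config"

# The wrapper from the issue, as it sits in /usr/local/bin.
cat > "$ROOT/usr/local/bin/eog" <<'EOF'
#!/bin/sh
firejail --profile=/home/me/backedup/firejail/eog.profile /usr/bin/eog "$@"
EOF
# Stand-in for the real program (constructed; only its location matters).
printf '\177ELF stand-in for /usr/bin/eog\n' > "$ROOT/usr/bin/eog"
chmod +x "$ROOT/usr/local/bin/eog" "$ROOT/usr/bin/eog"

# Value of private-bin-no-local in a firejail.config; "no" when absent.
# Assumption: the key takes yes/no and '#' starts a comment line.
no_local_setting() {
    val=$(grep -E '^[[:space:]]*private-bin-no-local[[:space:]]+(yes|no)' "$1" \
          | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-no}"
}

# Directories consulted, in order; /usr/local/bin leads unless the option
# removes it (assumed order, matching "it will not bother to look further").
search_dirs() {
    [ "$(no_local_setting "$1")" = yes ] || printf '%s\n' "$ROOT/usr/local/bin"
    printf '%s\n' "$ROOT/usr/bin" "$ROOT/bin"
}

# First executable regular file named $1 in the search list wins.
resolve_private_bin() {
    name=$1; cfg=$2
    for d in $(search_dirs "$cfg"); do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# A script that invokes firejail cannot work inside the jail: firejail itself
# is not among the files private-bin copies in.
is_firejail_wrapper() {
    [ "$(head -c 2 "$1")" = '#!' ] &&
        grep -Eq '^[[:space:]]*(exec[[:space:]]+)?firejail([[:space:]]|$)' "$1"
}

# Default config: the wrapper shadows the real binary.
printf '# constructed firejail.config, option left at its default\n' > "$CFG"
DEFAULT_PICK=$(resolve_private_bin eog "$CFG")

# The fix from the thread: drop /usr/local/bin from the search list.
printf 'private-bin-no-local yes\n' > "$CFG"
FIXED_PICK=$(resolve_private_bin eog "$CFG")

echo "default:              $DEFAULT_PICK"
echo "private-bin-no-local: $FIXED_PICK"
if is_firejail_wrapper "$DEFAULT_PICK"; then
    echo "default pick is a firejail wrapper; it would fail inside the jail"
fi
```

Run it with `sh` from any directory; it touches nothing outside its temp root. On a real system the second run corresponds to adding the line `private-bin-no-local yes` to /etc/firejail/firejail.config, as the maintainer states. Pointing `is_firejail_wrapper` at each file in the real /usr/local/bin is a quick way to find every launcher that would be copied into a private-bin jail in place of the program it wraps.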
Reference: github-starred/firejail#524