github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #863] private-bin: use actual files instead of symbolic links #588

New issue
Closed
opened 2026-05-05 06:13:49 -06:00 by gitea-mirror · 9 comments
gitea-mirror commented 2026-05-05 06:13:49 -06:00
Owner
Copy link

Originally created by @GabrielH0we on GitHub (Oct 17, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/863

Trying to run winetricks and wine under Slackware with private-bin. (firejail-0.9.44-rc1)

I have serveral symbolic links in /usr/bin folder, which lead to actual executables in /bin folder.
Winetricks with firejail doesn't want to run symbolic links. It asks for actual files.

So, I didn't only need to add all required executables to private-bin, but I also needed to remove all symbolic links for those executables from /usr/bin folder and replace them with actual files.

Like rm /usr/bin/which && cp /bin/which /usr/bin/which

Only after that I could successfully run firejail winetricks list-installed

It looks like firejail problem, because if added to private-bin file in /usr/bin folder is not executable, winetricks doesn't have any problems with it.

My current private-bin config is

private-bin winetricks,wine,sha1sum,which,mktemp,ln,dirname,rm,chmod,tar,ln,echo,mkdir,sh,shasum,sha1sum,dirname,wineserver,tr,grep,uname,ls,sed,pwd,basename,sha1sum,wine-preloader,sort,find
Originally created by @GabrielH0we on GitHub (Oct 17, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/863 Trying to run winetricks and wine under Slackware with private-bin. (firejail-0.9.44-rc1) I have serveral symbolic links in /usr/bin folder, which lead to actual executables in /bin folder. Winetricks with firejail doesn't want to run symbolic links. It asks for actual files. So, I didn't only need to add all required executables to private-bin, but I also needed to remove all symbolic links for those executables from /usr/bin folder and replace them with actual files. Like `rm /usr/bin/which && cp /bin/which /usr/bin/which` Only after that I could successfully run `firejail winetricks list-installed` It looks like firejail problem, because if added to private-bin file in /usr/bin folder is not executable, winetricks doesn't have any problems with it. My current private-bin config is ``` private-bin winetricks,wine,sha1sum,which,mktemp,ln,dirname,rm,chmod,tar,ln,echo,mkdir,sh,shasum,sha1sum,dirname,wineserver,tr,grep,uname,ls,sed,pwd,basename,sha1sum,wine-preloader,sort,find ```
gitea-mirror 2026-05-05 06:13:49 -06:00
gitea-mirror commented 2026-05-05 06:13:54 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Oct 17, 2016):

Can you provide the actual output from Winetricks? It seems like a Winetricks-specific problem since LibreOffice also uses a symlink (to a binary in /usr/lib) and it works fine. It would also seem that since the symlinks and binaries have the same name, firejail is getting confused when scanning for files to add to private-bin (since both /bin and /usr/bin are in the scan path).

<!-- gh-comment-id:254181905 --> @chiraag-nataraj commented on GitHub (Oct 17, 2016): Can you provide the actual output from Winetricks? It seems like a Winetricks-specific problem since LibreOffice also uses a symlink (to a binary in `/usr/lib`) and it works fine. It would also seem that since the symlinks and binaries have the same name, firejail is getting confused when scanning for files to add to `private-bin` (since both `/bin` and `/usr/bin` are in the scan path).
gitea-mirror commented 2026-05-05 06:13:57 -06:00
Author
Owner
Copy link

@GabrielH0we commented on GitHub (Oct 17, 2016):

Here is what I see after

# rm /usr/bin/dirname
# ln -s /bin/dirname /usr/bin/dirname
# rm /usr/bin/sha1sum
# ln -s /bin/sha1sum /usr/bin/sha1sum

bash-4.4$ firejail winetricks list-installed
Reading profile /home/mograt/.config/firejail/winetricks.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 13769, child pid 13770
Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum
Warning cannot create symbolic link /run/firejail/mnt/bin/dirname
Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum
Child process initialized
/usr/local/bin/winetricks: line 4554: dirname: command not found
/usr/local/bin/winetricks: line 291: cd: : Permission denied
------------------------------------------------------
Note: command cd  returned status 1.  Aborting.
------------------------------------------------------
------------------------------------------------------
No sha1sum utility available.
------------------------------------------------------

Parent is shutting down, bye...

Same with --debug

bash-4.4$ firejail --debug winetricks list-installed
Autoselecting /bin/bash as shell
Command name #winetricks#
Found winetricks profile in /home/mograt/.config/firejail directory
Reading profile /home/mograt/.config/firejail/winetricks.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Checking /usr/local/bin/winetricks
firejail exec symlink detected
Checking /usr/bin/winetricks
Checking /usr/local/bin/wine
firejail exec symlink detected
Checking /usr/bin/wine
Checking /usr/local/bin/sha1sum
Checking /usr/bin/sha1sum
Checking /usr/local/bin/which
Checking /usr/bin/which
Checking /usr/local/bin/mktemp
Checking /usr/bin/mktemp
Checking /usr/local/bin/ln
Checking /usr/bin/ln
Checking /usr/local/bin/dirname
Checking /usr/bin/dirname
Checking /usr/local/bin/rm
Checking /usr/bin/rm
Checking /usr/local/bin/chmod
Checking /usr/bin/chmod
Checking /usr/local/bin/tar
Checking /usr/bin/tar
Checking /usr/local/bin/ln
Checking /usr/bin/ln
Checking /usr/local/bin/echo
Checking /usr/bin/echo
Checking /usr/local/bin/mkdir
Checking /usr/bin/mkdir
Checking /usr/local/bin/sh
Checking /usr/bin/sh
Checking /bin/sh
Checking /usr/local/bin/shasum
Checking /usr/bin/shasum
Checking /usr/local/bin/sha1sum
Checking /usr/bin/sha1sum
Checking /usr/local/bin/dirname
Checking /usr/bin/dirname
Checking /usr/local/bin/wineserver
Checking /usr/bin/wineserver
Checking /usr/local/bin/tr
Checking /usr/bin/tr
Checking /usr/local/bin/grep
Checking /usr/bin/grep
Checking /usr/local/bin/uname
Checking /usr/bin/uname
Checking /usr/local/bin/ls
Checking /usr/bin/ls
Checking /usr/local/bin/sed
Checking /usr/bin/sed
Checking /usr/local/bin/pwd
Checking /usr/bin/pwd
Checking /usr/local/bin/basename
Checking /usr/bin/basename
Checking /usr/local/bin/sha1sum
Checking /usr/bin/sha1sum
Checking /usr/local/bin/wine-preloader
Checking /usr/bin/wine-preloader
Checking /usr/local/bin/sort
Checking /usr/bin/sort
Checking /usr/local/bin/find
Checking /usr/bin/find
Checking /usr/local/bin/cat
Checking /usr/bin/cat
Checking /usr/local/bin/basename
Checking /usr/bin/basename
Checking /usr/local/bin/du
Checking /usr/bin/du
Checking /usr/local/bin/cut
Checking /usr/bin/cut
Checking /usr/local/bin/test
Checking /usr/bin/test
Checking /usr/local/bin/mv
Checking /usr/bin/mv
Checking /usr/local/bin/wget
Checking /usr/bin/wget
Checking /usr/local/bin/ntlm_auth
Checking /usr/bin/ntlm_auth
Checking /usr/local/bin/chmod
Checking /usr/bin/chmod
Checking /usr/local/bin/cabextract
Checking /usr/bin/cabextract
Checking /usr/local/bin/cp
Checking /usr/bin/cp
Checking /etc/X11
Checking /etc/fonts
Checking /etc/resolv.conf
DISPLAY :0.0, 0
Using the local network stack
Parent pid 14012, child pid 14013
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mograt/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
Create /dev/shm directory
Copying files in the new etc directory:
running: /run/firejail/mnt/cp -a --parents /etc/X11 /run/firejail/mnt
running: /run/firejail/mnt/cp -a --parents /etc/fonts /run/firejail/mnt
running: /run/firejail/mnt/cp -a --parents /etc/resolv.conf /run/firejail/mnt
Mount-bind /run/firejail/mnt/etc on top of /etc
Copying files in the new home:
Checking /usr/local/bin/winetricks
firejail exec symlink detected
Checking /usr/bin/winetricks
running: /run/firejail/mnt/cp -a /usr/bin/winetricks /run/firejail/mnt/bin/winetricksChecking /usr/local/bin/wine
firejail exec symlink detected
Checking /usr/bin/wine
running: /run/firejail/mnt/cp -a /usr/bin/wine /run/firejail/mnt/bin/wineChecking /usr/local/bin/sha1sum
Checking /usr/bin/sha1sum
Created symbolic link /run/firejail/mnt/bin/sha1sum -> /bin/sha1sum
Checking /usr/local/bin/which
Checking /usr/bin/which
running: /run/firejail/mnt/cp -a /usr/bin/which /run/firejail/mnt/bin/whichChecking /usr/local/bin/mktemp
Checking /usr/bin/mktemp
running: /run/firejail/mnt/cp -a /usr/bin/mktemp /run/firejail/mnt/bin/mktempChecking /usr/local/bin/ln
Checking /usr/bin/ln
running: /run/firejail/mnt/cp -a /usr/bin/ln /run/firejail/mnt/bin/lnChecking /usr/local/bin/dirname
Checking /usr/bin/dirname
Created symbolic link /run/firejail/mnt/bin/dirname -> /bin/dirname
Checking /usr/local/bin/rm
Checking /usr/bin/rm
running: /run/firejail/mnt/cp -a /usr/bin/rm /run/firejail/mnt/bin/rmChecking /usr/local/bin/chmod
Checking /usr/bin/chmod
running: /run/firejail/mnt/cp -a /usr/bin/chmod /run/firejail/mnt/bin/chmodChecking /usr/local/bin/tar
Checking /usr/bin/tar
Created symbolic link /run/firejail/mnt/bin/tar -> /bin/tar
Checking /usr/local/bin/ln
Checking /usr/bin/ln
running: /run/firejail/mnt/cp -a /usr/bin/ln /run/firejail/mnt/bin/lnChecking /usr/local/bin/echo
Checking /usr/bin/echo
Created symbolic link /run/firejail/mnt/bin/echo -> /bin/echo
Checking /usr/local/bin/mkdir
Checking /usr/bin/mkdir
running: /run/firejail/mnt/cp -a /usr/bin/mkdir /run/firejail/mnt/bin/mkdirChecking /usr/local/bin/sh
Checking /usr/bin/sh
Checking /bin/sh
running: /run/firejail/mnt/cp -a /bin/bash /run/firejail/mnt/bin/shChecking /usr/local/bin/shasum
Checking /usr/bin/shasum
running: /run/firejail/mnt/cp -a /usr/bin/shasum /run/firejail/mnt/bin/shasumChecking /usr/local/bin/sha1sum
Checking /usr/bin/sha1sum
Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum
Checking /usr/local/bin/dirname
Checking /usr/bin/dirname
Warning cannot create symbolic link /run/firejail/mnt/bin/dirname
Checking /usr/local/bin/wineserver
Checking /usr/bin/wineserver
running: /run/firejail/mnt/cp -a /usr/bin/wineserver /run/firejail/mnt/bin/wineserverChecking /usr/local/bin/tr
Checking /usr/bin/tr
running: /run/firejail/mnt/cp -a /usr/bin/tr /run/firejail/mnt/bin/trChecking /usr/local/bin/grep
Checking /usr/bin/grep
running: /run/firejail/mnt/cp -a /usr/bin/grep /run/firejail/mnt/bin/grepChecking /usr/local/bin/uname
Checking /usr/bin/uname
Created symbolic link /run/firejail/mnt/bin/uname -> /bin/uname
Checking /usr/local/bin/ls
Checking /usr/bin/ls
Created symbolic link /run/firejail/mnt/bin/ls -> /bin/ls
Checking /usr/local/bin/sed
Checking /usr/bin/sed
running: /run/firejail/mnt/cp -a /usr/bin/sed /run/firejail/mnt/bin/sedChecking /usr/local/bin/pwd
Checking /usr/bin/pwd
Created symbolic link /run/firejail/mnt/bin/pwd -> /bin/pwd
Checking /usr/local/bin/basename
Checking /usr/bin/basename
running: /run/firejail/mnt/cp -a /usr/bin/basename /run/firejail/mnt/bin/basenameChecking /usr/local/bin/sha1sum
Checking /usr/bin/sha1sum
Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum
Checking /usr/local/bin/wine-preloader
Checking /usr/bin/wine-preloader
running: /run/firejail/mnt/cp -a /usr/bin/wine-preloader /run/firejail/mnt/bin/wine-preloaderChecking /usr/local/bin/sort
Checking /usr/bin/sort
running: /run/firejail/mnt/cp -a /usr/bin/sort /run/firejail/mnt/bin/sortChecking /usr/local/bin/find
Checking /usr/bin/find
running: /run/firejail/mnt/cp -a /usr/bin/find /run/firejail/mnt/bin/findChecking /usr/local/bin/cat
Checking /usr/bin/cat
running: /run/firejail/mnt/cp -a /usr/bin/cat /run/firejail/mnt/bin/catChecking /usr/local/bin/basename
Checking /usr/bin/basename
running: /run/firejail/mnt/cp -a /usr/bin/basename /run/firejail/mnt/bin/basenameChecking /usr/local/bin/du
Checking /usr/bin/du
running: /run/firejail/mnt/cp -a /usr/bin/du /run/firejail/mnt/bin/duChecking /usr/local/bin/cut
Checking /usr/bin/cut
running: /run/firejail/mnt/cp -a /usr/bin/cut /run/firejail/mnt/bin/cutChecking /usr/local/bin/test
Checking /usr/bin/test
running: /run/firejail/mnt/cp -a /usr/bin/test /run/firejail/mnt/bin/testChecking /usr/local/bin/mv
Checking /usr/bin/mv
running: /run/firejail/mnt/cp -a /usr/bin/mv /run/firejail/mnt/bin/mvChecking /usr/local/bin/wget
Checking /usr/bin/wget
running: /run/firejail/mnt/cp -a /usr/bin/wget /run/firejail/mnt/bin/wgetChecking /usr/local/bin/ntlm_auth
Checking /usr/bin/ntlm_auth
running: /run/firejail/mnt/cp -a /usr/bin/ntlm_auth /run/firejail/mnt/bin/ntlm_authChecking /usr/local/bin/chmod
Checking /usr/bin/chmod
running: /run/firejail/mnt/cp -a /usr/bin/chmod /run/firejail/mnt/bin/chmodChecking /usr/local/bin/cabextract
Checking /usr/bin/cabextract
running: /run/firejail/mnt/cp -a /usr/bin/cabextract /run/firejail/mnt/bin/cabextractChecking /usr/local/bin/cp
Checking /usr/bin/cp
running: /run/firejail/mnt/cp -a /usr/bin/cp /run/firejail/mnt/bin/cpMount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/fs
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/src/linux-4.7.7
Disable /lib/modules
Disable /boot
Disable /proc/kmsg
Debug 349: new_name #/tmp/.X11-unix#
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Disable /home/mograt/.bash_history
Mounting read-only /home/mograt/.local/share/applications
Disable /home/mograt/.xinitrc
Disable /home/mograt/.config/autostart
Disable /var/spool/cron
Disable /var/run/acpid.socket
Mounting read-only /home/mograt/.xinitrc
Mounting read-only /home/mograt/.xscreensaver
Disable /home/mograt/.gnupg
Disable /sbin
Disable /usr/sbin
Disable /usr/local/sbin
Not blacklist /home/mograt/.wine
Disable /home/mograt/.gimp-2.8
Disable /home/mograt/.config/deadbeef
Disable /home/mograt/.config/mpv
Disable /home/mograt/.mozilla
Disable /home/mograt/.config/chromium
Disable /home/mograt/.config/filezilla
Not blacklist /home/mograt/.steam
Disable /home/mograt/.cache/mozilla
Disable /home/mograt/.cache/chromium
Not blacklist /home/mograt/.local/share/steam
Disable /usr/include
Disable /usr/share/perl5
DISPLAY :0.0, 0
Dropping all capabilities
Dual i386/amd64 seccomp filter configured
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  BLACKLIST 165 mount
  BLACKLIST 166 umount2
  BLACKLIST 101 ptrace
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 175 init_module
  BLACKLIST 313 finit_module
  BLACKLIST 174 create_module
  BLACKLIST 176 delete_module
  BLACKLIST 172 iopl
  BLACKLIST 173 ioperm
  BLACKLIST 251 ioprio_set
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 103 syslog
  BLACKLIST 310 process_vm_readv
  BLACKLIST 311 process_vm_writev
  BLACKLIST 139 sysfs
  BLACKLIST 156 _sysctl
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 134 uselib
  BLACKLIST 163 acct
  BLACKLIST 154 modify_ldt
  BLACKLIST 155 pivot_root
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 237 mbind
  BLACKLIST 239 get_mempolicy
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 161 chroot
  BLACKLIST 184 tuxcall
  BLACKLIST 169 reboot
  BLACKLIST 180 nfsservctl
  BLACKLIST 177 get_kernel_syms
  RETURN_ALLOW
Save seccomp filter, size 880 bytes
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
execvp argument 0: winetricks
execvp argument 1: list-installed
Child process initialized
monitoring pid 37

/usr/local/bin/winetricks: line 4554: dirname: command not found
/usr/local/bin/winetricks: line 291: cd: : Permission denied
------------------------------------------------------
Note: command cd  returned status 1.  Aborting.
------------------------------------------------------
------------------------------------------------------
No sha1sum utility available.
------------------------------------------------------
Sandbox monitor: waitpid 37 retval 37 status 256

Parent is shutting down, bye...
<!-- gh-comment-id:254201819 --> @GabrielH0we commented on GitHub (Oct 17, 2016): Here is what I see after ``` # rm /usr/bin/dirname # ln -s /bin/dirname /usr/bin/dirname # rm /usr/bin/sha1sum # ln -s /bin/sha1sum /usr/bin/sha1sum ``` ``` bash-4.4$ firejail winetricks list-installed Reading profile /home/mograt/.config/firejail/winetricks.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-devel.inc Parent pid 13769, child pid 13770 Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum Warning cannot create symbolic link /run/firejail/mnt/bin/dirname Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum Child process initialized /usr/local/bin/winetricks: line 4554: dirname: command not found /usr/local/bin/winetricks: line 291: cd: : Permission denied ------------------------------------------------------ Note: command cd returned status 1. Aborting. ------------------------------------------------------ ------------------------------------------------------ No sha1sum utility available. ------------------------------------------------------ Parent is shutting down, bye... ``` Same with --debug ``` bash-4.4$ firejail --debug winetricks list-installed Autoselecting /bin/bash as shell Command name #winetricks# Found winetricks profile in /home/mograt/.config/firejail directory Reading profile /home/mograt/.config/firejail/winetricks.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-devel.inc Checking /usr/local/bin/winetricks firejail exec symlink detected Checking /usr/bin/winetricks Checking /usr/local/bin/wine firejail exec symlink detected Checking /usr/bin/wine Checking /usr/local/bin/sha1sum Checking /usr/bin/sha1sum Checking /usr/local/bin/which Checking /usr/bin/which Checking /usr/local/bin/mktemp Checking /usr/bin/mktemp Checking /usr/local/bin/ln Checking /usr/bin/ln Checking /usr/local/bin/dirname Checking /usr/bin/dirname Checking /usr/local/bin/rm Checking /usr/bin/rm Checking /usr/local/bin/chmod Checking /usr/bin/chmod Checking /usr/local/bin/tar Checking /usr/bin/tar Checking /usr/local/bin/ln Checking /usr/bin/ln Checking /usr/local/bin/echo Checking /usr/bin/echo Checking /usr/local/bin/mkdir Checking /usr/bin/mkdir Checking /usr/local/bin/sh Checking /usr/bin/sh Checking /bin/sh Checking /usr/local/bin/shasum Checking /usr/bin/shasum Checking /usr/local/bin/sha1sum Checking /usr/bin/sha1sum Checking /usr/local/bin/dirname Checking /usr/bin/dirname Checking /usr/local/bin/wineserver Checking /usr/bin/wineserver Checking /usr/local/bin/tr Checking /usr/bin/tr Checking /usr/local/bin/grep Checking /usr/bin/grep Checking /usr/local/bin/uname Checking /usr/bin/uname Checking /usr/local/bin/ls Checking /usr/bin/ls Checking /usr/local/bin/sed Checking /usr/bin/sed Checking /usr/local/bin/pwd Checking /usr/bin/pwd Checking /usr/local/bin/basename Checking /usr/bin/basename Checking /usr/local/bin/sha1sum Checking /usr/bin/sha1sum Checking /usr/local/bin/wine-preloader Checking /usr/bin/wine-preloader Checking /usr/local/bin/sort Checking /usr/bin/sort Checking /usr/local/bin/find Checking /usr/bin/find Checking /usr/local/bin/cat Checking /usr/bin/cat Checking /usr/local/bin/basename Checking /usr/bin/basename Checking /usr/local/bin/du Checking /usr/bin/du Checking /usr/local/bin/cut Checking /usr/bin/cut Checking /usr/local/bin/test Checking /usr/bin/test Checking /usr/local/bin/mv Checking /usr/bin/mv Checking /usr/local/bin/wget Checking /usr/bin/wget Checking /usr/local/bin/ntlm_auth Checking /usr/bin/ntlm_auth Checking /usr/local/bin/chmod Checking /usr/bin/chmod Checking /usr/local/bin/cabextract Checking /usr/bin/cabextract Checking /usr/local/bin/cp Checking /usr/bin/cp Checking /etc/X11 Checking /etc/fonts Checking /etc/resolv.conf DISPLAY :0.0, 0 Using the local network stack Parent pid 14012, child pid 14013 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Cleaning /home directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /home/mograt/.config/firejail Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/x11 Mounting tmpfs on /dev mounting /run/firejail/mnt/dev/snd directory mounting /run/firejail/mnt/dev/dri directory Create /dev/shm directory Copying files in the new etc directory: running: /run/firejail/mnt/cp -a --parents /etc/X11 /run/firejail/mnt running: /run/firejail/mnt/cp -a --parents /etc/fonts /run/firejail/mnt running: /run/firejail/mnt/cp -a --parents /etc/resolv.conf /run/firejail/mnt Mount-bind /run/firejail/mnt/etc on top of /etc Copying files in the new home: Checking /usr/local/bin/winetricks firejail exec symlink detected Checking /usr/bin/winetricks running: /run/firejail/mnt/cp -a /usr/bin/winetricks /run/firejail/mnt/bin/winetricksChecking /usr/local/bin/wine firejail exec symlink detected Checking /usr/bin/wine running: /run/firejail/mnt/cp -a /usr/bin/wine /run/firejail/mnt/bin/wineChecking /usr/local/bin/sha1sum Checking /usr/bin/sha1sum Created symbolic link /run/firejail/mnt/bin/sha1sum -> /bin/sha1sum Checking /usr/local/bin/which Checking /usr/bin/which running: /run/firejail/mnt/cp -a /usr/bin/which /run/firejail/mnt/bin/whichChecking /usr/local/bin/mktemp Checking /usr/bin/mktemp running: /run/firejail/mnt/cp -a /usr/bin/mktemp /run/firejail/mnt/bin/mktempChecking /usr/local/bin/ln Checking /usr/bin/ln running: /run/firejail/mnt/cp -a /usr/bin/ln /run/firejail/mnt/bin/lnChecking /usr/local/bin/dirname Checking /usr/bin/dirname Created symbolic link /run/firejail/mnt/bin/dirname -> /bin/dirname Checking /usr/local/bin/rm Checking /usr/bin/rm running: /run/firejail/mnt/cp -a /usr/bin/rm /run/firejail/mnt/bin/rmChecking /usr/local/bin/chmod Checking /usr/bin/chmod running: /run/firejail/mnt/cp -a /usr/bin/chmod /run/firejail/mnt/bin/chmodChecking /usr/local/bin/tar Checking /usr/bin/tar Created symbolic link /run/firejail/mnt/bin/tar -> /bin/tar Checking /usr/local/bin/ln Checking /usr/bin/ln running: /run/firejail/mnt/cp -a /usr/bin/ln /run/firejail/mnt/bin/lnChecking /usr/local/bin/echo Checking /usr/bin/echo Created symbolic link /run/firejail/mnt/bin/echo -> /bin/echo Checking /usr/local/bin/mkdir Checking /usr/bin/mkdir running: /run/firejail/mnt/cp -a /usr/bin/mkdir /run/firejail/mnt/bin/mkdirChecking /usr/local/bin/sh Checking /usr/bin/sh Checking /bin/sh running: /run/firejail/mnt/cp -a /bin/bash /run/firejail/mnt/bin/shChecking /usr/local/bin/shasum Checking /usr/bin/shasum running: /run/firejail/mnt/cp -a /usr/bin/shasum /run/firejail/mnt/bin/shasumChecking /usr/local/bin/sha1sum Checking /usr/bin/sha1sum Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum Checking /usr/local/bin/dirname Checking /usr/bin/dirname Warning cannot create symbolic link /run/firejail/mnt/bin/dirname Checking /usr/local/bin/wineserver Checking /usr/bin/wineserver running: /run/firejail/mnt/cp -a /usr/bin/wineserver /run/firejail/mnt/bin/wineserverChecking /usr/local/bin/tr Checking /usr/bin/tr running: /run/firejail/mnt/cp -a /usr/bin/tr /run/firejail/mnt/bin/trChecking /usr/local/bin/grep Checking /usr/bin/grep running: /run/firejail/mnt/cp -a /usr/bin/grep /run/firejail/mnt/bin/grepChecking /usr/local/bin/uname Checking /usr/bin/uname Created symbolic link /run/firejail/mnt/bin/uname -> /bin/uname Checking /usr/local/bin/ls Checking /usr/bin/ls Created symbolic link /run/firejail/mnt/bin/ls -> /bin/ls Checking /usr/local/bin/sed Checking /usr/bin/sed running: /run/firejail/mnt/cp -a /usr/bin/sed /run/firejail/mnt/bin/sedChecking /usr/local/bin/pwd Checking /usr/bin/pwd Created symbolic link /run/firejail/mnt/bin/pwd -> /bin/pwd Checking /usr/local/bin/basename Checking /usr/bin/basename running: /run/firejail/mnt/cp -a /usr/bin/basename /run/firejail/mnt/bin/basenameChecking /usr/local/bin/sha1sum Checking /usr/bin/sha1sum Warning cannot create symbolic link /run/firejail/mnt/bin/sha1sum Checking /usr/local/bin/wine-preloader Checking /usr/bin/wine-preloader running: /run/firejail/mnt/cp -a /usr/bin/wine-preloader /run/firejail/mnt/bin/wine-preloaderChecking /usr/local/bin/sort Checking /usr/bin/sort running: /run/firejail/mnt/cp -a /usr/bin/sort /run/firejail/mnt/bin/sortChecking /usr/local/bin/find Checking /usr/bin/find running: /run/firejail/mnt/cp -a /usr/bin/find /run/firejail/mnt/bin/findChecking /usr/local/bin/cat Checking /usr/bin/cat running: /run/firejail/mnt/cp -a /usr/bin/cat /run/firejail/mnt/bin/catChecking /usr/local/bin/basename Checking /usr/bin/basename running: /run/firejail/mnt/cp -a /usr/bin/basename /run/firejail/mnt/bin/basenameChecking /usr/local/bin/du Checking /usr/bin/du running: /run/firejail/mnt/cp -a /usr/bin/du /run/firejail/mnt/bin/duChecking /usr/local/bin/cut Checking /usr/bin/cut running: /run/firejail/mnt/cp -a /usr/bin/cut /run/firejail/mnt/bin/cutChecking /usr/local/bin/test Checking /usr/bin/test running: /run/firejail/mnt/cp -a /usr/bin/test /run/firejail/mnt/bin/testChecking /usr/local/bin/mv Checking /usr/bin/mv running: /run/firejail/mnt/cp -a /usr/bin/mv /run/firejail/mnt/bin/mvChecking /usr/local/bin/wget Checking /usr/bin/wget running: /run/firejail/mnt/cp -a /usr/bin/wget /run/firejail/mnt/bin/wgetChecking /usr/local/bin/ntlm_auth Checking /usr/bin/ntlm_auth running: /run/firejail/mnt/cp -a /usr/bin/ntlm_auth /run/firejail/mnt/bin/ntlm_authChecking /usr/local/bin/chmod Checking /usr/bin/chmod running: /run/firejail/mnt/cp -a /usr/bin/chmod /run/firejail/mnt/bin/chmodChecking /usr/local/bin/cabextract Checking /usr/bin/cabextract running: /run/firejail/mnt/cp -a /usr/bin/cabextract /run/firejail/mnt/bin/cabextractChecking /usr/local/bin/cp Checking /usr/bin/cp running: /run/firejail/mnt/cp -a /usr/bin/cp /run/firejail/mnt/bin/cpMount-bind /run/firejail/mnt/bin on top of /usr/local/bin Mount-bind /run/firejail/mnt/bin on top of /usr/bin Mount-bind /run/firejail/mnt/bin on top of /bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/games Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin Mount-bind /run/firejail/mnt/bin on top of /usr/sbin Mount-bind /run/firejail/mnt/bin on top of /sbin Remounting /proc and /proc/sys filesystems Remounting /sys directory Disable /sys/firmware Disable /sys/fs Disable /sys/module Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/config.gz Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/src/linux-4.7.7 Disable /lib/modules Disable /boot Disable /proc/kmsg Debug 349: new_name #/tmp/.X11-unix# Mounting tmpfs on /tmp directory Whitelisting /tmp/.X11-unix Disable /home/mograt/.bash_history Mounting read-only /home/mograt/.local/share/applications Disable /home/mograt/.xinitrc Disable /home/mograt/.config/autostart Disable /var/spool/cron Disable /var/run/acpid.socket Mounting read-only /home/mograt/.xinitrc Mounting read-only /home/mograt/.xscreensaver Disable /home/mograt/.gnupg Disable /sbin Disable /usr/sbin Disable /usr/local/sbin Not blacklist /home/mograt/.wine Disable /home/mograt/.gimp-2.8 Disable /home/mograt/.config/deadbeef Disable /home/mograt/.config/mpv Disable /home/mograt/.mozilla Disable /home/mograt/.config/chromium Disable /home/mograt/.config/filezilla Not blacklist /home/mograt/.steam Disable /home/mograt/.cache/mozilla Disable /home/mograt/.cache/chromium Not blacklist /home/mograt/.local/share/steam Disable /usr/include Disable /usr/share/perl5 DISPLAY :0.0, 0 Dropping all capabilities Dual i386/amd64 seccomp filter configured SECCOMP Filter: VALIDATE_ARCHITECTURE EXAMINE_SYSCAL UNKNOWN ENTRY!!! UNKNOWN ENTRY!!! UNKNOWN ENTRY!!! BLACKLIST 165 mount BLACKLIST 166 umount2 BLACKLIST 101 ptrace BLACKLIST 246 kexec_load BLACKLIST 320 kexec_file_load BLACKLIST 304 open_by_handle_at BLACKLIST 303 name_to_handle_at BLACKLIST 175 init_module BLACKLIST 313 finit_module BLACKLIST 174 create_module BLACKLIST 176 delete_module BLACKLIST 172 iopl BLACKLIST 173 ioperm BLACKLIST 251 ioprio_set BLACKLIST 167 swapon BLACKLIST 168 swapoff BLACKLIST 103 syslog BLACKLIST 310 process_vm_readv BLACKLIST 311 process_vm_writev BLACKLIST 139 sysfs BLACKLIST 156 _sysctl BLACKLIST 159 adjtimex BLACKLIST 305 clock_adjtime BLACKLIST 212 lookup_dcookie BLACKLIST 298 perf_event_open BLACKLIST 300 fanotify_init BLACKLIST 312 kcmp BLACKLIST 248 add_key BLACKLIST 249 request_key BLACKLIST 250 keyctl BLACKLIST 134 uselib BLACKLIST 163 acct BLACKLIST 154 modify_ldt BLACKLIST 155 pivot_root BLACKLIST 206 io_setup BLACKLIST 207 io_destroy BLACKLIST 208 io_getevents BLACKLIST 209 io_submit BLACKLIST 210 io_cancel BLACKLIST 216 remap_file_pages BLACKLIST 237 mbind BLACKLIST 239 get_mempolicy BLACKLIST 238 set_mempolicy BLACKLIST 256 migrate_pages BLACKLIST 279 move_pages BLACKLIST 278 vmsplice BLACKLIST 161 chroot BLACKLIST 184 tuxcall BLACKLIST 169 reboot BLACKLIST 180 nfsservctl BLACKLIST 177 get_kernel_syms RETURN_ALLOW Save seccomp filter, size 880 bytes noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set execvp argument 0: winetricks execvp argument 1: list-installed Child process initialized monitoring pid 37 /usr/local/bin/winetricks: line 4554: dirname: command not found /usr/local/bin/winetricks: line 291: cd: : Permission denied ------------------------------------------------------ Note: command cd returned status 1. Aborting. ------------------------------------------------------ ------------------------------------------------------ No sha1sum utility available. ------------------------------------------------------ Sandbox monitor: waitpid 37 retval 37 status 256 Parent is shutting down, bye... ```
gitea-mirror commented 2026-05-05 06:13:59 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Oct 17, 2016):

Hmmm...I see. So, for example, here's my output of ls -lh /usr/bin/libreoffice:

lrwxrwxrwx 1 65534 65534 34 Sep 23 01:24 /usr/bin/libreoffice -> ../lib/libreoffice/program/soffice

and here's my output of ls -lh /usr/bin/which

lrwxrwxrwx. 1 65534 65534 10 Apr 27  2015 /usr/bin/which -> /bin/which

and here's the relevant section of my (debug) output when I append which to the private-bin of my libreoffice profile:

Copying files in the new home:
Checking /usr/local/bin/sh
Checking /usr/bin/sh
Checking /bin/sh
running: /run/firejail/mnt/cp -a /bin/dash /run/firejail/mnt/bin/shChecking /usr/local/bin/libreoffice
Checking /usr/bin/libreoffice
Created symbolic link /run/firejail/mnt/bin/libreoffice -> /usr/lib/libreoffice/program/soffice
Checking /usr/local/bin/dirname
Checking /usr/bin/dirname
running: /run/firejail/mnt/cp -a /usr/bin/dirname /run/firejail/mnt/bin/dirnameChecking /usr/local/bin/grep
Checking /usr/bin/grep
Checking /bin/grep
running: /run/firejail/mnt/cp -a /bin/grep /run/firejail/mnt/bin/grepChecking /usr/local/bin/uname
Checking /usr/bin/uname
Checking /bin/uname
running: /run/firejail/mnt/cp -a /bin/uname /run/firejail/mnt/bin/unameChecking /usr/local/bin/ls
Checking /usr/bin/ls
Checking /bin/ls
running: /run/firejail/mnt/cp -a /bin/ls /run/firejail/mnt/bin/lsChecking /usr/local/bin/sed
Checking /usr/bin/sed
Checking /bin/sed
running: /run/firejail/mnt/cp -a /bin/sed /run/firejail/mnt/bin/sedChecking /usr/local/bin/pwd
Checking /usr/bin/pwd
Checking /bin/pwd
running: /run/firejail/mnt/cp -a /bin/pwd /run/firejail/mnt/bin/pwdChecking /usr/local/bin/basename
Checking /usr/bin/basename
running: /run/firejail/mnt/cp -a /usr/bin/basename /run/firejail/mnt/bin/basenameChecking /usr/local/bin/dbus-launch
Checking /usr/bin/dbus-launch
running: /run/firejail/mnt/cp -a /usr/bin/dbus-launch /run/firejail/mnt/bin/dbus-launchChecking /usr/local/bin/dbus-send
Checking /usr/bin/dbus-send
running: /run/firejail/mnt/cp -a /usr/bin/dbus-send /run/firejail/mnt/bin/dbus-sendChecking /usr/local/bin/fcitx-dbus-watcher
Checking /usr/bin/fcitx-dbus-watcher
running: /run/firejail/mnt/cp -a /usr/bin/fcitx-dbus-watcher /run/firejail/mnt/bin/fcitx-dbus-watcherChecking /usr/local/bin/fcitx-remote
Checking /usr/bin/fcitx-remote
running: /run/firejail/mnt/cp -a /usr/bin/fcitx-remote /run/firejail/mnt/bin/fcitx-remoteChecking /usr/local/bin/which
Checking /usr/bin/which
Created symbolic link /run/firejail/mnt/bin/which -> /bin/which

Do /bin/dirname and /bin/sha1sum exist on your machine? Which version of firejail are you using?

<!-- gh-comment-id:254210349 --> @chiraag-nataraj commented on GitHub (Oct 17, 2016): Hmmm...I see. So, for example, here's my output of `ls -lh /usr/bin/libreoffice`: ``` lrwxrwxrwx 1 65534 65534 34 Sep 23 01:24 /usr/bin/libreoffice -> ../lib/libreoffice/program/soffice ``` and here's my output of `ls -lh /usr/bin/which` ``` lrwxrwxrwx. 1 65534 65534 10 Apr 27 2015 /usr/bin/which -> /bin/which ``` and here's the relevant section of my (debug) output when I append `which` to the `private-bin` of my `libreoffice` profile: ``` Copying files in the new home: Checking /usr/local/bin/sh Checking /usr/bin/sh Checking /bin/sh running: /run/firejail/mnt/cp -a /bin/dash /run/firejail/mnt/bin/shChecking /usr/local/bin/libreoffice Checking /usr/bin/libreoffice Created symbolic link /run/firejail/mnt/bin/libreoffice -> /usr/lib/libreoffice/program/soffice Checking /usr/local/bin/dirname Checking /usr/bin/dirname running: /run/firejail/mnt/cp -a /usr/bin/dirname /run/firejail/mnt/bin/dirnameChecking /usr/local/bin/grep Checking /usr/bin/grep Checking /bin/grep running: /run/firejail/mnt/cp -a /bin/grep /run/firejail/mnt/bin/grepChecking /usr/local/bin/uname Checking /usr/bin/uname Checking /bin/uname running: /run/firejail/mnt/cp -a /bin/uname /run/firejail/mnt/bin/unameChecking /usr/local/bin/ls Checking /usr/bin/ls Checking /bin/ls running: /run/firejail/mnt/cp -a /bin/ls /run/firejail/mnt/bin/lsChecking /usr/local/bin/sed Checking /usr/bin/sed Checking /bin/sed running: /run/firejail/mnt/cp -a /bin/sed /run/firejail/mnt/bin/sedChecking /usr/local/bin/pwd Checking /usr/bin/pwd Checking /bin/pwd running: /run/firejail/mnt/cp -a /bin/pwd /run/firejail/mnt/bin/pwdChecking /usr/local/bin/basename Checking /usr/bin/basename running: /run/firejail/mnt/cp -a /usr/bin/basename /run/firejail/mnt/bin/basenameChecking /usr/local/bin/dbus-launch Checking /usr/bin/dbus-launch running: /run/firejail/mnt/cp -a /usr/bin/dbus-launch /run/firejail/mnt/bin/dbus-launchChecking /usr/local/bin/dbus-send Checking /usr/bin/dbus-send running: /run/firejail/mnt/cp -a /usr/bin/dbus-send /run/firejail/mnt/bin/dbus-sendChecking /usr/local/bin/fcitx-dbus-watcher Checking /usr/bin/fcitx-dbus-watcher running: /run/firejail/mnt/cp -a /usr/bin/fcitx-dbus-watcher /run/firejail/mnt/bin/fcitx-dbus-watcherChecking /usr/local/bin/fcitx-remote Checking /usr/bin/fcitx-remote running: /run/firejail/mnt/cp -a /usr/bin/fcitx-remote /run/firejail/mnt/bin/fcitx-remoteChecking /usr/local/bin/which Checking /usr/bin/which Created symbolic link /run/firejail/mnt/bin/which -> /bin/which ``` Do `/bin/dirname` and `/bin/sha1sum` exist on your machine? Which version of firejail are you using?
gitea-mirror commented 2026-05-05 06:14:00 -06:00
Author
Owner
Copy link

@GabrielH0we commented on GitHub (Oct 17, 2016):

Its 0.9.44-rc1.
/bin/dirname and /bin/sha1sum do exist on my machine.

bash-4.4$ ls /bin/dirname /bin/sha1sum -oh
-rwxr-xr-x 1 root 31K Apr 17  2016 /bin/dirname
-rwxr-xr-x 1 root 43K Apr 17  2016 /bin/sha1sum

But it's not about files in /bin. It's about symlinks in /usr/bin to files in /bin. After I replace symlinks in /usr/bin with files from /bin winetricks have no problem running.

<!-- gh-comment-id:254212902 --> @GabrielH0we commented on GitHub (Oct 17, 2016): Its 0.9.44-rc1. `/bin/dirname` and `/bin/sha1sum` do exist on my machine. ``` bash-4.4$ ls /bin/dirname /bin/sha1sum -oh -rwxr-xr-x 1 root 31K Apr 17 2016 /bin/dirname -rwxr-xr-x 1 root 43K Apr 17 2016 /bin/sha1sum ``` But it's not about files in `/bin`. It's about symlinks in `/usr/bin` to files in `/bin`. After I replace symlinks in `/usr/bin` with files from `/bin` winetricks have no problem running.
gitea-mirror commented 2026-05-05 06:14:03 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Oct 17, 2016):

But it's not about files in /bin. It's about symlinks in /usr/bin to files in /bin. After I replace symlinks in /usr/bin with files from /bin winetricks have no problem running.

So the interesting thing is that when I did that with which (in my example), firejail had no problem. Can you post your full profile (please attach as a txt file) so that this is easier to debug?

<!-- gh-comment-id:254343016 --> @chiraag-nataraj commented on GitHub (Oct 17, 2016): > But it's not about files in /bin. It's about symlinks in /usr/bin to files in /bin. After I replace symlinks in /usr/bin with files from /bin winetricks have no problem running. So the interesting thing is that when I did that with `which` (in my example), firejail had no problem. Can you post your full profile (please attach as a txt file) so that this is easier to debug?
gitea-mirror commented 2026-05-05 06:14:06 -06:00
Author
Owner
Copy link

@GabrielH0we commented on GitHub (Oct 18, 2016):

Current winetricks profile.
winetricks.txt

<!-- gh-comment-id:254383535 --> @GabrielH0we commented on GitHub (Oct 18, 2016): Current winetricks profile. [winetricks.txt](https://github.com/netblue30/firejail/files/535089/winetricks.txt)
gitea-mirror commented 2026-05-05 06:14:07 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Oct 18, 2016):

Huh, so okay. It's interesting - basically, I think my first intuition was right. If you load up a shell (sh is fine) and whitelist ls (so you can examine the directory), you will see that /bin/which points to.../bin/which. That obviously is a bit of a problem and is the root cause of what you are seeing. Let me experiment a bit and update this comment.
[Edit] Huh. @netblue30, this would seem to be a bug of sorts. Basically, whitelisting a binary that is a symlink to another directory included in the private-bin path leads to a circular symlink without actual access to the binary.

<!-- gh-comment-id:254393628 --> @chiraag-nataraj commented on GitHub (Oct 18, 2016): Huh, so okay. It's interesting - basically, I think my first intuition was right. If you load up a shell (`sh` is fine) and whitelist `ls` (so you can examine the directory), you will see that `/bin/which` points to...`/bin/which`. That obviously is a bit of a problem and is the root cause of what you are seeing. Let me experiment a bit and update this comment. [Edit] Huh. @netblue30, this would seem to be a bug of sorts. Basically, whitelisting a binary that is a symlink to another directory included in the `private-bin` path leads to a circular symlink without actual access to the binary.
gitea-mirror commented 2026-05-05 06:14:10 -06:00
Author
Owner
Copy link

@Khady commented on GitHub (Feb 7, 2017):

Hi. I'm facing this issue too. I see that this issue is closed, but there is no explanation. Is there a fix?

<!-- gh-comment-id:277935514 --> @Khady commented on GitHub (Feb 7, 2017): Hi. I'm facing this issue too. I see that this issue is closed, but there is no explanation. Is there a fix?
gitea-mirror commented 2026-05-05 06:14:11 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Feb 8, 2017):

I would say open a new bug. I don't remember what was the fix here.

<!-- gh-comment-id:278407635 --> @netblue30 commented on GitHub (Feb 8, 2017): I would say open a new bug. I don't remember what was the fix here.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#588
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?