[GH-ISSUE #968] 'configuration file should be owned by root' error #656

Closed
opened 2026-05-05 06:22:22 -06:00 by gitea-mirror · 3 comments

Originally created by @ghost on GitHub (Dec 12, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/968

Hi, in a few firejails I need a www browser, firefox in my case. Before commit 9a7acfd771 this worked without problems. Including the aforementioned commit firejail shows an error about root needing to own the config profile (of the www browser I assume) and opening links in firefox fails. As the commit relates to the firejail prompt, I tested with/without setting the env var FIREJAIL_PROMPT="yes". Both yield the same result.

I'll show what happens with liferea for brevity here.

$ lsb_release -d
Description: Arch Linux

$ pacman -Qi firejail-git | grep Version
Version : r1929.f541d8b-1

$ firejail --version
firejail version 0.9.45

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

$ cat ~/.config/firejail/liferea.profile
#+ liferea profile

dns 127.0.0.1

#+ grants
whitelist ${HOME}/.cache/liferea
whitelist ${HOME}/.config/liferea
whitelist ${HOME}/.liferea
whitelist ${HOME}/.local/share/liferea

#+ external downloader via digitalocean droplet
whitelist ${HOME}/.aria2
noblacklist ${HOME}/.ssh
whitelist ${HOME}/.ssh

#+ www browser
whitelist ${HOME}/.adobe
whitelist ${HOME}/.cache/mozplugger
whitelist ${HOME}/.config/freshwrapper.conf
whitelist ${HOME}/.config/freshwrapper-data
whitelist ${HOME}/.devzone
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/plugins
whitelist ${HOME}/.macromedia
whitelist ${HOME}/Downloads
#+ custom view-source editor
whitelist ${HOME}/.config/geany

#+ system-wide profile
#+ compensations
ignore private-tmp

include /etc/firejail/firefox.profile

#+ sandbox name
name liferea

$ echo $FIREJAIL_PROMPT
yes

$ firejail liferea
...
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. /home/glitsj16/.devzone/00.firefox/firefox will run without any additional sandboxing features
Error: configuration file should be owned by root

gitea-mirror closed this issue and added the bug label on 2026-05-05 06:22:22 -06:00.

@netblue30 commented on GitHub (Dec 13, 2016):

You are already running in a sandbox, so your second sandbox is killed by the first sandbox. This is why you get "configuration file should be owned by root".


@ghost commented on GitHub (Dec 13, 2016):

Thanks for replying. I realize that the second sandbox is killed while running inside the first. The warning about that has been there since I started to use firejail. Yet, before commit 9a7acfd771, I never saw 'Error: configuration file should be owned by root' and opening links in the browser always worked just fine. After the recent commit it no longer does, hence I reported the issue. When reverting it, things return to past behavior, so I'm left puzzled by what's causing things to break using the latest git code.


@netblue30 commented on GitHub (Dec 14, 2016):

You are right, this thing got broken by that particular commit, thanks for the report. All fixed now.
