[GH-ISSUE #8] LD_LIBRARY_PATH unset in firejail environment

gitea-mirror commented

2026-05-05 04:43:32 -06:00

Owner

Originally created by @boltronics on GitHub (Aug 10, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/8

I have Midori (for example) which I have built from source and installed into its own prefix for testing. eg. binaries in ${HOME}/opt/midori/bin, libs in ${HOME}/opt/midori/lib/x86_64-linux-gnu, etc. I have ${HOME}/opt/midori/lib-related stuff in my LD_LIBRARY_PATH so the binary can find the shared libraries. Sometimes I do this for binaries where I don't want to use root privileges to install it, and I don't have time to create a package, and it's exactly the kind of thing I'd like to use with firejail.

Unfortunately firejail breaks breaks with this setup, as it seems the LD_LIBRARY_PATH environment variable is silently dropped. I understand this is probably for security, but it would be great if you could either tell firejail to not do this in the profile via a profile option, or to have the ability to specify a custom LD_LIBRARY_PATH environment variable for the jail in the application profile. Both would be wonderful. :)

As a workaround, I need to update all shortcuts to have firejail LD_LIBRARY_PATH=.... midori which I feel is quite cumbersome.

Originally created by @boltronics on GitHub (Aug 10, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/8 I have Midori (for example) which I have built from source and installed into its own prefix for testing. eg. binaries in `${HOME}/opt/midori/bin`, libs in `${HOME}/opt/midori/lib/x86_64-linux-gnu`, etc. I have `${HOME}/opt/midori/lib`-related stuff in my `LD_LIBRARY_PATH` so the binary can find the shared libraries. Sometimes I do this for binaries where I don't want to use root privileges to install it, and I don't have time to create a package, and it's exactly the kind of thing I'd like to use with firejail. Unfortunately firejail breaks breaks with this setup, as it seems the `LD_LIBRARY_PATH` environment variable is silently dropped. I understand this is probably for security, but it would be great if you could either tell firejail to not do this in the profile via a profile option, or to have the ability to specify a custom `LD_LIBRARY_PATH` environment variable for the jail in the application profile. Both would be wonderful. :) As a workaround, I need to update all shortcuts to have `firejail LD_LIBRARY_PATH=.... midori` which I feel is quite cumbersome.

gitea-mirror added the

enhancement

label 2026-05-05 04:43:32 -06:00

gitea-mirror referenced this issue

2026-05-05 04:43:32 -06:00

[GH-ISSUE #7] Option to disable suid calls, except to firejail #8

gitea-mirror closed this issue

2026-05-05 04:43:35 -06:00

gitea-mirror commented

2026-05-05 04:43:38 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 10, 2015):

I'll have to investigate it. Yes, to do "firejail LD_LIBRARY_PATH=.... midori" all over the place would be ugly. Thanks.

@netblue30 commented on GitHub (Aug 10, 2015): I'll have to investigate it. Yes, to do "firejail LD_LIBRARY_PATH=.... midori" all over the place would be ugly. Thanks.

gitea-mirror commented

2026-05-05 04:43:41 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 24, 2015):

I've just added a --env option. Examples:

$ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
$ firejail --env="-W -Wall -Werror"

@netblue30 commented on GitHub (Aug 24, 2015): I've just added a --env option. Examples: ``` $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib $ firejail --env="-W -Wall -Werror" ```

gitea-mirror commented

2026-05-05 04:43:45 -06:00

Author

Owner

@boltronics commented on GitHub (Aug 25, 2015):

Hmm... so instead of
firejail LD_LIBRARY_PATH=/opt/test/lib midori
we now do
firejail --env=LD_LIBRARY_PATH=/opt/test/lib midori
? I appreciate your work, but that seems longer to me.

I don't know what $ firejail --env="-W -Wall -Werror" would do.

I believe most environment variables get through, just not LD_LIBRARY_PATH which needs to be treated specially with firejail. eg.

boltron@localhost:~$ export ZZZ=Test
boltron@localhost:~$ export LD_LIBRARY_PATH="/home/boltron/lib"
boltron@localhost:~$ firejail
Parent pid 10771, child pid 10772
Child process initialized
[boltron@localhost ~]$ echo $ZZZ
Test
[boltron@localhost ~]$ echo $LD_LIBRARY_PATH
[boltron@localhost ~]$

I feel this is inconsistent behaviour.

If there is a good reason for not changing this, can we perhaps instead have the required argument as firejail --env_pass=LD_LIBRARY_PATH:OTHER_VAR command (so the environment variable(s) is/are simply inherited)? And ideally the equivalent options in the profile config so shortcuts need not all require an update. But personally I feel we shouldn't have the inconsistent behaviour with

Sorry for all the work requests!

@boltronics commented on GitHub (Aug 25, 2015): Hmm... so instead of `firejail LD_LIBRARY_PATH=/opt/test/lib midori` we now do `firejail --env=LD_LIBRARY_PATH=/opt/test/lib midori` ? I appreciate your work, but that seems longer to me. I don't know what `$ firejail --env="-W -Wall -Werror"` would do. I believe most environment variables get through, just not LD_LIBRARY_PATH which needs to be treated specially with firejail. eg. ``` boltron@localhost:~$ export ZZZ=Test boltron@localhost:~$ export LD_LIBRARY_PATH="/home/boltron/lib" boltron@localhost:~$ firejail Parent pid 10771, child pid 10772 Child process initialized [boltron@localhost ~]$ echo $ZZZ Test [boltron@localhost ~]$ echo $LD_LIBRARY_PATH [boltron@localhost ~]$ ``` I feel this is inconsistent behaviour. If there is a good reason for not changing this, can we perhaps instead have the required argument as `firejail --env_pass=LD_LIBRARY_PATH:OTHER_VAR command` (so the environment variable(s) is/are simply inherited)? And ideally the equivalent options in the profile config so shortcuts need not all require an update. But personally I feel we shouldn't have the inconsistent behaviour with Sorry for all the work requests!

gitea-mirror commented

2026-05-05 04:43:48 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 25, 2015):

firejail LD_LIBRARY_PATH=/opt/test/lib midori
firejail --env=LD_LIBRARY_PATH=/opt/test/lib midori

Both of them are working, use what is most convenient for you.

LD_LIBRARY_PATH is removed from the environment by the loader.By the time firejail starts, the variable is already gone. This is standard functionality in all unixes, take a look at "man ld.so".

@netblue30 commented on GitHub (Aug 25, 2015): ``` firejail LD_LIBRARY_PATH=/opt/test/lib midori firejail --env=LD_LIBRARY_PATH=/opt/test/lib midori ``` Both of them are working, use what is most convenient for you. LD_LIBRARY_PATH is removed from the environment by the loader.By the time firejail starts, the variable is already gone. This is standard functionality in all unixes, take a look at "man ld.so".

gitea-mirror commented

2026-05-05 04:43:51 -06:00

Author

Owner

@boltronics commented on GitHub (Aug 25, 2015):

Got it. Confirming, making an ELF binary SUID causes LD_LIBRARY_PATH to be unset for security, which makes sense - since we need to be concerned with the security of firejail itself, not so much about the unprivileged process running under it.

It's trivial to make a wrapper to handle this. For anyone else with this issue, name the following script fj or something and call that instead.

#!/bin/sh                                                                            

if [ -n "${*}" ]
then
    profile="${HOME}/.config/firejail/${1}.profile"
    if [ -f "${profile}" ]
    then
        firejail --profile="${profile}" --name="${1}" \
            LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ${@}
    else
        firejail --name="${1}" LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ${@}
    fi

else
    firejail LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ${SHELL}
fi

@boltronics commented on GitHub (Aug 25, 2015): Got it. Confirming, making an ELF binary SUID causes LD_LIBRARY_PATH to be unset for security, which makes sense - since we need to be concerned with the security of firejail itself, not so much about the unprivileged process running under it. It's trivial to make a wrapper to handle this. For anyone else with this issue, name the following script `fj` or something and call that instead. ``` #!/bin/sh if [ -n "${*}" ] then profile="${HOME}/.config/firejail/${1}.profile" if [ -f "${profile}" ] then firejail --profile="${profile}" --name="${1}" \ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ${@} else firejail --name="${1}" LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ${@} fi else firejail LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ${SHELL} fi ```

gitea-mirror commented

2026-05-05 04:43:53 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 26, 2015):

Thanks

@netblue30 commented on GitHub (Aug 26, 2015): Thanks

gitea-mirror referenced this issue

2026-05-05 05:06:26 -06:00

[GH-ISSUE #175] using links in sandboxed firefox #121

Rows
Columns

[GH-ISSUE #8] LD_LIBRARY_PATH unset in firejail environment #7