[GH-ISSUE #1066] Trying to run firejail on Heroku (existing sandbox was detected) #726

Closed
opened 2026-05-05 06:31:51 -06:00 by gitea-mirror · 2 comments

Originally created by @xrisk on GitHub (Jan 23, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1066

Hi, I'm trying to run firejail on Heroku and I get:

```
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. python will run without any additional sandboxing features
Child process initialized
```

Is there some technical difficulty that prevents running a sandbox inside a sandbox? I am looking to use the `--net=non` option to create a safe way to run 3rd party code.

Is there some way to do it?


@netblue30 commented on GitHub (Jan 24, 2017):

Yes, you need to use --force when you start the second sandbox. The first sandbox should be permissive enough so you can start the second one (use --noprofile):

```
$ firejail --noprofile
Parent pid 2454, child pid 2455
Child process initialized
[netblue@debian firejail]$ firejail --force --net=none
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 7, child pid 8
Child process initialized
[netblue@debian firejail]$ 
```

You can also move --net=none from the second sandbox to the first one:

```
$ firejail --net=none --noprofile
Parent pid 2498, child pid 2499
Child process initialized
[netblue@debian firejail]$ firejail --force
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 8, child pid 9
Child process initialized
[netblue@debian firejail]$ 
```

@xrisk commented on GitHub (Jan 26, 2017):

Hi, it appears that Heroku's outer sandbox does not allow setting euid/eguid and thus I cannot use firejail on Heroku.

Thanks for your help!
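
A preflight that a wrapper could run before handing third-party code to firejail, added here as an example (it is not part of the thread and not firejail's own code). It checks two usual reasons a setuid binary cannot gain root inside a container, `no_new_privs` and a `nosuid` mount, which are assumptions because the thread does not say what Heroku applies, and it flags the warnings quoted in this issue as a fail-open start; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for a setuid firejail inside a container. Not firejail code.

# nnp_set STATUS_FILE: true if NoNewPrivs is 1 (execve then ignores setuid bits).
nnp_set() {
    [ "$(awk '$1 == "NoNewPrivs:" { print $2 }' "$1")" = "1" ]
}

# mount_opts PATH MOUNTS_FILE: options of the longest mount point containing PATH.
mount_opts() {
    awk -v p="$1" '
        { m = $2; pre = (m == "/") ? "/" : m "/" }
        (p == m || index(p, pre) == 1) && length(m) >= best { best = length(m); o = $4 }
        END { print o }' "$2"
}

# fail_open LOG_FILE: true if firejail's stderr shows it started the program
# without the requested sandboxing (the two warnings quoted in this thread).
fail_open() {
    grep -q -e 'cannot switch euid to root' \
            -e 'will run without any additional sandboxing features' "$1"
}

# preflight BIN STATUS_FILE MOUNTS_FILE: print each blocker, return 1 if any.
preflight() {
    rc=0
    [ -u "$1" ] || { echo "$1: setuid bit is not set"; rc=1; }
    nnp_set "$2" && { echo "no_new_privs is set for this process"; rc=1; }
    case ",$(mount_opts "$1" "$3")," in
        *,nosuid,*) echo "$1 is on a nosuid mount"; rc=1 ;;
    esac
    return "$rc"
}

# Check the live system only when asked: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    preflight "$(command -v firejail)" /proc/self/status /proc/mounts
fi
```

When `fail_open` matches the captured stderr, the wrapper should stop the child rather than let the untrusted program continue without `--net=none`.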
