github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1123] allow --net only for sandboxes started (or configured) by root #772

New issue

Closed

opened 2026-05-05 06:37:53 -06:00 by gitea-mirror · 6 comments

gitea-mirror commented

2026-05-05 06:37:53 -06:00

Owner

Originally created by @testbird on GitHub (Mar 4, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1123

Hi netblue, separating this into a proper issue.

Using the SUID firejail, a regular user can access the network even if it is blocked for the host. Using --net is like connecting new boxes to the network.

May be it is possible to only allow to directly configure (non-local) --net configurations for root (and all users with preexisting permissions) and make all others depend on root owned profiles? (Kind of executing part of firejail setup code under NO_NEW_PRIVS, exept when reading a root owned profiles.)

Originally created by @testbird on GitHub (Mar 4, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1123 Hi netblue, separating this into a proper issue. Using the SUID firejail, a regular user can access the network even if it is blocked for the host. Using --net is like connecting new boxes to the network. May be it is possible to only allow to directly configure (non-local) --net configurations for root (and all users with preexisting permissions) and make all others depend on root owned profiles? (Kind of executing part of firejail setup code under NO_NEW_PRIVS, exept when reading a root owned profiles.)

gitea-mirror

2026-05-05 06:37:53 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 06:37:59 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 5, 2017):

It is already implemented. In a text editor open /etc/firejail/firejail.config and enable restricted-network:

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
restricted-network yes

@netblue30 commented on GitHub (Mar 5, 2017): It is already implemented. In a text editor open /etc/firejail/firejail.config and enable restricted-network: ````` # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. restricted-network yes `````

gitea-mirror commented

2026-05-05 06:38:01 -06:00

Author

Owner

@testbird commented on GitHub (Mar 5, 2017):

I see now. Sorry I missed that.
I am not sure why of if you consider the current default as a secure, though.

@testbird commented on GitHub (Mar 5, 2017): I see now. Sorry I missed that. I am not sure why of if you consider the current default as a secure, though.

gitea-mirror commented

2026-05-05 06:38:04 -06:00

Author

Owner

@testbird commented on GitHub (Mar 5, 2017):

I tried setting restricted-network yes.

However, this breaks sanboxes with network settings preconfigured in /etc/firejail/ (file owner root).

@testbird commented on GitHub (Mar 5, 2017): I tried setting `restricted-network yes`. However, this breaks sanboxes with network settings preconfigured in /etc/firejail/ (file owner root).

gitea-mirror commented

2026-05-05 06:38:06 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 10, 2017):

I configured "restricted-network yes", it seems to be working fine on wide range of applications. What problem are you seeing?

@netblue30 commented on GitHub (Mar 10, 2017): I configured "restricted-network yes", it seems to be working fine on wide range of applications. What problem are you seeing?

gitea-mirror commented

2026-05-05 06:38:09 -06:00

Author

Owner

@testbird commented on GitHub (Mar 10, 2017):

For example, user root configures networking in /etc/firejail/firefox.profile

With restricted-network yes, regular users can not use networking anymore (even with the configuration that root put into the sytem default .profile (broken functionality).

I think users should be allowed to use the setting from (root owned) profiles, while restricting users from (re)configuring sandboxes with arbitrary network configurations is ok, of course.

@testbird commented on GitHub (Mar 10, 2017): For example, user root configures networking in /etc/firejail/firefox.profile With ` restricted-network yes`, regular users can not use networking anymore (even with the configuration that root put into the sytem default .profile (broken functionality). I think users should be allowed to use the setting from (root owned) profiles, while restricting users from (re)configuring sandboxes with arbitrary network configurations is ok, of course.

gitea-mirror commented

2026-05-05 06:38:11 -06:00

Author

Owner

@testbird commented on GitHub (Mar 10, 2017):

The idea to make this universally save for all options, was to execute only the system profiles with full suid permissions, and the comand line and user profiles in a limited (non-suid) user environment.

@testbird commented on GitHub (Mar 10, 2017): The idea to make this universally save for all options, was to execute only the system profiles with full suid permissions, and the comand line and user profiles in a limited (non-suid) user environment.

gitea-mirror referenced this issue

2026-05-05 10:37:26 -06:00

[PR #5154] [MERGED] mkdeb.sh.in: pass remaining arguments to ./configure #5382

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#772

No description provided.

Rows
Columns