[GH-ISSUE #1127] --whitelist=~/.bashrc temporarily overwrites .bashrc #777

Closed
opened 2026-05-05 06:38:16 -06:00 by gitea-mirror · 13 comments

Originally created by @Fred-Barclay on GitHub (Mar 5, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1127

Originally assigned to: @chiraag-nataraj on GitHub.

This was brought to my attention by a chap on the Linux Mint forums. When doing something like the following, .bashrc is overwritten or overlayed inside the jail with a new, different .bashrc:

```
firejail --whitelist=~/.bashrc
firejail --noprofile --whitelist=~/.bashrc
```

Compare the following output for `firejail --noprofile --whitelist=~/.bashrc`:

Outside jail

```
$ tail .bashrc
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
export QT_STYLE_OVERRIDE=gtk
```

Inside jail

```
tail .bashrc
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
```

This is on Debian Jessie.

For the bloke who originally mentioned this, he has a far more drastic change on Arch Linux, from a very long .bashrc outside of firejail to just these lines inside:

```
#
# ~/.bashrc
#

# If not running interactively, don't do anything
[[ $- != *i* ]] && return

alias ls='ls --color=auto'
PS1='[\u@\h \W]\$ '
```

Debug output is at https://gist.github.com/Fred-Barclay/fa603fb1ff6dc3084b907e7f680bf3e2

I've done a bit of digging around but I can't figure out the cause. If it were due to the `read-only ${HOME}/.bashrc` line in etc/disable-common.inc then this shouldn't occur when I use `--noprofile`, right? But it does. 😕

Is this expected?

gitea-mirror 2026-05-05 06:38:16 -06:00 · closed this issue · added the bug label

@netblue30 commented on GitHub (Mar 7, 2017):

It is copying by default /etc/skel/.bashrc, I have to disable this when .bashrc is whitelisted. Thanks!


@chiraag-nataraj commented on GitHub (Jul 22, 2018):

Is this still around?


@Fred-Barclay commented on GitHub (Jul 22, 2018):

@chiraag-nataraj it is -- just tested on Arch.


@chiraag-nataraj commented on GitHub (Jul 22, 2018):

Oh man, okay. Yeah, I just confirmed as well. I think the problem is somewhere in fs_home.c? That code checks for the existence of .bashrc before copying, but for some reason it doesn't seem to work...a print statement there never prints.


@D-Nice commented on GitHub (Mar 2, 2019):

Still experiencing this!


@chiraag-nataraj commented on GitHub (May 21, 2019):

Thanks for the bump, I'll take a look.


@chiraag-nataraj commented on GitHub (May 21, 2019):

Hmm, if I do `firejail --noprofile` without any whitelist directives, I get my regular bash prompt. This is with current git master.


@chiraag-nataraj commented on GitHub (May 21, 2019):

Here's what I get when I do the following:

```
$ firejail --debug-whitelists --noprofile --whitelist=~/.bash_logout --whitelist=~/.bash_completion --whitelist=~/.bashrc --whitelist=~/.profile --whitelist=~/.config/bash/ bash
Parent pid 13335, child pid 13338
Debug 409: new_name #/home/chiraag/.bash_logout#, whitelist
real path /home/chiraag/.config/bash/bash_logout
Debug 517: fname #/home/chiraag/.config/bash/bash_logout#, cfg.homedir #/home/chiraag#
Replaced whitelist path: whitelist /home/chiraag/.config/bash/bash_logout
Debug 409: new_name #/home/chiraag/.bash_completion#, whitelist
real path /home/chiraag/.config/bash/bash_completion
Debug 517: fname #/home/chiraag/.config/bash/bash_completion#, cfg.homedir #/home/chiraag#
Replaced whitelist path: whitelist /home/chiraag/.config/bash/bash_completion
Debug 409: new_name #/home/chiraag/.bashrc#, whitelist
real path /home/chiraag/.config/bash/bashrc
Debug 517: fname #/home/chiraag/.config/bash/bashrc#, cfg.homedir #/home/chiraag#
Replaced whitelist path: whitelist /home/chiraag/.config/bash/bashrc
Debug 409: new_name #/home/chiraag/.profile#, whitelist
real path /home/chiraag/.config/bash/profile
Debug 517: fname #/home/chiraag/.config/bash/profile#, cfg.homedir #/home/chiraag#
Replaced whitelist path: whitelist /home/chiraag/.config/bash/profile
Debug 409: new_name #/home/chiraag/.config/bash#, whitelist
real path /home/chiraag/.config/bash
Debug 517: fname #/home/chiraag/.config/bash#, cfg.homedir #/home/chiraag#
Replaced whitelist path: whitelist /home/chiraag/.config/bash
Whitelisting /home/chiraag/.config/bash/bash_logout
Created symbolic link /home/chiraag/.bash_logout -> /home/chiraag/.config/bash/bash_logout
Whitelisting /home/chiraag/.config/bash/bash_completion
Created symbolic link /home/chiraag/.bash_completion -> /home/chiraag/.config/bash/bash_completion
Whitelisting /home/chiraag/.config/bash/bashrc
Whitelisting /home/chiraag/.config/bash/profile
Created symbolic link /home/chiraag/.profile -> /home/chiraag/.config/bash/profile
Whitelisting /home/chiraag/.config/bash
Child process initialized in 40.44 ms
```

So it seems like `.bashrc` is being treated differently. They should all be symlinked to relevant files in `~/.config/bash`, and while the other ones are, `.bashrc` is not. Time to hunt for where this happens!


@chiraag-nataraj commented on GitHub (May 21, 2019):

Gah, I don't get this. I went to https://github.com/netblue30/firejail/blob/903adeed610219cd19964f93402efc9a08ed032e/src/firejail/fs_home.c#L97 and added a print statement. When that didn't show, I added an else statement that should have just printed the result of stat. Neither shows anything, even when I run with `--debug`. @netblue30, where is this happening? When I run a `grep`, the only places `.bashrc` shows up are `src/firejail/fs_home.c` and `src/fbuilder/build_home.c`, and the latter is just for when we run `firejail --build`. But I don't get any output when I force all cases in `fs_home.c` (for `.bashrc`) to actually print something (using `fs_logger`). This makes absolutely no sense.


@rusty-snake commented on GitHub (Jul 10, 2019):

Any progress here?


@smitsohu commented on GitHub (Jul 12, 2019):

In the effort to improve support for non-standard home directories, I wanted to

  • append snippets like this one

    ```
    // if tmpfs masks home directory, build a new one
    build_new_home("/media/");
    ```

  • where

    ```
    static void build_new_home(const char *dir) {
    	assert(dir);
    	if (strncmp(cfg.homedir, dir, strlen(dir)) == 0) {
    		if (mkpath_as_root(cfg.homedir, 0755) == -1)
    			errExit("mkdir");
    		mkdir_attr(cfg.homedir, 0755, getuid(), getgid());
    	}
    }
    ```

  • to the tmpfs mounts, like for example https://github.com/netblue30/firejail/blob/6a0d5aaaa236d05f789620d42232d87c33f15713/src/firejail/fs_whitelist.c#L746-L760

These new homedirs should be suitable for whitelisting, but obviously are not initialized at all.
It's a different issue but quite related, so I think it makes sense to keep track in this place.


@smitsohu commented on GitHub (Jul 12, 2019):

I wonder if we should move this line

https://github.com/netblue30/firejail/blob/de80850e935ec00e59268f6e20969bcae19578b3/src/firejail/fs_whitelist.c#L724-L725

to the end of the tmpfs mounts?

Then whatever turns out to be the fix for overwriting bashrc probably initializes these new homedirs as well, without need for extra code.


@smitsohu commented on GitHub (Jul 20, 2019):

Nevermind. I'll stick to something less ambitious. Creating folders with generous permissions in places such as /etc creates mixed feelings... to get this really right, it would be necessary to always match permissions exactly, which, as far as I can see, requires larger changes to the whitelisting code (and maybe also the data structures). Let's pretend I didn't post anything here 😄

Reference: github-starred/firejail#777