[GH-ISSUE #1148] nogroups option and man page #794

Closed
opened 2026-05-05 06:51:34 -06:00 by gitea-mirror · 2 comments

Originally created by @SYN-cook on GitHub (Mar 19, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1148

I have found a deviation between the man page and actual firejail behavior. When I first run `firejail --nogroups` and then the `id` command, the output still shows a few supplementary groups:

uid=1000(user) gid=1000(user) Gruppen=1000(user),65534,29(audio),65534,44(video),65534

Also I have no idea what's behind gid 65534 (that was an easy one - it's group nogroup).
According to the man page I would expect something more restrictive like:

uid=1000(user) gid=1000(user) Gruppen=1000(user)

This is on Debian (Jessie and Stretch) with firejail 0.44.8 and 0.45.

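An added example, not firejail's own code, showing the check behind this report: a small C program that drops all supplementary groups with setgroups(), the way an option like --nogroups is expected to, and then counts the distinct supplementary groups the process still holds. The group list fed to count_supplementary() is constructed from the `id` output above (primary gid 1000); the function names are my own.

```c
/* Added example (not firejail code): drop supplementary groups and verify
 * that none remain. The constructed group list mirrors the report's `id`
 * output: 1000(user),65534,29(audio),65534,44(video),65534. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Count distinct supplementary groups: every gid other than the primary one,
 * counting repeated entries (65534 appears three times above) only once. */
int count_supplementary(const gid_t *groups, int n, gid_t primary) {
    int extra = 0;
    for (int i = 0; i < n; i++) {
        if (groups[i] == primary)
            continue;
        int seen = 0;
        for (int j = 0; j < i; j++) {
            if (groups[j] == groups[i]) {
                seen = 1;
                break;
            }
        }
        if (!seen)
            extra++;
    }
    return extra;
}

/* The reporter's group list as a constructed input: 3 distinct extra groups
 * (65534, 29, 44) where a working --nogroups should leave 0. */
int example_report_count(void) {
    gid_t reported[] = {1000, 65534, 29, 65534, 44, 65534};
    return count_supplementary(reported, 6, 1000);
}

/* How many distinct supplementary groups the calling process still has,
 * or -1 on error. Works unprivileged, so it can run inside the sandbox. */
int leftover_supplementary_groups(void) {
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof(gid_t));
    if (!groups)
        return -1;
    n = getgroups(n, groups);
    int extra = (n < 0) ? -1 : count_supplementary(groups, n, getegid());
    free(groups);
    return extra;
}

/* Drop every supplementary group. Needs CAP_SETGID, i.e. it must run while
 * the sandbox setup still has root, before privileges are given up. */
int drop_supplementary_groups(void) {
    return setgroups(0, NULL);
}

int main(void) {
    printf("report shows %d distinct supplementary groups (expected 0)\n",
           example_report_count());
    if (drop_supplementary_groups() != 0)
        printf("setgroups failed: %s (needs CAP_SETGID)\n", strerror(errno));
    int left = leftover_supplementary_groups();
    printf("this process now has %d supplementary group(s)\n", left);
    return left == 0 ? 0 : 1;
}
```

Run unprivileged inside the sandbox (for example `firejail --nogroups ./check`), the setgroups() call fails but the exit status still tells you whether the sandbox itself left any supplementary groups behind; run as root, the program demonstrates the drop that the sandbox should have performed.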
gitea-mirror closed this issue and added the bug label (2026-05-05 06:51:34 -06:00).

@netblue30 commented on GitHub (Mar 20, 2017):

It is a bug! --noroot does something similar with --nogroups, but allows audio, video, games and tty groups. I'll have to clean them up.

65534 is user/group nobody:

```
$ grep 65534 /etc/passwd
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
dnsmasq:x:115:65534:dnsmasq,,,:/var/lib/misc:/bin/false
```

I'll try to find out why it is added by default. Anyway, the guy has no permissions whatsoever. I see it used mainly by servers.


@netblue30 commented on GitHub (Mar 20, 2017):

Fixed!
