[GH-ISSUE #1243] Error fcopy: invalid file #844

Closed
opened 2026-05-05 06:58:00 -06:00 by gitea-mirror · 5 comments

Originally created by @chiraag-nataraj on GitHub (Apr 23, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1243

I'm getting `Error fcopy: invalid file` whenever I try to use `private-etc` or `private-bin`. This is happening on Debian Sid/Experimental with Firejail 0.9.46~rc1.

More specifically, I'm running into errors with this line:
`private-etc Muttrc.d/,Muttrc,alternatives/,resolv.conf,ssl/,mime.types,proxychains.conf`
but not this line:
`private-etc Muttrc,resolv.conf`.

Similarly, I'm running into errors with `private-bin sh,mutt,mutt_dotlock,bash,emacsclient,elinks,gpg,gpg-agent,pinentry,dig,awk` but not `private-bin sh,mutt,bash,emacsclient,elinks,gpg,gpg-agent,pinentry,dig,awk`.

Relates to:

* #1531
* #4545
gitea-mirror 2026-05-05 06:58:00 -06:00 · closed this issue · added the `bug` label

@reinerh commented on GitHub (Apr 23, 2017):

I was able to reproduce the private-bin error:

```
$ firejail --noprofile --private-bin=bash,mutt_dotlock
Parent pid 12801, child pid 12802
Error fcopy: invalid file /usr/bin/mutt_dotlock
Error: failed to run /usr/lib/x86_64-linux-gnu/firejail/fcopy
Error: proc 12801 cannot sync with peer: unexpected EOF
Peer 12802 unexpectedly exited with status 1
```

The reason seems to be that mutt_dotlock is a suid binary.
It might be not allowed to copy it because of security reasons, but I'm not completely sure about that.
At least a more telling error message would be good.


@chiraag-nataraj commented on GitHub (Apr 24, 2017):

> The reason seems to be that mutt_dotlock is a suid binary.
> It might be not allowed to copy it because of security reasons, but I'm not completely sure about that.

That's almost certainly not the problem - otherwise, the problem would only show up in `private-bin` but it shows up with `private-etc` as well.


@reinerh commented on GitHub (Apr 24, 2017):

On Sun, Apr 23, 2017 at 07:13:15PM -0700, ಚಿರಾಗ್ ನಟರಾಜ್ wrote:

> > The reason seems to be that mutt_dotlock is a suid binary.
> > It might be not allowed to copy it because of security reasons, but I'm not completely sure about that.
>
> That's almost certainly not the problem - otherwise, the problem would only show up in `private-bin` but it shows up with `private-etc` as well.

There seem to be two cases where it can fail:
https://github.com/netblue30/firejail/blob/master/src/fcopy/main.c#L199-L204

If the file is not there or can't be stat'ed, or if the real uid/gid don't match the file to copy.


@netblue30 commented on GitHub (Apr 24, 2017):

There are two different bugs, one with the trailing `/` char (`firejail --private-etc=alternatives/`) and one with the group ownership.

Fixes: https://github.com/netblue30/firejail/commit/bff77f44afcdf43e69053dc2a3e4b45514810952 and https://github.com/netblue30/firejail/commit/df8c4e9cd15bfc2c5cb4c854a8f876c02c2eb1d6


@miszr commented on GitHub (Aug 30, 2017):

The issue still persists.

My system is configured with `systemd-networkd` and `systemd-resolved`.

The file `/etc/resolv.conf` is symlinked to `/run/systemd/resolve/resolv.conf` with the following permissions:
`-rw-r--r-- systemd-resolve systemd-resolve /run/systemd/resolve/resolv.conf`

So the file is world readable, but fcopy still refuses to copy it.

The issue is that fcopy only checks the `uid` of the file, not respecting the actual permissions set on it.

An example where this would fail terribly is if a file owner had no permissions.

Reference: github-starred/firejail#844