[GH-ISSUE #1346] private-bin and shells #923

Closed
opened 2026-05-05 07:09:24 -06:00 by gitea-mirror · 2 comments
Owner

Originally created by @reinerh on GitHub (Jun 23, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1346

Hi,

while investigating a failing tar.exp test, I found out that there is an issue with private-bin and shells.
On Debian/Ubuntu tar.exp fails, because bzip2 can't be executed. This probably fails because it can't execute the default shell. In the tar profile it allows "sh", but not for example "bash", "dash" etc., so they are not available in the private bin.
And indeed, after I added dash (my /bin/sh points to dash) to the private-bin line, the test was passing.
Adding all shells to all private-bin lines that require a shell is probably no good solution.

I'm wondering now if the symlink should be resolved and the destination binary be also copied to the private bin?

gitea-mirror 2026-05-05 07:09:24 -06:00 · closed this issue · added the "bug" label
Author
Owner

@netblue30 commented on GitHub (Jun 24, 2017):

I added sh,bash,dash in several profiles: https://github.com/netblue30/firejail/commit/81b61d55a3174189d3c810f645f81f0ef48f7db0

I think that's the easiest fix for now. Some time ago somebody put in a patch for private-bin to follow the links. I had to disable it after some time, apparently on some distributions firefox is a symbolic link in /usr/bin directory pointing to the place where firefox was installed, and it was breaking firefox.

I disabled the patch; currently it is a config option in /etc/firejail/firejail.config:

```
# Follow symlink for private-bin command.
# Disabled by default
# follow-symlink-private-bin no
```
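The two behaviours discussed in this thread, as an added example that is not firejail code and not posted by either participant: a POSIX shell script that expands a private-bin list by following each entry's symlink chain (so `sh` on a dash-based Debian also pulls in `dash`, which is what the failing tar.exp test needed), and separately reports entries whose resolved target lives outside the searched bin directories, which is the firefox-in-/usr/lib case that made the follow-symlink patch unsafe to leave enabled. The directory tree, the search path and the helper names (`expand_private_bin`, `unresolvable_targets`, `demo_tree`) are constructed for the demo and do not correspond to anything in firejail.

```shell
#!/bin/sh
# Added example (not firejail code): expand a firejail-style private-bin list
# across symlinks and flag targets that live outside the searched bin dirs.
# Assumptions: POSIX sh plus readlink/dirname/basename/mktemp; paths without
# whitespace (word splitting is applied to command output below).

# append_unique LIST ITEM: print LIST with ITEM appended unless already present.
append_unique() {
    case ",$1," in
        *",$2,"*) printf '%s' "$1" ;;
        *) if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s,%s' "$1" "$2"; fi ;;
    esac
}

# find_in_path SEARCH_PATH NAME: print the first SEARCH_PATH entry holding NAME.
# Dangling symlinks count too, so the callers still see and report them.
find_in_path() {
    ifs_save=$IFS; IFS=:
    for dir in $1; do
        if [ -e "$dir/$2" ] || [ -L "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            break
        fi
    done
    IFS=$ifs_save
}

# resolve_chain FILE: print every hop of FILE's symlink chain, one per line.
# readlink -f is not POSIX, so relative targets are joined to the link's dir.
resolve_chain() {
    cur=$1; hops=0
    while [ -L "$cur" ] && [ "$hops" -lt 32 ]; do
        target=$(readlink "$cur")
        case $target in
            /*) cur=$target ;;
            *)  cur=$(dirname "$cur")/$target ;;
        esac
        printf '%s\n' "$cur"
        hops=$((hops + 1))
    done
}

# canon_dir DIR: physical path of DIR; fails if DIR does not exist.
canon_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# expand_private_bin SEARCH_PATH LIST: LIST plus the basename of every symlink
# hop, so "sh" on a dash-based system becomes "sh,dash". Names not found in
# SEARCH_PATH are kept as listed, exactly as they would be in the profile.
expand_private_bin() {
    result=
    for name in $(printf '%s\n' "$2" | tr ',' ' '); do
        result=$(append_unique "$result" "$name")
        start=$(find_in_path "$1" "$name")
        [ -n "$start" ] || continue
        for hop in $(resolve_chain "$start"); do
            result=$(append_unique "$result" "$(basename "$hop")")
        done
    done
    printf '%s\n' "$result"
}

# unresolvable_targets SEARCH_PATH LIST: print "name -> path" for entries whose
# final target is outside every SEARCH_PATH dir. Copying only the basename into
# a private bin cannot satisfy these (firefox -> /usr/lib/firefox/firefox).
unresolvable_targets() {
    for name in $(printf '%s\n' "$2" | tr ',' ' '); do
        start=$(find_in_path "$1" "$name")
        [ -n "$start" ] || continue
        final=$start
        for hop in $(resolve_chain "$start"); do final=$hop; done
        final_dir=$(canon_dir "$(dirname "$final")") || continue
        inside=
        ifs_save=$IFS; IFS=:
        for dir in $1; do
            [ "$(canon_dir "$dir")" = "$final_dir" ] && inside=1
        done
        IFS=$ifs_save
        [ -n "$inside" ] || printf '%s -> %s\n' "$name" "$final"
    done
}

# demo_tree: build a constructed, Debian-like tree under a temp dir; print root.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/usr/lib/firefox"
    for f in bin/dash bin/bzip2 usr/bin/tar usr/lib/firefox/firefox; do
        : > "$root/$f"; chmod +x "$root/$f"
    done
    ln -s dash "$root/bin/sh"                              # /bin/sh -> dash
    ln -s ../lib/firefox/firefox "$root/usr/bin/firefox"   # link into /usr/lib
    printf '%s\n' "$root"
}

# Stand-alone run on the constructed tree.
root=$(demo_tree)
search="$root/usr/bin:$root/bin"
expand_private_bin "$search" "sh,tar,bzip2"    # sh,dash,tar,bzip2
unresolvable_targets "$search" "sh,firefox"    # firefox -> $root/usr/bin/../lib/firefox/firefox
rm -rf "$root"
```

The second report is the part worth keeping in mind when enabling follow-symlink-private-bin: following the link turns `sh` into a name that a bin directory can supply, but it turns `firefox` into a path no private bin can hold, so a resolver that blindly follows links needs to treat those two outcomes differently.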
Author
Owner

@reinerh commented on GitHub (Jun 24, 2017):

Okay, thanks. I wasn't aware of the config option.
Let's keep your fix then for now.

Reference: github-starred/firejail#923