[GH-ISSUE #1419] Archive Managers can't access network folders #965

Closed
opened 2026-05-05 07:13:51 -06:00 by gitea-mirror · 12 comments

Originally created by @Utini2000 on GitHub (Jul 31, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1419

Hello everyone,
I am on Archlinux and due to the network restriction the following archive managers aren't able to access/extract to/from network shared folders:

file-roller
xarchiver
ark

I can manually edit the .conf but it will be overwritten after each update? Or do .local files always trump .profile files? Besides that I think it should still be possible for those applications to extract to network folders?

Thanks in advance !


@chiraag-nataraj commented on GitHub (Aug 1, 2017):

You can always put

```
# the ignore line has to come before the include it applies to
ignore net
include /etc/firejail/file-roller.profile
```

or something in a profile in `~/.config/firejail/file-roller.profile`.

I do disagree, though, that archive managers should have access to the network. If you need it to extract something on the network, the right way (IMHO) is to mount that filesystem to a local mount point (e.g. using sshfs) and then treat it as a local resource. Because the sshfs process is running outside the sandbox, you won't have any problems regarding actually writing the files.


@Utini2000 commented on GitHub (Aug 2, 2017):

Hmm, I am on Arch + Gnome and mounted a locally shared hdd via SMB in Nemo. That didn't work.


@chiraag-nataraj commented on GitHub (Aug 2, 2017):

Interesting. I know that it works for sshfs. I ssh in and mount a certain directory to /media/ccv. Then I can open up a jailed x-terminal-emulator (urxvt in my case) which does not have internet access and still read from/write to /media/ccv.


@SkewedZeppelin commented on GitHub (Aug 2, 2017):

The gvfs-* providers seem to be incompatible compared to sshfs. Most likely because sshfs creates an actual mount instead of just a weird virtual directory. See https://askubuntu.com/a/87702

Oddly even after giving file-roller network access I was still unable to compress files accessed via gvfs-sftp.
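
To see which of the two cases discussed above a given path falls into, the mount table can be checked directly. The script below is an added example, not part of the original thread or of firejail; the function names, the `mounted-share` and `gvfs-bridge` labels and the sample mount table are constructed for illustration, and it assumes the gvfs FUSE bridge shows up with filesystem type `fuse.gvfsd-fuse`.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (not taken from the thread).
sample_mountinfo() {
cat <<'EOF'
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
96 25 0:45 / /run/user/1000 rw,nosuid,nodev shared:50 - tmpfs tmpfs rw,mode=700
101 96 0:50 / /run/user/1000/gvfs rw,nosuid,nodev shared:55 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=1000
110 25 0:52 / /media/ccv rw,nosuid,nodev shared:60 - fuse.sshfs user@host:/srv rw,user_id=1000
EOF
}

# backing_fs PATH: read a mountinfo table on stdin and print "FSTYPE MOUNTPOINT"
# for the longest mount point that is a prefix of PATH.
# Mount points containing spaces (escaped as \040 in mountinfo) are not handled.
backing_fs() {
    awk -v p="$1" '
    {
        mp = $5
        # the filesystem type is the first field after the "-" separator
        for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break }
        # compare on whole path components so /media/ccv does not match /media/ccvx
        pre = (mp == "/") ? "/" : mp "/"
        if (index(p "/", pre) == 1 && length(mp) >= length(best)) {
            best = mp; bestfs = fs
        }
    }
    END { if (best != "") print bestfs, best }'
}

# kind_of FSTYPE: label the cases the thread distinguishes.
kind_of() {
    case "$1" in
        fuse.gvfsd-fuse)      echo gvfs-bridge ;;    # served by the session gvfs daemon
        fuse.*|cifs|nfs|nfs4) echo mounted-share ;;  # ordinary mount point, e.g. sshfs
        *)                    echo local ;;
    esac
}

for path in /media/ccv/archive.zip \
            "/run/user/1000/gvfs/smb-share:server=nas,share=data/archive.zip"; do
    set -- $(sample_mountinfo | backing_fs "$path")
    printf '%s -> %s on %s (%s)\n' "$path" "$1" "$2" "$(kind_of "$1")"
done
```

On a real system, replace `sample_mountinfo |` with a redirect from `/proc/self/mountinfo`; running the check both outside and inside the sandbox shows whether the mount is visible from the jail at all.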


@chiraag-nataraj commented on GitHub (Aug 3, 2017):

Huh...I see. Yeah, I guess I stopped using gvfs stuff a long time ago xD


@Utini2000 commented on GitHub (Aug 3, 2017):

Hmm, so even granting network access won't help?
How to fix this then? :o


@chiraag-nataraj commented on GitHub (Aug 11, 2017):

@Utini2000, are you using smbnetfs? You could give that a try rather than gvfs (I think smbnetfs uses FUSE instead).


@ghost commented on GitHub (Jun 7, 2018):

I'm having the same issue atm with Firejail 0.9.54, where or what do I edit to have this working again, I need access to my drive asap. I've removed it for now until I can figure this out or get help.

System is Kubuntu 18.04 LTS and my WD Passport drive is attached to my router (Asus RT-AC86U)


@chiraag-nataraj commented on GitHub (Jun 7, 2018):

@GeoffK59 See if #1560 helps.


@ghost commented on GitHub (Jun 7, 2018):

@chiraag-nataraj I read that thread but I'm still a bit confused as to what or where to edit and or be able to restrict access at will. Honestly I don't understand why Firejail is restricting this as I'm root and should therefore have access no matter what.


@chiraag-nataraj commented on GitHub (Jul 16, 2018):

@GeoffK59 firejail is just restricting based on its profile. It doesn't care about whether you're root or another user (unless you're trying to use a feature which is restricted to root, of course).

If you're using a FUSE filesystem (e.g. sshfs), try mounting with `-o allow_other`.


@chiraag-nataraj commented on GitHub (Jul 22, 2018):

I think allowing archive managers to access the network is bad as a default. In general, a more secure workflow is copying the file to a shared directory (say, ~/Downloads) and using the archive manager there. Of course, if people want to locally allow network access, that makes sense. But I don't think we should do that by default.

@GeoffK59 I'm going to close this due to no response. If you try that and still can't get it to work, please feel free to reopen.
