[GH-ISSUE #1439] Supplementary groups not working #970

Closed
opened 2026-05-05 07:14:20 -06:00 by gitea-mirror · 5 comments

Originally created by @graywolf on GitHub (Aug 7, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1439

Hi, I'm trying to run video using vlc under firejail. Profile file:

```
$ cat /etc/firejail/vlc.profile
# Persistent global definitions go here
include /etc/firejail/globals.local

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/vlc.local

# VLC media player profile
noblacklist ${HOME}/.config/vlc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
#ipc-namespace
netfilter
# nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
shell none

private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
# private-dev
private-tmp

noexec ${HOME}
noexec /tmp
```

so it seems to me that groups should be available. However:

```
[wolf@dennas tmp]$ firejail --profile=/etc/firejail/vlc.profile /usr/bin/bash
Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: noroot option is not available
Parent pid 15200, child pid 15201
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 47.86 ms
[wolf@dennas tmp]$ groups
wolf
```

while normally it is

```
[wolf@dennas tmp]$ groups
wolf shared
```

Firejail version:

```
$ firejail --version
firejail version 0.9.48

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

If you need any more info just let me know :)


@netblue30 commented on GitHub (Aug 10, 2017):

Is "shared" a regular group you created, or a system group? Run id command like this:

```
$ id
uid=1000(netblue) gid=1000(netblue) groups=1000(netblue),27(sudo)
```

1000(netblue) is a regular group, while 27(sudo) is a system group. Numbers smaller than 1000 are system groups.

Firejail will remove by default regular groups with the exception of the group associated with the current user. If this is the case, you can use --allusers to disable this functionality, something like this:

```
firejail --allusers --profile=/etc/firejail/vlc.profile /usr/bin/bash
```

@graywolf commented on GitHub (Aug 10, 2017):

I think it should be regular:

```
[wolf@dennas root]$ id
uid=1000(wolf) gid=1000(wolf) groups=1000(wolf),1001(shared)
```

So if I understand correctly, all regular supplementary groups are removed by default and nogroups disables what's left (== system supplementary groups)?

As for --allusers, I will try in the evening whether that helps or not, but I cannot find it in the [documentation](https://firejail.wordpress.com/features-3/man-firejail-profile/). Is there a way to achieve the same thing from the profile?


@netblue30 commented on GitHub (Aug 10, 2017):

Yes, by default all regular users are removed with the exception of the current user. I'll have to document it, thanks.


@graywolf commented on GitHub (Aug 11, 2017):

Yes, thanks for the help, I changed the gid of shared to 991 and it works now :) As for enhancing the documentation, that would be nice. It would also be nice to have the possibility of using allusers in the profile file and not just as an argument to firejail.


@startx2017 commented on GitHub (Aug 15, 2017):

Fixed. allusers is already supported in profile files in release 0.9.48

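As an added example, not code from the thread or from the firejail project, the script below applies the rule netblue30 states to an `id` line: groups with a GID below 1000 are treated as system groups and kept, regular supplementary groups other than the user's own primary group are the ones firejail drops by default, and `allusers` (as a `--allusers` option or, per startx2017, as a profile line) keeps them. The 1000 threshold and the `--quiet` option are assumptions about the installed build; the `id` lines used as input are the ones posted above, and the third one models graywolf's workaround of moving `shared` to GID 991.

```shell
#!/bin/sh
# Added example (not part of the thread): predict which supplementary groups
# firejail's default behaviour (no allusers) leaves inside the sandbox.
# Assumption: GIDs below 1000 are system groups and are kept; GIDs of 1000
# and above are regular groups and are dropped unless the group is the
# user's own primary group.
SYSTEM_GID_MAX=999

# _classify_groups "<output of id>": prints one "keep NAME" or "drop NAME"
# line per entry in the groups= field.
_classify_groups() {
    id_line=$1
    rest=${id_line#*gid=}              # "1000(wolf) groups=..."
    primary_gid=${rest%%(*}            # "1000"
    groups_field=${id_line##*groups=}  # "1000(wolf),1001(shared)[ context=...]"
    groups_field=${groups_field%% *}   # drop a trailing SELinux context field, if any
    old_ifs=$IFS
    IFS=,
    for entry in $groups_field; do
        gid=${entry%%(*}               # "1001"
        name=${entry#*(}               # "shared)"
        name=${name%)}                 # "shared"
        if [ "$gid" -eq "$primary_gid" ] || [ "$gid" -le "$SYSTEM_GID_MAX" ]; then
            printf 'keep %s\n' "$name"
        else
            printf 'drop %s\n' "$name"
        fi
    done
    IFS=$old_ifs
}

# predict_kept_groups "<id line>": space-separated names expected inside the sandbox.
predict_kept_groups() {
    _classify_groups "$1" | awk '$1 == "keep" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# predict_dropped_groups "<id line>": names firejail is expected to remove.
predict_dropped_groups() {
    _classify_groups "$1" | awk '$1 == "drop" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# sandbox_groups [firejail options...]: when firejail is installed, list the
# groups the current user really has inside a sandbox, so the prediction can
# be checked against the actual build. Examples:
#   sandbox_groups              (default behaviour)
#   sandbox_groups --allusers   (regular groups kept)
# Assumption: the installed version understands --quiet.
sandbox_groups() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed; prediction only" >&2
        return 0
    fi
    firejail --quiet "$@" id -Gn
}

# Constructed input: the id lines posted in the thread, plus the GID-991 workaround.
WOLF_ID='uid=1000(wolf) gid=1000(wolf) groups=1000(wolf),1001(shared)'
NETBLUE_ID='uid=1000(netblue) gid=1000(netblue) groups=1000(netblue),27(sudo)'
WOLF_FIXED_ID='uid=1000(wolf) gid=1000(wolf) groups=1000(wolf),991(shared)'

echo "wolf        keeps: $(predict_kept_groups "$WOLF_ID") / drops: $(predict_dropped_groups "$WOLF_ID")"
echo "netblue     keeps: $(predict_kept_groups "$NETBLUE_ID") / drops: $(predict_dropped_groups "$NETBLUE_ID")"
echo "wolf (991)  keeps: $(predict_kept_groups "$WOLF_FIXED_ID") / drops: $(predict_dropped_groups "$WOLF_FIXED_ID")"
```

Run it with `sh` on any system; on a machine with firejail, call `sandbox_groups` and `sandbox_groups --allusers` from the same shell to compare the prediction with what the sandbox actually grants. Moving a group below the threshold, as graywolf did, keeps it visible in every sandbox, whereas `allusers` in a profile limits that to the applications that need it.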
Reference: github-starred/firejail#970