github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1440] What's the difference between --chroot= and --private= ? #971

New issue
Closed
opened 2026-05-05 07:14:20 -06:00 by gitea-mirror · 10 comments
gitea-mirror commented 2026-05-05 07:14:20 -06:00
Owner
Copy link

Originally created by @taoeffect on GitHub (Aug 8, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1440

I tried searching for an answer before opening this issue but could not find a clear one.

Some newb questions I have are:

  • What is the difference in purpose between the two flags?
  • When would one want to use one over the other?
  • Is it OK to use both? If so, what kinds of circumstances might one want to do that, and if not, why not?

Thanks so much for any help with figuring this out!

Originally created by @taoeffect on GitHub (Aug 8, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1440 I tried searching for an answer before opening this issue but could not find a clear one. Some newb questions I have are: - What is the difference in purpose between the two flags? - When would one want to use one over the other? - Is it OK to use both? If so, what kinds of circumstances might one want to do that, and if not, why not? Thanks so much for any help with figuring this out!
gitea-mirror commented 2026-05-05 07:14:25 -06:00
Author
Owner
Copy link

@Ferroin commented on GitHub (Aug 8, 2017):

--chroot= changes the root directory for the jail to the specified directory (check the man page for the actual system call here or on your local system for more info on what exactly is done). This is quite literally the oldest type of sandboxing on UNIX systems, and ironically wasn't intended originally for that purpose (and by itself is insufficient for sandboxing). In the case of firejail, it mostly provides some limited degree of insurance that's only significant if the other protections fail. As far as usage goes, the general rule is that unless you know you need to use --chroot=, you don't need it. It provides no measurable extra security, and can make setting up a jail much more complicated.

--private= creates an ephemeral instance (temporary for the duration of the jail) of the specified directory inside the jail (the stuff in the jail can't see the contents of the real version of that directory, and things outside the jail can't read the private instance). It builds on the technology firejail is already using, and is intended for hiding files from things running in the jail (or providing a customized view of those files). This is actually used in a number of profiles to hide things like system configuration files, and is sometimes used for things like web browsers to create throw-away profiles that get deleted when the browser exits.

The only circumstances I can think of that actually need both involve using firejail for traditional whole-system containers (that is LXC/LXD or VServer style containers), and there are much better options for such a use case than firejail.

<!-- gh-comment-id:320928871 --> @Ferroin commented on GitHub (Aug 8, 2017): `--chroot=` changes the root directory for the jail to the specified directory (check the man page for the actual system call [here](https://linux.die.net/man/2/chroot) or on your local system for more info on what exactly is done). This is quite literally the oldest type of sandboxing on UNIX systems, and ironically wasn't intended originally for that purpose (and by itself is insufficient for sandboxing). In the case of firejail, it mostly provides some limited degree of insurance that's only significant if the other protections fail. As far as usage goes, the general rule is that unless you know you need to use `--chroot=`, you don't need it. It provides no measurable extra security, and can make setting up a jail much more complicated. `--private=` creates an ephemeral instance (temporary for the duration of the jail) of the specified directory inside the jail (the stuff in the jail can't see the contents of the real version of that directory, and things outside the jail can't read the private instance). It builds on the technology firejail is already using, and is intended for hiding files from things running in the jail (or providing a customized view of those files). This is actually used in a number of profiles to hide things like system configuration files, and is sometimes used for things like web browsers to create throw-away profiles that get deleted when the browser exits. The only circumstances I can think of that actually need both involve using firejail for traditional whole-system containers (that is LXC/LXD or VServer style containers), and there are much better options for such a use case than firejail.
gitea-mirror commented 2026-05-05 07:14:27 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 8, 2017):

--chroot is for running programs in a different root directory. For example you could have a different Linux distribution installed in /srv/chroot/ubuntu. The program from inside this new filesystem hierarchy is then called and jailed, instead of the one of your main system.

--private is for hiding directories from jailed applications. Without arguments to --private, the home directories will be made "private", so they will be mostly empty for jailed applications. And any changes to those directories will be discarded when the jail is ended.

Yes, you can combine both, as they are two completely separate functionalities.

<!-- gh-comment-id:320928897 --> @reinerh commented on GitHub (Aug 8, 2017): --chroot is for running programs in a different root directory. For example you could have a different Linux distribution installed in /srv/chroot/ubuntu. The program from inside this new filesystem hierarchy is then called and jailed, instead of the one of your main system. --private is for hiding directories from jailed applications. Without arguments to --private, the home directories will be made "private", so they will be mostly empty for jailed applications. And any changes to those directories will be discarded when the jail is ended. Yes, you can combine both, as they are two completely separate functionalities.
gitea-mirror commented 2026-05-05 07:14:28 -06:00
Author
Owner
Copy link

@taoeffect commented on GitHub (Aug 8, 2017):

Thanks guys! That's super helpful!

One last question (and maybe consider linking to these answers from the website docs? I bet I'm not the only person that would find them enlightening!):

Yes, you can combine both, as they are two completely separate functionalities.

This is the part that confuses me, as isn't the home folder within root? So if you change the root, doesn't that by itself change the home directory, rendering --private meaningless...?

<!-- gh-comment-id:321024898 --> @taoeffect commented on GitHub (Aug 8, 2017): Thanks guys! That's super helpful! One last question (and maybe consider linking to these answers from the website docs? I bet I'm not the only person that would find them enlightening!): > Yes, you can combine both, as they are two completely separate functionalities. This is the part that confuses me, as isn't the home folder within root? So if you change the root, doesn't that by itself change the home directory, rendering `--private` meaningless...?
gitea-mirror commented 2026-05-05 07:14:31 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 8, 2017):

What you change in the chroot directory is persistent. So even though you have a different home directory, it is not a temporary one (just a different one).
--private gives your application a private/temporary home directory, but the rest of your system stays the same (i.e., same Linux distribution, same installed applications etc.).
With --chroot you run the application in a completely different Linux "environment" (it doesn't need to be the same distribution), for example with different versions of your applications, different configurations etc. Another common use case for chroots is having one for different architecture binaries, for example you have a 64bit host system, but a separate 32bit system in a chroot directory.

<!-- gh-comment-id:321035722 --> @reinerh commented on GitHub (Aug 8, 2017): What you change in the chroot directory is persistent. So even though you have a different home directory, it is not a temporary one (just a different one). --private gives your application a private/temporary home directory, but the rest of your system stays the same (i.e., same Linux distribution, same installed applications etc.). With --chroot you run the application in a completely different Linux "environment" (it doesn't need to be the same distribution), for example with different versions of your applications, different configurations etc. Another common use case for chroots is having one for different architecture binaries, for example you have a 64bit host system, but a separate 32bit system in a chroot directory.
gitea-mirror commented 2026-05-05 07:14:33 -06:00
Author
Owner
Copy link

@taoeffect commented on GitHub (Aug 8, 2017):

Thanks so much @reinerh!

So it sounds like if you use --chroot=[dir] with --private=[dir] then it will both change the root and also replace the home directory in the new root with a persistent home directory outside of it. (Please correct me if that understanding is mistaken!)

I'm going to close this issue now since my question has been answered, I think, quite well.

If you'd like to update the website with a link to this issue to help others understand the differences that would be grand.

Cheers and have a wonderful day!

<!-- gh-comment-id:321106425 --> @taoeffect commented on GitHub (Aug 8, 2017): Thanks so much @reinerh! So it sounds like if you use `--chroot=[dir]` with `--private=[dir]` then it will *both* change the root and also replace the home directory in the new root with a persistent home directory outside of it. (Please correct me if that understanding is mistaken!) I'm going to close this issue now since my question has been answered, I think, quite well. If you'd like to update the website with a link to this issue to help others understand the differences that would be grand. Cheers and have a wonderful day!
gitea-mirror commented 2026-05-05 07:14:34 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 8, 2017):

it sounds like if you use --chroot=[dir] with --private=[dir] then it will both change the root and also replace the home directory in the new root with a persistent home directory outside of it.

Not quite. --chroot will change the root directory, and --private will use a temporary/non-persistent home directory.
If you use --chroot=/srv/chroot/ubuntu without --private, then your newly created files will stay in e.g. /srv/chroot/ubuntu/home/username/foo.txt, with --private they will get lost.

Here is an example that shows you the behavior:

(reiner@apollo) ~ $ > ls -l /srv/chroot/jessie/home/reiner/
total 0
(reiner@apollo) ~ $ > firejail --quiet --chroot=/srv/chroot/jessie
(jessie)reiner@apollo:~$ touch foo
(jessie)reiner@apollo:~$ exit
(reiner@apollo) ~ $ > ls -l /srv/chroot/jessie/home/reiner/
total 0
-rw-r--r-- 1 reiner reiner 0 Aug  9 01:29 foo
(reiner@apollo) ~ $ > firejail --quiet --chroot=/srv/chroot/jessie --private
(jessie)reiner@apollo:~$ ls -l
total 0
(jessie)reiner@apollo:~$ touch bar
(jessie)reiner@apollo:~$ exit
(reiner@apollo) ~ $ > ls -l /srv/chroot/jessie/home/reiner/
total 0
-rw-r--r-- 1 reiner reiner 0 Aug  9 01:29 foo
(reiner@apollo) ~ $ >
<!-- gh-comment-id:321110145 --> @reinerh commented on GitHub (Aug 8, 2017): > it sounds like if you use --chroot=[dir] with --private=[dir] then it will both change the root and also replace the home directory in the new root with a persistent home directory outside of it. Not quite. --chroot will change the root directory, and --private will use a temporary/non-persistent home directory. If you use `--chroot=/srv/chroot/ubuntu` without --private, then your newly created files will stay in e.g. /srv/chroot/ubuntu/home/username/foo.txt, with --private they will get lost. Here is an example that shows you the behavior: ``` (reiner@apollo) ~ $ > ls -l /srv/chroot/jessie/home/reiner/ total 0 (reiner@apollo) ~ $ > firejail --quiet --chroot=/srv/chroot/jessie (jessie)reiner@apollo:~$ touch foo (jessie)reiner@apollo:~$ exit (reiner@apollo) ~ $ > ls -l /srv/chroot/jessie/home/reiner/ total 0 -rw-r--r-- 1 reiner reiner 0 Aug 9 01:29 foo (reiner@apollo) ~ $ > firejail --quiet --chroot=/srv/chroot/jessie --private (jessie)reiner@apollo:~$ ls -l total 0 (jessie)reiner@apollo:~$ touch bar (jessie)reiner@apollo:~$ exit (reiner@apollo) ~ $ > ls -l /srv/chroot/jessie/home/reiner/ total 0 -rw-r--r-- 1 reiner reiner 0 Aug 9 01:29 foo (reiner@apollo) ~ $ > ```
gitea-mirror commented 2026-05-05 07:14:35 -06:00
Author
Owner
Copy link

@taoeffect commented on GitHub (Aug 8, 2017):

Not quite. --chroot will change the root directory, and --private will use a temporary/non-persistent home directory.

That's not what the documentation says? That only happens when --private is used without any parameters?

<!-- gh-comment-id:321113142 --> @taoeffect commented on GitHub (Aug 8, 2017): > Not quite. --chroot will change the root directory, and --private will use a temporary/non-persistent home directory. That's not what the documentation says? That only happens when `--private` is used without any parameters?
gitea-mirror commented 2026-05-05 07:14:36 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 8, 2017):

Oh sorry, I didn't see in your other reply that you mean --private=directory (instead of --private).
In that case you are absolutely right, the specified directory will be used and the files are persisted in there.

<!-- gh-comment-id:321114239 --> @reinerh commented on GitHub (Aug 8, 2017): Oh sorry, I didn't see in your other reply that you mean --private=directory (instead of --private). In that case you are absolutely right, the specified directory will be used and the files are persisted in there.
gitea-mirror commented 2026-05-05 07:14:37 -06:00
Author
Owner
Copy link

@Ferroin commented on GitHub (Aug 9, 2017):

That said, I don't think it documents anywhere what order those are evaluated in. There's a pretty big difference between evaluating the --private= option before versus after the chroot happens.

<!-- gh-comment-id:321226006 --> @Ferroin commented on GitHub (Aug 9, 2017): That said, I don't think it documents anywhere what order those are evaluated in. There's a pretty big difference between evaluating the `--private=` option before versus after the chroot happens.
gitea-mirror commented 2026-05-05 07:14:38 -06:00
Author
Owner
Copy link

@Raj2032 commented on GitHub (Mar 25, 2019):

--chroot= changes the root directory for the jail to the specified directory (check the man page for the actual system call here or on your local system for more info on what exactly is done). This is quite literally the oldest type of sandboxing on UNIX systems, and ironically wasn't intended originally for that purpose (and by itself is insufficient for sandboxing). In the case of firejail, it mostly provides some limited degree of insurance that's only significant if the other protections fail. As far as usage goes, the general rule is that unless you know you need to use --chroot=, you don't need it. It provides no measurable extra security, and can make setting up a jail much more complicated.

--private= creates an ephemeral instance (temporary for the duration of the jail) of the specified directory inside the jail (the stuff in the jail can't see the contents of the real version of that directory, and things outside the jail can't read the private instance). It builds on the technology firejail is already using, and is intended for hiding files from things running in the jail (or providing a customized view of those files). This is actually used in a number of profiles to hide things like system configuration files, and is sometimes used for things like web browsers to create throw-away profiles that get deleted when the browser exits.

The only circumstances I can think of that actually need both involve using firejail for traditional whole-system containers (that is LXC/LXD or VServer style containers), and there are much better options for such a use case than firejail.

Using --private= can I create another directory and install programs in that specific folder?

<!-- gh-comment-id:476093282 --> @Raj2032 commented on GitHub (Mar 25, 2019): > `--chroot=` changes the root directory for the jail to the specified directory (check the man page for the actual system call [here](https://linux.die.net/man/2/chroot) or on your local system for more info on what exactly is done). This is quite literally the oldest type of sandboxing on UNIX systems, and ironically wasn't intended originally for that purpose (and by itself is insufficient for sandboxing). In the case of firejail, it mostly provides some limited degree of insurance that's only significant if the other protections fail. As far as usage goes, the general rule is that unless you know you need to use `--chroot=`, you don't need it. It provides no measurable extra security, and can make setting up a jail much more complicated. > > `--private=` creates an ephemeral instance (temporary for the duration of the jail) of the specified directory inside the jail (the stuff in the jail can't see the contents of the real version of that directory, and things outside the jail can't read the private instance). It builds on the technology firejail is already using, and is intended for hiding files from things running in the jail (or providing a customized view of those files). This is actually used in a number of profiles to hide things like system configuration files, and is sometimes used for things like web browsers to create throw-away profiles that get deleted when the browser exits. > > The only circumstances I can think of that actually need both involve using firejail for traditional whole-system containers (that is LXC/LXD or VServer style containers), and there are much better options for such a use case than firejail. Using `--private=` can I create another directory and install programs in that specific folder?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#971
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?