github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1450] firecfg incompletely installing #976

New issue
Closed
opened 2026-05-05 07:14:59 -06:00 by gitea-mirror · 14 comments
gitea-mirror commented 2026-05-05 07:14:59 -06:00
Owner
Copy link

Originally created by @Boruch-Baum on GitHub (Aug 9, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1450

For firejail version 0.9.48, in debian, firecfg is not creating symlinks for all available profiles.

This proved to be very frustrating when trying to figure out why a process tree consisting of less / .lessfilter / highlight was being rejected by firejail. Once I manually created the symlink, the operation succeeded.

Just in case there might be a second issue here, the case was:

$ less /usr/share/doc/abook/README
Blacklist violations are logged to syslog
0;firejail /usr/bin/highlight --out-format=xterm256 /usr/share/doc/abook/README ^GParent pid 13631, child pid 13632
Parent is shutting down, bye...

Before I wised up and noticed the lack of the symlink, the following WOULD succeed:

firejail --noprofile less /usr/share/doc/abook/README
Originally created by @Boruch-Baum on GitHub (Aug 9, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1450 For firejail version 0.9.48, in debian, firecfg is not creating symlinks for all available profiles. This proved to be very frustrating when trying to figure out why a process tree consisting of less / .lessfilter / highlight was being rejected by firejail. Once I manually created the symlink, the operation succeeded. Just in case there might be a second issue here, the case was: $ less /usr/share/doc/abook/README Blacklist violations are logged to syslog 0;firejail /usr/bin/highlight --out-format=xterm256 /usr/share/doc/abook/README ^GParent pid 13631, child pid 13632 Parent is shutting down, bye... Before I wised up and noticed the lack of the symlink, the following WOULD succeed: firejail --noprofile less /usr/share/doc/abook/README
gitea-mirror 2026-05-05 07:14:59 -06:00
gitea-mirror commented 2026-05-05 07:15:04 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 10, 2017):

You can try the version on git mainline. less command was added after 0.9.48 release.

<!-- gh-comment-id:321422432 --> @netblue30 commented on GitHub (Aug 10, 2017): You can try the version on git mainline. less command was added after 0.9.48 release.
gitea-mirror commented 2026-05-05 07:15:05 -06:00
Author
Owner
Copy link

@Boruch-Baum commented on GitHub (Aug 10, 2017):

Debian occasionally adds/removes stuff so maybe they put the less.profile in version 0.9.48, because it is there. What didn't happen was when I ran firecfg, it didn't create the symlink for very many commands that had profiles in the /etc/firejail directory, the first of which I noticed now when debugging my problem with less. Most of the missing symlinks are for programs not currenlty installed on my system.

Is firecfg supposed to create links for all profiles in the /etc/firejail directory?

If you mean that the file 'less.profile' really shouldn't be in my version (ie. debian patched it in), then should I manually write a simple one-liner script to create symlinks for everything in the directory?

<!-- gh-comment-id:321429005 --> @Boruch-Baum commented on GitHub (Aug 10, 2017): Debian occasionally adds/removes stuff so maybe they put the less.profile in version 0.9.48, because it is there. What didn't happen was when I ran firecfg, it didn't create the symlink for very many commands that had profiles in the /etc/firejail directory, the first of which I noticed now when debugging my problem with less. Most of the missing symlinks are for programs not currenlty installed on my system. Is firecfg supposed to create links for all profiles in the /etc/firejail directory? If you mean that the file 'less.profile' really shouldn't be in my version (ie. debian patched it in), then should I manually write a simple one-liner script to create symlinks for everything in the directory?
gitea-mirror commented 2026-05-05 07:15:06 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Aug 10, 2017):

Is firecfg supposed to create links for all profiles in the /etc/firejail directory?

I think the intention is for all profiles in /etc/firejail/ to be linked, but in reality we've had to leave a few out for various reasons. You can see which programs should always be linked in src/firecfg/firecfg.config.

<!-- gh-comment-id:321434106 --> @Fred-Barclay commented on GitHub (Aug 10, 2017): > Is firecfg supposed to create links for all profiles in the /etc/firejail directory? I think the *intention* is for all profiles in /etc/firejail/ to be linked, but in reality we've had to leave a few out for various reasons. You can see which programs should always be linked in src/firecfg/firecfg.config.
gitea-mirror commented 2026-05-05 07:15:07 -06:00
Author
Owner
Copy link

@Boruch-Baum commented on GitHub (Aug 10, 2017):

Thanks @Fred-Barclay. My install only created 62 of 309 symlinks.

I must admit that the whole resort to symlinks makes me a bit uneasy, as it will break for any scenario using absolute paths (eg. legacy scripts), and it makes firejail easy to intentionally circumvent. I expect you've hashed out the pros and cons already.

Have you considered this option?: It's pretty clear that this project is going to single-handedly 'take over' the /usr/local/bin directory, which concerns me, from a 'big picture' perspective. Have you considered putting the symlinks in a dedicated directory (eg. /usr/bin/firejail, /usr/lib/firejail), and asking users (or distributions, or sysadmins) that as part of the install process they should add that dedicated directory to their $PATH ? That would keep /usr/local/bin for its original purpose and allow for firejail to operate upon real executables that a local sysadmin correctly wants to exist in that directory. I realise this suggestion is late in the game, so possibly introduce it as an option, or just mention in the documentation the notion of doing so manually (if there wouldn't be aproblem with that working).

<!-- gh-comment-id:321440484 --> @Boruch-Baum commented on GitHub (Aug 10, 2017): Thanks @Fred-Barclay. My install only created 62 of 309 symlinks. I must admit that the whole resort to symlinks makes me a bit uneasy, as it will break for any scenario using absolute paths (eg. legacy scripts), and it makes firejail easy to intentionally circumvent. I expect you've hashed out the pros and cons already. Have you considered this option?: It's pretty clear that this project is going to single-handedly 'take over' the /usr/local/bin directory, which concerns me, from a 'big picture' perspective. Have you considered putting the symlinks in a dedicated directory (eg. /usr/bin/firejail, /usr/lib/firejail), and asking users (or distributions, or sysadmins) that as part of the install process they should add that dedicated directory to their $PATH ? That would keep /usr/local/bin for its original purpose and allow for firejail to operate upon real executables that a local sysadmin correctly wants to exist in that directory. I realise this suggestion is late in the game, so possibly introduce it as an option, or just mention in the documentation the notion of doing so manually (if there wouldn't be aproblem with that working).
gitea-mirror commented 2026-05-05 07:15:09 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Aug 10, 2017):

My install only created 62 of 309 symlinks.

It'll only create symlinks for profiles that it has located in /etc/firejail and that are installed

it makes firejail easy to intentionally circumvent

Its not really meant to prevent a malicious user sitting at the computer, and more of reducing harm by exploits/malware.

putting the symlinks in a dedicated directory

That could probably be easily added as an option in firejail.config, eg. "firecfg-use-dedicated-dir", and then just have firecfg add a warning if it doesn't detect it in $PATH

<!-- gh-comment-id:321441414 --> @SkewedZeppelin commented on GitHub (Aug 10, 2017): > My install only created 62 of 309 symlinks. It'll only create symlinks for profiles that it has located in /etc/firejail and that are installed > it makes firejail easy to intentionally circumvent Its not really meant to prevent a malicious user sitting at the computer, and more of reducing harm by exploits/malware. > putting the symlinks in a dedicated directory That could probably be easily added as an option in firejail.config, eg. "firecfg-use-dedicated-dir", and then just have firecfg add a warning if it doesn't detect it in $PATH
gitea-mirror commented 2026-05-05 07:15:10 -06:00
Author
Owner
Copy link

@Boruch-Baum commented on GitHub (Aug 10, 2017):

In practice, at this point, I'm tremendously gratified that firejail is easy to circumvent, as I've been going through more install pain. Here's a continuation:

As I mentioned in my opening comment, I have 'less' call a shell script called ~/.lessfilter, which decides how to colorize less output. For many files, it uses GNU highlight, and for log files, it uses ccze. When I open a root terminal to examine my syslog, I'm now getting the message:

# less /var/log/syslog
/root/.lessfilter: 32: /root/.lessfilter: cannot open /var/log/syslog: No such file

# firejail --whitelist=/var/log --whitelist=/var/log/syslog  --profile=/etc/firejail/less.profile less syslog
Warning: an existing sandbox was detected. /usr/bin/less will run without any additional sandboxing features
/root/.lessfilter: 32: /root/.lessfilter: cannot open /var/log/syslog: No such file

What seems to be happening is that the whitelists work for commands early in the script .lessfilter (eg. readlink, dirname), but not for a call to ccze (my line 32), in the form "ccze -A <"$1" , where $1 would be /var/log/syslog.

Note that if I try:

# firejail --profile=/etc/firejail/less.profile less syslog

without both whitelists, the script fails earlier, when trying to run dirname

What is going on? Do I need a separate profile for ccze? If so, why not for readlink and dirname? Why when explicitly calling less.profile does it behave differently than when called by default? Does the redirection in the script mess things up?

For colorizing log files, this is a tremendous waste of time, but for figuring out what's going on in firejail not so much.

<!-- gh-comment-id:321475036 --> @Boruch-Baum commented on GitHub (Aug 10, 2017): In practice, at this point, I'm tremendously gratified that firejail is easy to circumvent, as I've been going through more install pain. Here's a continuation: As I mentioned in my opening comment, I have 'less' call a shell script called ~/.lessfilter, which decides how to colorize less output. For many files, it uses GNU highlight, and for log files, it uses ccze. When I open a root terminal to examine my syslog, I'm now getting the message: # less /var/log/syslog /root/.lessfilter: 32: /root/.lessfilter: cannot open /var/log/syslog: No such file # firejail --whitelist=/var/log --whitelist=/var/log/syslog --profile=/etc/firejail/less.profile less syslog Warning: an existing sandbox was detected. /usr/bin/less will run without any additional sandboxing features /root/.lessfilter: 32: /root/.lessfilter: cannot open /var/log/syslog: No such file What seems to be happening is that the whitelists work for commands early in the script .lessfilter (eg. readlink, dirname), but not for a call to ccze (my line 32), in the form "ccze -A <"$1" , where $1 would be /var/log/syslog. Note that if I try: # firejail --profile=/etc/firejail/less.profile less syslog without both whitelists, the script fails earlier, when trying to run dirname What is going on? Do I need a separate profile for ccze? If so, why not for readlink and dirname? Why when explicitly calling less.profile does it behave differently than when called by default? Does the redirection in the script mess things up? For colorizing log files, this is a tremendous waste of time, but for figuring out what's going on in firejail not so much.
gitea-mirror commented 2026-05-05 07:15:10 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 10, 2017):

That's not an issue with your script.
By default firejail only mounts a minimal /var/log into the sandbox.
See:

$ firejail --quiet --noprofile ls -l /var/log | grep syslog
$ firejail --quiet --noprofile --writable-var-log ls -l /var/log | grep syslog
-rw-r----- 1 root          adm              2873 Aug 10 10:17 syslog
-rw-r----- 1 root          adm            189753 Aug 10 10:02 syslog.1
-rw-r----- 1 root          adm             27305 Aug  9 11:08 syslog.2.gz
-rw-r----- 1 root          adm             24887 Aug  8 11:28 syslog.3.gz
-rw-r----- 1 root          adm             25024 Aug  7 12:18 syslog.4.gz
-rw-r----- 1 root          adm             15226 Aug  6 11:24 syslog.5.gz
-rw-r----- 1 root          adm             22555 Aug  5 12:39 syslog.6.gz
-rw-r----- 1 root          adm             29515 Aug  4 12:17 syslog.7.gz

If you need this, you can add writable-var-log to your local less profile.

<!-- gh-comment-id:321484339 --> @reinerh commented on GitHub (Aug 10, 2017): That's not an issue with your script. By default firejail only mounts a minimal /var/log into the sandbox. See: ``` $ firejail --quiet --noprofile ls -l /var/log | grep syslog $ firejail --quiet --noprofile --writable-var-log ls -l /var/log | grep syslog -rw-r----- 1 root adm 2873 Aug 10 10:17 syslog -rw-r----- 1 root adm 189753 Aug 10 10:02 syslog.1 -rw-r----- 1 root adm 27305 Aug 9 11:08 syslog.2.gz -rw-r----- 1 root adm 24887 Aug 8 11:28 syslog.3.gz -rw-r----- 1 root adm 25024 Aug 7 12:18 syslog.4.gz -rw-r----- 1 root adm 15226 Aug 6 11:24 syslog.5.gz -rw-r----- 1 root adm 22555 Aug 5 12:39 syslog.6.gz -rw-r----- 1 root adm 29515 Aug 4 12:17 syslog.7.gz ``` If you need this, you can add `writable-var-log` to your local less profile.
gitea-mirror commented 2026-05-05 07:15:11 -06:00
Author
Owner
Copy link

@Boruch-Baum commented on GitHub (Aug 10, 2017):

Thanks, @reinerh! What a relief!

However, this raises another question? This is the kind of setting that should be default for any user with admin privileges probably for many command profiles, so how are such people (sysadmins, root account) expected to use firejail? Must they / we manually copy and customize all profiles to /root/.config/firejail ?

<!-- gh-comment-id:321486145 --> @Boruch-Baum commented on GitHub (Aug 10, 2017): Thanks, @reinerh! What a relief! However, this raises another question? This is the kind of setting that should be default for any user with admin privileges probably for many command profiles, so how are such people (sysadmins, root account) expected to use firejail? Must they / we manually copy and customize all profiles to /root/.config/firejail ?
gitea-mirror commented 2026-05-05 07:15:12 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 10, 2017):

If you intend to use less on for example /var/log/syslog and don't do it that often, you could use the command line flag.
If you use it more often you could put it into /etc/firejail/less.local (which is loaded in the /etc/firejail/less.profile profile).
If you use it even more with also other tools, you can put it into /etc/firejail/globals.local, which is loaded by all profiles.

<!-- gh-comment-id:321488016 --> @reinerh commented on GitHub (Aug 10, 2017): If you intend to use less on for example /var/log/syslog and don't do it that often, you could use the command line flag. If you use it more often you could put it into /etc/firejail/less.local (which is loaded in the /etc/firejail/less.profile profile). If you use it even more with also other tools, you can put it into /etc/firejail/globals.local, which is loaded by all profiles.
gitea-mirror commented 2026-05-05 07:15:13 -06:00
Author
Owner
Copy link

@Boruch-Baum commented on GitHub (Aug 10, 2017):

@reinerh, your solution worked like a charm.

So in a multi-user environment that would mean, for example,
creating a file /root/.config/firejail/globals.local?

I imagine as firejail becomes more popular, this type of dual-use issue will arise often and consistently, because even a single-user device that maintains a distinction between a normal and a privileged state (eg sudo), will need some special ruleset for the privileged account(s).

<!-- gh-comment-id:321495129 --> @Boruch-Baum commented on GitHub (Aug 10, 2017): @reinerh, your solution worked like a charm. So in a multi-user environment that would mean, for example, creating a file /root/.config/firejail/globals.local? I imagine as firejail becomes more popular, this type of dual-use issue will arise often and consistently, because even a single-user device that maintains a distinction between a normal and a privileged state (eg sudo), will need some special ruleset for the privileged account(s).
gitea-mirror commented 2026-05-05 07:15:14 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 10, 2017):

$HOME/.config/firejail/globals.local would not work, because this file is nowhere included.
What you could do (but would be a bit more effort) is creating user-local profiles that load the normal profile and a user-local global overwrite, like this (/root/.config/firejail/less.profile):

include /root/.config/firejail/globals.local
include /etc/firejail/less.profile

Then you can put your user-specific global overwrites to this globals.local file.

<!-- gh-comment-id:321496284 --> @reinerh commented on GitHub (Aug 10, 2017): $HOME/.config/firejail/globals.local would not work, because this file is nowhere included. What you could do (but would be a bit more effort) is creating user-local profiles that load the normal profile and a user-local global overwrite, like this (/root/.config/firejail/less.profile): ``` include /root/.config/firejail/globals.local include /etc/firejail/less.profile ``` Then you can put your user-specific global overwrites to this globals.local file.
gitea-mirror commented 2026-05-05 07:15:15 -06:00
Author
Owner
Copy link

@Boruch-Baum commented on GitHub (Aug 10, 2017):

Thanks. At this point, for me personally, the issue could be closed as solved, but it would be considerate for other users maybe to keep it open for a conversation / decision about whether / what something should be done in the package to address this for others. The people deciding to install / deploy firejail are going to be sysadmins themselves (at least in some sense of the word), and the current situation will give them a frustrating first impression that may cause them to just ditch the idea of using firejail if its a hassle for them.

<!-- gh-comment-id:321498442 --> @Boruch-Baum commented on GitHub (Aug 10, 2017): Thanks. At this point, for me personally, the issue could be closed as solved, but it would be considerate for other users maybe to keep it open for a conversation / decision about whether / what something should be done in the package to address this for others. The people deciding to install / deploy firejail are going to be sysadmins themselves (at least in some sense of the word), and the current situation will give them a frustrating first impression that may cause them to just ditch the idea of using firejail if its a hassle for them.
gitea-mirror commented 2026-05-05 07:15:16 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 10, 2017):

I put a fix in git. It turns out we already have a --writable-var-log command line option and profile command to disable the sandboxing of /var/log. Also, let's not add private-bin to the profile, ~/.lessfilter seems to be quite popular with power users.

In the next version we'll add another way to handle desktop integration based on a LD_PRELOAD library, so you wouldn't have to mess with /usr/local/bin.

<!-- gh-comment-id:321589639 --> @netblue30 commented on GitHub (Aug 10, 2017): I put a fix in git. It turns out we already have a --writable-var-log command line option and profile command to disable the sandboxing of /var/log. Also, let's not add private-bin to the profile, ~/.lessfilter seems to be quite popular with power users. In the next version we'll add another way to handle desktop integration based on a LD_PRELOAD library, so you wouldn't have to mess with /usr/local/bin.
gitea-mirror commented 2026-05-05 07:15:16 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

Is there anything left to do here?

<!-- gh-comment-id:578390340 --> @rusty-snake commented on GitHub (Jan 25, 2020): Is there anything left to do here?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#976
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?