What’s the intended error state for “force-nonewprivs yes” + chromium? #5106
-
Hi there, From reading this: https://firejail.wordpress.com/documentation-2/basic-usage/#suid, I’m aware I shouldn’t be using chromium if I’ve set “force-nonewprivs yes” in /etc/firejail/firejail.config. Which is fair enough. But I’m wondering what’s meant to happen if I throw all logic to the wind and try it anyway? Because on my current install (with force-nonewprivs set to yes) chromium successfully launches with firejail, appears in firejail --tree, but has unrestricted access to my home folder. Is that intended behavior? I had assumed “force-nonewprivs yes” would just cause fire-jailed chromium to not launch, so I was, perhaps foolishly, trying to use that as an indicator that I’d correctly configured “force-nonewprivs yes”. I only ask because I just finished a rather convoluted manual install process where I compiled firejail on a different machine and wanted to check I hadn’t accidentally caused some weird undesirable behavior where any program which attempt to rise privileges spontaneously escapes the sandbox. Anyway, fire-jail is a lovely tool so thanks everyone who’s contributed to it and thank you anyone who entertains my bizarre questions. Just to clarify for anyone who speed read that, I’m not looking to make chromium work, I understand it shouldn’t with “force-nonewprivs yes”. I’m just wondering what it “not working” looks like for everyone else. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
How did you check? Did you saw the view of chromium to the filesystem or the filechooser dialog of a portal?
If unprivileged userns are disable chromium* will not start. If they are enabled everything¹ works fine and you should enable chromium-common-hardened.inc. ¹ with chromium* but other programs like wireshark still break.
|
Beta Was this translation helpful? Give feedback.
How did you check? Did you saw the view of chromium to the filesystem or the filechooser dialog of a portal?
If unprivileged userns are disable chromium* will not start. If they are enabled everything¹ works fine and you should enable chromium-common-hardened.inc.
¹ with chromium* but other programs like wireshark still break.
firejail [ARGS] sudo …