Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

firejail inside firejail broken #2877

Open
rusty-snake opened this issue Jul 29, 2019 · 2 comments
Open

firejail inside firejail broken #2877

rusty-snake opened this issue Jul 29, 2019 · 2 comments
Labels
bug Something isn't working

Comments

@rusty-snake
Copy link
Collaborator

preparation

  • install firejail from git
  • sudo firecfg

syntax

$: regular user shell
%: shell inside firejail
>: comment
$PRG$: any program with a firecfg symlink

Issue 1

Outer firejail with private-etc without passwd.

$ firejail --private-etc="empty" --noprofile bash
% $PRG$
Error getpwuid: main.c:299 init_cfg: No such file or directory
% firejail echo
Error getpwuid: main.c:299 init_cfg: No such file or directory

Issue 2

Let's fix 1 and add passwd to private-etc.

Outer firejail with private-etc without login.defs.

adding firejail to private-etc because of 3.

$ firejail --private-etc="passwd,firejail" --noprofile bash
% firejail echo "Hello, Wolrd!"
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. echo will run without any additional sandboxing features
Hello, Wolrd!
> Ugly message, but works.

Issue 3

$ firejail --private-etc="passwd,login.defs" --noprofile bash
% $PRG$
Error: Firejail configuration file /etc/firejail/firejail.config not found
% firejail echo "Hello, World!"
Error: Firejail configuration file /etc/firejail/firejail.config not found

Bad commit: 8bff773 @smitsohu

3.1

$ firejail --private-etc="passwd,login.defs" --noprofile $PRG$
Error: Firejail configuration file /etc/firejail/firejail.config not found

Workaround: private-bin

$ firejail --private-etc="passwd,login.defs" --noprofile --shell=none --private-bin="$PRG$" $PRG$

or

$ firejail --private-etc="passwd,login.defs" --noprofile --private-bin="$PRG$,SHELL" $PRG$
@rusty-snake rusty-snake added the bug Something isn't working label Jul 29, 2019
@netblue30
Copy link
Owner

I guess it was broken for some time now, thanks!

@smitsohu
Copy link
Collaborator

smitsohu commented Aug 1, 2019

Bad commit: 8bff773 @smitsohu

Regarding this commit specifically, we maybe can just revert most of it. The proposed alternative (updating /etc/passwd) is the cleaner solution anyway.

smitsohu added a commit that referenced this issue Aug 9, 2019
@smitsohu
rewrite/partial revert of 8bff773
d325099 
the commit in question introduced an early check of Firejail configuration
file, which broke "firejail in firejail" for some sandboxes.

see issue #2877
@rusty-snake rusty-snake mentioned this issue Sep 8, 2019
Closed
@rusty-snake rusty-snake mentioned this issue Jul 27, 2020
Closed
@rusty-snake rusty-snake mentioned this issue Jan 29, 2021
Closed
@rusty-snake rusty-snake mentioned this issue Dec 25, 2021
Closed
@rusty-snake rusty-snake mentioned this issue Aug 18, 2022
Open
7 tasks
@glitsj16 glitsj16 mentioned this issue Feb 8, 2023
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@netblue30 @smitsohu @rusty-snake