-
Notifications
You must be signed in to change notification settings - Fork 558
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error: too long environment variables, please use --rmenv #3678
Comments
There is more detailed info on protecting against
While patching and recompiling might 'fix' your issue, please be aware of the potential pitfalls of doing so in this context. The thread referenced above should provide a safer way out for your LS_COLORS issue. |
@glitsj16 Thx for the link, that makes sense. However that still does not address the problem with the |
There's also some info on #3350. I think the proper fix to finalize #3322. Then the environment for Firejail itself is controlled and only a very small number of whitelisted, length checked variables are allowed inside the set-uid program. The variables are restored for the application itself and then the length checks could be relaxed. But even if #3322 was ready, I don't think it would be a good idea to push it just now when we're close to release. Checking total environment size is a nice idea. Now we allow 256*(4096B+32B) = ~1MB of variables, when in reality maybe 64kB could be plenty while still allowing more or larger variables. Though this would be obsolete with #3322. |
So #3322 fixes this, right? |
I prefer #3322, because it protects Firejail fully but it also allows applications to get less restricted environment. To finalize it, I still have to check all paths where Firejail executes something to ensure that the set of env variables is correct for each case. |
I also ran into the same error message using the $ git status
On branch master
Your branch and 'origin/master' have diverged,
and have 1 and 1 different commits each, respectively.
(use "git pull" to merge the remote branch into yours)
nothing to commit, working tree clean but
so there must be firejail working in the background when I use and The main difference I've found so far is the last call before the error happens in the $ ll /usr/lib/git-core/git
lrwxrwxrwx 1 root root 13 Mar 27 09:27 /usr/lib/git-core/git -> ../../bin/git I don't know why this error happens, at all. Ok my PS1 and _OLD_VIRTUAL_PS1 variables are pretty long which produce a beautiful prompt I really want to keep. Running $ firejail --rmenv=PS1 --rmenv=_OLD_VIRTUAL_PS1 /usr/bin/git pull
Already up to date. works as expected. But this doesn't explain why firejail is involved in the plain My setupapparmor (3.0.1) $ firejail --rmenv=PS1 --rmenv=_OLD_VIRTUAL_PS1 --version
firejail version 0.9.64.4
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled yes running OS=Archlinux with kernel 5.10.27
|
@MaelStor Odd indeed. Firejail has had a git.profile for a while now, and it definately is in the 0.9.64.4 package on Arch. Can you confirm there is no /etc/firejail/git.profile on your system? Also, what does |
Sorry, yes indeed there is a profile for git
Seems I mixed things up with I tried running the same Setting
|
It's |
@glitsj16 @rusty-snake Thanks. Now it makes sense. However putting rmenv into a local profile for ssh
didnt' help. I still cannot run git commands if ssh is involved because I cannot pass the In addition I always have to run IMHO It would help if I would be noticed about running ssh in a sandbox when I execute git, like it happens when running a program directly with firejail not in quiet mode. Also in the debug output of |
Use firemon (e.g.
There is no ssh.profile loaded if you firejail git. |
Using However if I switch to bash with a shorter PS1 I've got |
|
Yes these are the only ones. It's not me who's exporting them, at least in zsh. I've tried unsetting themwith EDIT: Got it working. I've overseen a command at the end of the file |
It would be great if I could get rid of the |
Any alias is just a workaround tho. A real fix would either allow rmenv in the config, or simply not choke on long env variables ;) |
We accept PR's. Feel free to provide one that offers at least the same level of protection against stack smashing attacks as currently implemented. You can always drop LS_COLORS if security > shiny setups. |
Wait, this is intentional? My impression was it was just a bug. Tho I admit it makes sense to bail out before config parsing begins. In that case, the bail-out message could probably clarify that only btw, it's just not shiny. I have other long env variables for varaious reasons, that my alias needs to exclude. |
How about using an extra environment.global file in |
This change doesn't alter any checks, but it gives more specific errors when a sanity check of env vars or argv does not pass, which can point to limits to raise or at least give us better detailed bug reports. Signed-off-by: Hank Leininger <[email protected]> Bug: netblue30#3678 Bug: netblue30#3851 Bug: netblue30#4633
This change doesn't alter any checks, but it gives more specific errors when a sanity check of env vars or argv does not pass, which can point to limits to raise or at least give us better detailed bug reports. Signed-off-by: Hank Leininger <[email protected]> Bug: netblue30#3678 Bug: netblue30#3851 Bug: netblue30#4633
This change doesn't alter any checks, but it gives more specific errors when a sanity check of env vars or argv does not pass, which can point to limits to raise or at least give us better detailed bug reports. Signed-off-by: Hank Leininger <[email protected]> Bug: netblue30#3678 Bug: netblue30#3851 Bug: netblue30#4633
I just ran into this error.
My LS_COLORS env var is rather big (~5kb), which lead to:
Error: too long environment variables, please use --rmenv
I also can not work around the problem by passing
--rmenv=LS_COLORS
settingrmenv LS_COLORS
in globals.local does also not work.The problem is that calling
unsetenv(*ptr)
in main does not modify theenvp
passed tomain()
,extern char ** environ;
should be used instead. Also I guess, that the profile is loaded after the check, so setting it in a profile won't work. Maybe this should be supported?Also I don't understand what this check is trying to accomplish, any explanation would be appreciated.
For now I can just increase the limit by patching and recompiling myself.
The text was updated successfully, but these errors were encountered: