ssh: errors accessing shell file from /usr/share when using fish and mosh #5721
Comments
Basic debugging information is missing; please follow the bug report template: |
@kmk3 updated description according to template, left out the last part (logs) as I don't find it relevant |
What are the errors? Do they happen when invoking just ssh with firejail? Example: firejail /usr/bin/ssh <server>
What is the output with |
The errors are about missing functions ( No it does not happen when using Yes it works as expected when I invoke |
ssh.profile has whitelist-usr-share-common.inc, so the following workaround ~/.config/firejail/ssh.local:
Though I think that ideally this would be fixed in mosh (why does it source |
The ssh profile includes firejail/etc/profile-m-z/ssh.profile Line 23 in 0c00616
But that included file doesn't whitelist /usr/share/fish, so you'll need at least that. What happens when you add Also, due to mosh not having a separate firejail profile there might be additional things going awry (include logic or otherwise) that we can't see without logs. I can understand that you don't find those relevant, but at least double-check everything on your side if the above doesn't fix things. |
Those are not just auto-completion functions, they are fairly core functions that are typically called from user's |
Here's what's happening https://asciinema.org/a/4AitlLYB2xuA9qsYdNHoABBbI
|
FWIW, I actually did create firejail profiles for |
I think we need to find what exactly is running user's shell (fish in this case) and under what conditions. It seems it's not ssh, then it must be mosh, but why is it getting ssh.profile restrictions? When I |
But why would it (re-)source them locally? Does it re-spawn the user shell? Presumably these files would already have been sourced by the current shell
This seems to be a quirk of mosh, so such whitelisting (including any other But ideally we would first understand why it tries to do the sourcing. It could also be added to whitelist-usr-share-common.inc, but it seems |
/usr/local/bin usually takes precedence over /usr/bin in |
Here are my mosh profiles:
|
I actually don't see anything that 'weird' here. The ssh profile that's being called simply doesn't whitelist /usr/share/fish. A local override can fix that without doing anything else IMO. But let's wait and see what happens when @skrat uses these referenced mosh profiles. |
Nothing happens with those profiles, same error. There's still no explanation why locally spawned user shell is getting ssh.profile restrictions. |
I know nothing about fish or about firejail, but when you mosh into a remote server, the |
Good.
Seems to contradict the above. If
But there is an explanation: (1) According to your opening post you've set your user to use fish shell in /etc/passwd. Please, I'm not intending to dispute what you're seeing, nor am I trying to be snug here. Based on what you've shown in this thread it all seems pretty straightforward. And fixable. |
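An added example, not code from this thread or from the firejail project: it follows `include` lines from a profile as the comments above describe and reports whether a path under /usr/share stays visible once whitelisting applies there. The profile contents are constructed stand-ins, only `include` and `whitelist` lines are modelled, and it assumes that any whitelist entry under /usr/share hides everything else in that directory and that an absent *.local include is skipped.

```python
import posixpath

# Constructed stand-ins for the files named in the thread; the real profiles
# contain many more directives. Only `include` and `whitelist` are modelled.
SAMPLE_PROFILES = {
    "ssh.profile": "# constructed sample\n"
                   "include ssh.local\n"
                   "include whitelist-usr-share-common.inc\n",
    "whitelist-usr-share-common.inc": "whitelist /usr/share/locale\n"
                                      "whitelist /usr/share/terminfo\n",
}


def collect_whitelists(name, profiles, seen=None):
    """Return every whitelist path reachable from `name` via include lines."""
    seen = set() if seen is None else seen
    if name in seen or name not in profiles:
        return []  # include loop, or an absent file such as an unset *.local
    seen.add(name)
    paths = []
    for raw in profiles[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        if keyword == "include":
            paths += collect_whitelists(arg.strip(), profiles, seen)
        elif keyword == "whitelist":
            paths.append(posixpath.normpath(arg.strip()))
    return paths


def visible_under(top, path, whitelists):
    """True if `path` is still reachable given the whitelist entries under `top`."""
    def inside(parent, child):
        return child == parent or child.startswith(parent.rstrip("/") + "/")

    path = posixpath.normpath(path)
    entries = [w for w in whitelists if inside(top, w)]
    if not entries:
        return True  # no whitelist touches `top`, so it is left untouched
    return any(inside(entry, path) for entry in entries)


if __name__ == "__main__":
    target = "/usr/share/fish/functions"
    with_override = dict(SAMPLE_PROFILES, **{"ssh.local": "whitelist /usr/share/fish\n"})
    for label, profiles in (("stock", SAMPLE_PROFILES), ("with ssh.local", with_override)):
        found = collect_whitelists("ssh.profile", profiles)
        print(f"{label}: {target} visible = {visible_under('/usr/share', target, found)}")
```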
Description
I'm using mosh, it's running ssh and doing UDP mumbo jumbo, that's beyond this report. I'm also using fish shell (set in /etc/passwd). Now mosh is running ssh to do its thing. This is where firejail is invoked to run ssh. Somehow it needs to run user's shell in that process, but suddenly the files that need to be loaded from /usr/share/fish are not accessible because of some firejail rules. This results in fish spewing errors locally. I'm not sure what to do about it, what to whitelist, etc.
Related:
mobile-shell/mosh#1262
Steps to Reproduce
Steps to reproduce the behavior
~/.config/fish/config.fish such as calls to fish_add_path or just add some alias ll=ls -l
mosh to a remote server (needs to have mosh installed and UDP ports accessible, see https://github.com/mobile-shell/mosh#how-it-works)
Expected behavior
It would just connect, not complaining about unknown functions called in ~/.config/fish/config.fish
Actual behavior
Spews errors because functions are not loaded from /usr/share/fish
Behavior without a profile
What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?
Additional context
...
Environment