Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shell not starting on login #6206

Open
4 of 7 tasks
intereglementet opened this issue Feb 12, 2024 · 10 comments
Open
4 of 7 tasks

Shell not starting on login #6206

intereglementet opened this issue Feb 12, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@intereglementet
Copy link

Description

Trying to use firejail to execute a login shell (for user "service").

Grateful for input on this.

Steps to Reproduce

Firejail is set as shell.

sudo grep service /etc/passwd
service:x:1001:1001:test user,,,:/home/service:/usr/local/bin/firejail

And a shell profile that is included from login.users exists:

cat /usr/local/etc/firejail/service_user.profile | grep -v #
include /usr/local/etc/firejail/default.profile
private-bin bash,ls,sh

If no shell is provided no command is found:

cat /usr/local/etc/firejail/login.users | grep -v #
service: --profile=/usr/local/etc/firejail/service_user.profile

Password:
Reading profile /usr/local/etc/firejail/service_user.profile
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
firejail version 0.9.73

Parent pid 1120188, child pid 1120189
4 programs installed in 40.29 ms
Base filesystem installed in 124.87 ms
Child process initialized in 281.18 ms
Cannot start application: No such file or directory

Parent is shutting down, bye...

Fair enough, so provide a shell:

cat /usr/local/etc/firejail/login.users | grep -v #
service: --profile=/usr/local/etc/firejail/service_user.profile /bin/bash

su -l service
Reading profile /usr/local/etc/firejail/service_user.profile
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
firejail version 0.9.73

Parent pid 1119897, child pid 1119898
4 programs installed in 74.39 ms
Base filesystem installed in 110.83 ms
Child process initialized in 304.28 ms
Error: no suitable SHELL=/usr/local/bin/firejail executable found

Parent is shutting down, bye...

Expected behavior

Bash as login shell

Actual behavior

Firejail is unable to find a working shell path

Behavior without a profile

cat /usr/local/etc/firejail/login.users | grep -v #
service: --noprofile /bin/bash

su -l service
firejail version 0.9.73

Parent pid 1123115, child pid 1123116
Base filesystem installed in 0.22 ms
Child process initialized in 20.72 ms
Error: no suitable SHELL=/usr/local/bin/firejail executable found

Parent is shutting down, bye...

Environment

/usr/local/bin/firejail --version
firejail version 0.9.73

uname -a
Linux ubuntu 5.15.0-91-generic #101~20.04.1-Ubuntu SMP Thu Nov 16 14:22:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

git rev-parse HEAD
bb45aa5

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

cat /usr/local/etc/firejail/login.users | grep -v \#
service: --debug --profile=/usr/local/etc/firejail/service_user.profile /bin/bash

su -l service
Reading profile /usr/local/etc/firejail/service_user.profile
Reading profile /usr/local/etc/firejail/default.profile
Found disable-common.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-common.inc
Found disable-programs.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-programs.inc
[profile] combined protocol list: "unix,inet,inet6"
Building quoted command line: '/bin/bash' 
Command name #bash#
firejail version 0.9.73

DISPLAY is not set
Using the local network stack
Parent pid 1123476, child pid 1123477
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
Drop privileges: pid 3, uid 1001, gid 1001, force_nogroups 0
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1418 114 8:5 /etc /etc ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1418 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1419 1418 8:5 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1419 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1420 114 8:5 /var /var ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1420 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1421 1420 8:5 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1421 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1422 114 8:5 /usr /usr ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1422 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot open /run/user/1001 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/sr0 file
mounting /run/firejail/mnt/dev/hidraw0 file
Process /dev/shm directory
Copying files in the new bin directory
Checking /usr/local/bin/bash
Checking /usr/bin/bash
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin 
Checking /usr/local/bin/ls
Checking /usr/bin/ls
sbox run: /run/firejail/lib/fcopy /usr/bin/ls /run/firejail/mnt/bin 
Checking /usr/local/bin/sh
Checking /usr/bin/sh
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
4 programs installed in 53.82 ms
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Creating a new /etc/hostname file
Creating empty /run/firejail/mnt/hostname file
Creating a new /etc/hosts file
Loading user hosts file
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /proc/kmsg
Debug 588: whitelist /tmp/.X11-unix
Debug 609: expanded: /tmp/.X11-unix
Debug 620: new_name: /tmp/.X11-unix
Debug 630: dir: /tmp
Adding whitelist top level directory /tmp
Debug 588: whitelist /tmp/sndio
Debug 609: expanded: /tmp/sndio
Debug 620: new_name: /tmp/sndio
Debug 630: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Mounting tmpfs on /tmp, check owner: no
1381 114 0:71 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=1381 fsname=/ dir=/tmp fstype=tmpfs
Whitelisting /tmp/.X11-unix
1608 1381 8:5 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1608 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Add path entry /usr/local/sbin
Add path entry /usr/local/bin
Add path entry /usr/sbin
Add path entry /usr/bin
Add path entry /sbin
...skip path /bin
Add path entry /usr/games
Add path entry /usr/local/games
Add path entry /snap/bin
Number of path entries: 8
Disable /etc/systemd/network
Disable /etc/systemd/system
Disable /var/lib/systemd
Disable /etc/init.d
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/docker.sock (requested /var/run/docker.sock)
Disable /run/rpcbind.sock (requested /var/run/rpcbind.sock)
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/adduser.conf
Disable /etc/anacrontab
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/cron.hourly
Disable /etc/cron.d
Disable /etc/cron.daily
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/crontab
Disable /etc/default
Disable /etc/grub.d
Disable /etc/kernel
Disable /etc/kerneloops.conf
Disable /etc/kernel-img.conf
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/modules
Disable /etc/modules-load.d
Disable /etc/rc.local
Disable /etc/rc3.d
Disable /etc/rc5.d
Disable /etc/rcS.d
Disable /etc/rc2.d
Disable /etc/rc4.d
Disable /etc/rc1.d
Disable /etc/rc6.d
Disable /etc/rc0.d
Disable /etc/logcheck
Mounting read-only /home/service/.bash_logout
1655 1432 8:5 /home/service/.bash_logout /home/service/.bash_logout ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1655 fsname=/home/service/.bash_logout dir=/home/service/.bash_logout fstype=ext4
Mounting read-only /home/service/.bashrc
1656 1432 8:5 /home/service/.bashrc /home/service/.bashrc ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1656 fsname=/home/service/.bashrc dir=/home/service/.bashrc fstype=ext4
Mounting read-only /home/service/.profile
1657 1432 8:5 /home/service/.profile /home/service/.profile ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1657 fsname=/home/service/.profile dir=/home/service/.profile fstype=ext4
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /etc/sudoers
Disable /etc/sudoers.d
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Disable /usr/lib/eject/dmcrypt-get-device
Disable /usr/lib/openssh
Disable /usr/lib/policykit-1/polkit-agent-helper-1
Disable /usr/lib/xorg/Xorg.wrap
Disable /snap
Disable /usr/lib/snapd
Disable /var/lib/snapd
Disable /var/snap
Mounting read-only /tmp/.X11-unix
1679 1608 8:5 /tmp/.X11-unix /tmp/.X11-unix ro,relatime master:1 - ext4 /dev/sda5 rw,errors=remount-ro
mountid=1679 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /sys/fs
Disable /sys/module
Base filesystem installed in 128.62 ms
Mounting noexec /run/firejail/mnt/pulse
1682 1415 0:58 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1682 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/service/.config/pulse
1683 1432 0:58 /pulse /home/service/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1683 fsname=/pulse dir=/home/service/.config/pulse fstype=tmpfs
Current directory: /home/service
DISPLAY is not set
Install protocol filter: unix,inet,inet6
configuring 23 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 8, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 9, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
Dual 32/64 bit seccomp filter configured
configuring 79 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 10, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
seccomp filter configured
Install namespaces filter
configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces 
Dropping all capabilities
Drop privileges: pid 11, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 
Dropping all capabilities
Drop privileges: pid 12, uid 1001, gid 1001, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
==snip===============================
Mounting read-only /run/firejail/mnt/seccomp
1685 1415 0:58 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1685 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             200 .
drwxr-xr-x root     root             340 ..
-rw-r--r-- service  service          632 seccomp
-rw-r--r-- service  service          432 seccomp.32
-rw-r--r-- service  service          207 seccomp.list
-rw-r--r-- service  service          208 seccomp.namespaces
-rw-r--r-- service  service          208 seccomp.namespaces.32
-rw-r--r-- service  service            0 seccomp.postexec
-rw-r--r-- service  service            0 seccomp.postexec32
-rw-r--r-- service  service          184 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
/run/firejail/mnt/seccomp/seccomp.namespaces
/run/firejail/mnt/seccomp/seccomp.namespaces.32
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1001, gid 1001, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Child process initialized in 347.26 ms
Error: no suitable PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin executable found
monitoring pid 13

Sandbox monitor: waitpid 13 retval 13 status 256

Parent is shutting down, bye...

@glitsj16
Copy link
Collaborator

service: --profile=/usr/local/etc/firejail/service_user.profile

Longshot. There might be some confusion about correct syntax in login.users.

firejail/etc/login.users

Line 6 in 5d3b61d

# user name: arguments

Yet, there's NO space between the user name and the program arguments:

firejail/etc/login.users

Line 10 in 5d3b61d

# netblue:--net=none --protocol=unix

firejail/etc/login.users

Line 14 in 5d3b61d

# user*: --private

Have you tried dropping that space yet? So:

$ cat /usr/local/etc/firejail/login.users | grep -v #
 service:--profile=/usr/local/etc/firejail/service_user.profile

@intereglementet
Copy link
Author

intereglementet commented Feb 12, 2024
edited
Loading

Well spotted. I tried a few different login.users variants without that space; unfortunately that was not it, that made no difference. I did however notice that additional arguments change the error message in a peculiar way.

service:--debug --private-bin=bash --profile=/usr/local/etc/firejail/service_user.profile /bin/bash

Error: no suitable HOME=/home/service executable found

@glitsj16
Copy link
Collaborator

Ah well, the 'space' thing would have been too easy I guess :-)

Other idea: the allusers option. But to avoid stabbing in the dark indefinately, you could try with our weakest (most permissive) profile and determine of you can get that to work:

$ cat foo
service:--debug --profile=/usr/local/etc/firejail/noprofile.profile /bin/bash

@intereglementet
Copy link
Author

Well, at this point stabbing is fine by me =)

service:--debug --profile=/usr/local/etc/firejail/noprofile.profile /bin/bash

*:--allusers --profile=/usr/local/etc/firejail/noprofile.profile /bin/bash

...both gets:

Error: no suitable PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin executable found

@glitsj16
Copy link
Collaborator

glitsj16 commented Feb 15, 2024
edited
Loading

Found some time to come back to this. I can confirm that - at the very least - the restricted shell feature isn't working as described in the documentation. Perhaps I'm missing something vital though, I never tried using it before (simply because I only have single-user laptops).

Below are some observations, for a newly created user guest.

$ sudo grep guest /etc/password
guest:x:1002:1002:guest@lab16,,,,:/home/guest:/usr/bin/firejail
$ cat /etc/firejail/login.users
# /etc/firejail/login.users - restricted user shell configuration
#
# Each user entry consists of a user name and firejail
# program arguments:
#
#       user name: arguments
#
# For example:
#
#       netblue:--net=none --protocol=unix
#
# Wildcard patterns are accepted in the user name field:
#
#       user*: --private
#
# The example will do --private for user1, user2, and so on.
#
# The extra arguments are inserted into program command line if firejail
# was started as a login shell.

## all restricted users:
#+ have throwaway data [--private]
#+ are provided a very restricted shell [--private-bin=bash,ls,sh]
#+ have tab-completion [--tab]
*:--quiet --private --private-bin=bash,ls,sh --tab

What isn't working:

$ su -l guest
Password:
Cannot start application: No such file or directory
$ su guest
Password:
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local
Reading profile /etc/firejail/landlock-common.inc
Reading profile /etc/firejail/landlock-common.local

** Note: you can use --noprofile to disable default.profile **

firejail version 0.9.73

Parent pid 51288, child pid 51290

Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in 84.97 ms
Child process initialized in 150.05 ms
Cannot start application: Permission denied

Parent is shutting down, bye...
$ su -l guest /bin/bash
Password:
Error: no suitable HOME=/home/guest executable found

What seems to work:

$ su guest /bin/bash
Password:
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local
Reading profile /etc/firejail/landlock-common.inc
Reading profile /etc/firejail/landlock-common.local

** Note: you can use --noprofile to disable default.profile **

firejail version 0.9.73

Parent pid 54796, child pid 54798

Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in 90.97 ms
Child process initialized in 159.25 ms
[guest@lab16 ~]$ cat .bashrc
#
# ~/.bashrc
#

# If not running interactively, don't do anything
[[ $- != *i* ]] && return

alias ls='ls --color=auto'
alias grep='grep --color=auto'
PS1='[\u@\h \W]\$ '
[guest@lab16 ~]$ echo "I should be discarded after closing the sandbox due to --private" > discard.me
[guest@lab16 ~]$ exit
exit

Parent is shutting down, bye...

glitsj16@lab16 $ sudo cat /home/guest/discard.me
I should be discarded after closing the sandbox due to --private

I used _seems_ to work above because the configured options from /etc/firejail/login.users are NOT respected:

  • the --quiet option is there, yet I see firejail's output
  • the --private option isn't working, I can see discard.me in the real filesystem after closing the sandbox
  • the --private-bin=bash,ls,sh doesn't mention cat, yet I can use that regardless (just like I could any other command from inside the sandbox BTW)

Side-note:
Login from TTY isn't possible at all: Login incorrect

Marking this as a bug.

@glitsj16 glitsj16 added the bug Something isn't working label Feb 15, 2024
@kmk3
Copy link
Collaborator

kmk3 commented Feb 15, 2024

Trying to use firejail to execute a login shell

I didn't look into this too closely, but could it be related to --shell being
removed in 0.9.72 (#5190 / #5196)?

0.9.73 also had some related changes which might affect this (for example, see
#5605).

Does it work in 0.9.70 or 0.9.72?

@intereglementet
Copy link
Author

A workaround seems to be putting the firejail command in a login shell script, like:

# cat login.sh

#!/bin/sh
/usr/bin/firejail --quiet --profile=/path/service_user.profile /bin/bash

# chsh -s /path/login.sh service

@glitsj16
Copy link
Collaborator

@intereglementet

Thanks for the workaround. Can your user service login from TTY with that? Or did you need something else in your service_user.profile?

@intereglementet
Copy link
Author

This is an embedded system, so at this point I have only been able to test su -l and ssh. Nothing special was needed in the profile for that. Will get back to you if I get a chance to test tty.

@glitsj16
Copy link
Collaborator

@intereglementet

No problem. Nice to see firejail being used on embedded systems. Thanks again for reporting this. Now we're aware of the issue we can work towards a fix that actually respects what is in login.users.

Cheers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@glitsj16 @kmk3 @intereglementet