
option to change user #208

Closed
the8472 opened this issue Jan 3, 2016 · 13 comments
Labels
enhancement New feature request

Comments

@the8472 commented Jan 3, 2016

Currently it's only possible to bind-mount paths when called by root.

But calling as root prevents passing --noroot which in turn necessitates changing the user within the sandbox via su or sudo and possibly unshare to do what --noroot normally would.

But all those do require more capabilities/system calls than necessary.

So I think it would be useful to drop capabilities, change user and create a user namespace in one go.

@netblue30 netblue30 added the enhancement New feature request label Jan 3, 2016
@genodeftest (Contributor)

Do you want to run e.g. firefox as a different user inside your own home directory?

@the8472 (Author) commented Jan 14, 2016

The idea is to have a user and home directory dedicated to a specific application; that makes it much simpler to reason about file permissions.

@genodeftest (Contributor)

So for e.g. firefox you won't run it from /home/username but e.g. from /home/username.firefox, right?
And you could put your username.firefox inside the same group as username so you can create files writeable by username and readable by group.

@the8472 (Author) commented Jan 14, 2016

My particular use case is to start daemons which need both network and filesystem access from root, which makes them prime candidates for jailing. Currently the choices for that are either calling su -c "firejail --noroot <daemon>" <user> or firejail ... su -c "<daemon>" <user>. Both have their own drawbacks.

Letting non-root users do that would seem tricky to get right, since it could be easily exploited to gain access to other users if not done right.

@netblue30 (Owner)

I think I'll stay away from it, it creates too many security problems. In order to do it right, I'll end up duplicating all su code into firejail.

@the8472 (Author) commented Jan 17, 2016

Would it be possible to delegate this task to su then and insert it between the parent and child firejail instances?

@netblue30 (Owner)

The problem is you need to start the sandbox as root, otherwise I cannot let you change the user. Firejail is a SUID binary and can change to any user, but we just cannot let it do it for a regular user.

Support for changing the user makes more sense when running servers. Maybe I'll add some support for it, but the user will need to be root to begin it.
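The sequence this thread keeps circling (clear groups, change user, lock out re-escalation, then enter a user namespace the way --noroot does), as an added illustration that is not Firejail's own code; the function names are mine, and the last step assumes Linux with unprivileged user namespaces enabled:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* 1 when real, effective and saved uid/gid all equal the target. */
int ids_match(uid_t uid, gid_t gid) {
    uid_t ru, eu, su; gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) || getresgid(&rg, &eg, &sg)) return 0;
    return ru == uid && eu == uid && su == uid && rg == gid && eg == gid && sg == gid;
}

/* Change user in the order a SUID helper must use: supplementary groups,
 * then gid, then uid (once the uid is unprivileged, groups can no longer
 * be dropped), then forbid regaining privilege through SUID/file-capability
 * binaries.  Switching to a non-zero uid also clears the capability sets. */
int drop_to_user(uid_t uid, gid_t gid) {
    /* Clearing supplementary groups needs CAP_SETGID; an already
     * unprivileged caller gets EPERM and has nothing to clear. */
    if (setgroups(0, NULL) && !(errno == EPERM && geteuid() != 0)) return -1;
    if (setresgid(gid, gid, gid)) return -1;          /* real, effective, saved */
    if (setresuid(uid, uid, uid)) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return ids_match(uid, gid) ? 0 : -1;              /* verify, never assume */
}

/* 1 once PR_SET_NO_NEW_PRIVS is in effect; the flag cannot be cleared. */
int no_new_privs_set(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1; }

static int write_proc(const char *path, const char *text) {
    FILE *f = fopen(path, "w");                      /* one short write */
    if (!f) return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* What --noroot then adds: a user namespace mapping only the target
 * uid/gid to "root", so root inside the sandbox is nobody outside it.
 * Requires unprivileged user namespaces to be enabled on the host. */
int enter_user_namespace(uid_t uid, gid_t gid) {
    char map[64];
    if (unshare(CLONE_NEWUSER)) return -1;
    /* Since Linux 3.19 gid_map can only be written after denying setgroups. */
    if (write_proc("/proc/self/setgroups", "deny")) return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_proc("/proc/self/uid_map", map)) return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    return write_proc("/proc/self/gid_map", map);
}
```

A sandbox launcher started via sudo would call drop_to_user() with the target account's ids before exec'ing the program, which is exactly why the owner insists the caller must already be root.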

@the8472 (Author) commented Jan 18, 2016

Yes, starting it as root was my use-case.

@netblue30 (Owner)

OK, that's easier. I'll implement it.

@netblue30 netblue30 reopened this Jan 18, 2016
@netblue30 (Owner)

I have it ready in the latest version in git. Example:

$ sudo firejail --user=some-other-user firefox

@gima commented Jul 4, 2017

$ firejail --user 
Error: invalid --user command line option

Is this feature still about to be included?

My use-case is this: I would need to overlay/bindmount a file to a directory, to which my user has no write access. I would need to use sudo to run firejail, but then the jailed executable is run as root and not as my user.

If it matters, the file in question is: /usr/lib/firefox/mozilla.cfg

@netblue30 (Owner)

The --user option was removed a long time ago. You would need to update your software.

@scruloose

Wait, what?

In early 2016 you added the option to have Firejail seamlessly switch to another user (when called as root via sudo, naturally) so users could seamlessly combine sandboxing and Linux account separation to suit their use-case… but by a year and a half later it had been "removed a long time ago"?

What did I miss? Did this blow up in somebody's face?

I ask because I would really like that functionality. Being able to run graphical programs, sandboxed and as an entirely different Linux user, but exporting the window to my existing desktop? That would be super helpful. So if it was removed due to factors that can reasonably be resolved, I would ask about re-opening this issue — or I could start a new one; whatever's convenient for you. But if it's more like "Yeah we tried that and the answer is no", then I won't bother.

What do you think?
