Can't create run directory without suid-root #2310

Closed
reinerh opened this issue Dec 22, 2018 · 3 comments
Labels
bug Something isn't working enhancement New feature request

Comments

@reinerh
Collaborator

reinerh commented Dec 22, 2018

I compiled firejail with --disable-suid and tried running it, but it fails to start:

Error mkdir: util.c:1014 create_empty_dir_as_root: Permission denied

It tries to create its runtime hierarchy in /run/firejail, which is not possible as an unprivileged user.
If this is not supported, it should check the uid and print a more friendly error message if the user is not root.
If an unprivileged user should be able to run it (without suid-root), maybe it can create required directories in the user's home directory.

@Vincent43
Collaborator

Vincent43 commented Dec 22, 2018

I think --disable-suid is only for distros which don't allow packages with setuid binaries in their repos. In that case users are supposed to enable suid bit on firejail binary themselves. Otherwise --disable-suid works only when run as root user.

See also #1846 (comment)

@chiraag-nataraj
Collaborator

Seems like this was answered. @reinerh, I'll go ahead and close this, but please feel free to re-open if you have further questions.

@reinerh
Collaborator Author

reinerh commented May 22, 2019

It was actually more a bug report or feature request than a question...

If firejail does not support being run without suid-flag, then this should be checked and printed.
If only a subset of the features is working without suid, then it should give a better explanation of what failed (other than "permission denied") and maybe work around it if possible (like falling back to a directory that is actually writable by the user).
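
One way to implement the check and fallback requested in the comments above, as an added example (not firejail's code and not the fix from the commits referenced below). The names `pick_run_dir` and `run_dir_status` are hypothetical, and using `$XDG_RUNTIME_DIR` as the per-user base directory is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define SYSTEM_RUN_DIR "/run/firejail" /* path named in the issue */
enum run_dir_status { RUN_DIR_SYSTEM, RUN_DIR_FALLBACK, RUN_DIR_UNAVAILABLE };

/* Hypothetical helper (not firejail's): choose the runtime directory for the
 * given effective uid, or explain in `why` what is missing. `user_base` is a
 * candidate per-user directory; $XDG_RUNTIME_DIR is an assumption made here. */
enum run_dir_status pick_run_dir(uid_t euid, const char *user_base,
                                 char *out, size_t outlen, char *why, size_t whylen)
{
    struct stat st;
    if (euid == 0) { /* root or setuid-root: the system path can be created */
        snprintf(out, outlen, "%s", SYSTEM_RUN_DIR);
        return RUN_DIR_SYSTEM;
    }
    if (user_base == NULL || user_base[0] != '/') {
        snprintf(why, whylen, "euid %ld is not root, so %s cannot be created, "
                 "and no absolute per-user directory is set; run as root or "
                 "set the setuid bit on the binary", (long)euid, SYSTEM_RUN_DIR);
        return RUN_DIR_UNAVAILABLE;
    }
    /* Accept only a real directory owned by the caller that nobody else can
     * write to; lstat() so a symlinked base is rejected instead of followed. */
    if (lstat(user_base, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != euid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        snprintf(why, whylen, "%s is not a private directory owned by euid %ld",
                 user_base, (long)euid);
        return RUN_DIR_UNAVAILABLE;
    }
    if ((size_t)snprintf(out, outlen, "%s/firejail", user_base) >= outlen) {
        snprintf(why, whylen, "fallback path under %s is too long", user_base);
        return RUN_DIR_UNAVAILABLE;
    }
    return RUN_DIR_FALLBACK;
}

int main(void)
{
    char dir[4096], why[512];
    enum run_dir_status s = pick_run_dir(geteuid(), getenv("XDG_RUNTIME_DIR"),
                                         dir, sizeof dir, why, sizeof why);
    if (s == RUN_DIR_UNAVAILABLE) fprintf(stderr, "Error: %s\n", why);
    else printf("run directory: %s\n", dir);
    return s == RUN_DIR_UNAVAILABLE;
}
```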

@reinerh reinerh reopened this May 22, 2019
@chiraag-nataraj chiraag-nataraj added bug Something isn't working enhancement New feature request labels May 22, 2019
rusty-snake added a commit to rusty-snake/firejail that referenced this issue May 13, 2021
rusty-snake added a commit to rusty-snake/firejail that referenced this issue May 14, 2021
netblue30 added a commit that referenced this issue May 18, 2021
Try to fix #2310 -- Can't create run directory without suid-root
kmk3 added a commit to kmk3/firejail that referenced this issue Nov 24, 2021
See commit 15d7938 ("Try to fix netblue30#2310 -- Can't create run directory
without suid-root", 2021-05-13) / PR netblue30#4273.

It is the only "HAVE_" option whose value is set by if/else on a
makefile.  Also, it is set in different places to either "yes", "no",
blank or "-DHAVE_SUID".  Set the value only on configure.ac and only to
either blank or to "-DHAVE_SUID".

Misc: The `ifeq ($(HAVE_SUID),-DHAVE_SUID)` comparison that this adds is
based on the existing `ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)`
comparison on Makefile.in.
kmk3 added a commit to kmk3/firejail that referenced this issue Nov 25, 2021