
Firejail does not work with a custom hosts file #2758

Closed
rmrgh opened this issue Jun 10, 2019 · 12 comments · Fixed by #4560
Labels
bug Something isn't working

Comments

@rmrgh

rmrgh commented Jun 10, 2019

When running firejail with a custom hosts file:
$ firejail --noprofile --private --hosts-file=hosts firefox -no-remote
it reports the following errors:

Parent pid 32480, child pid 32481
Error: invalid /etc/hosts file
Error: proc 32480 cannot sync with peer: unexpected EOF
Peer 32481 unexpectedly exited with status 1

My hosts file contains only:

127.0.0.1 sample.localhost

Even with an empty file, it reports the same errors.

Firejail Version: 0.9.58
Linux Distribution: NixOS 19.03

@rmrgh rmrgh changed the title Firejail does not work with custom hosts file Firejail does not work with a custom hosts file Jun 10, 2019
@rusty-snake
Collaborator

Can't reproduce with firejail 0.9.61 under Fedora 29.

$ firejail --private --noprofile --hosts-file=hfile firefox-wayland -no-remote
… No Error about hosts
$ cat hfile
127.0.0.1 some.localhost

@chiraag-nataraj
Collaborator

I even just tried firejail --hosts-file=/dev/null and it worked.

@netblue30
Owner

There could be two reasons for it to fail: if the hosts file is a symbolic link, or if the user doesn't have read access to the file. Also, try to put a full path for the hosts file, something like "--hosts-file=/home/username/hostfile". Works fine on 0.9.58, that code didn't change in ages.

@rusty-snake rusty-snake added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Jun 11, 2019
@reinerh reinerh added bug Something isn't working and removed information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required labels Jun 12, 2019
@Nudin

Nudin commented Mar 31, 2020

I got the same issue on Arch with firejail 0.9.62. The file is no symlink and readable by the user.

$ touch /home/michi/empty
$ chmod 777 /home/michi/empty
$ firejail --noprofile --hosts-file=/home/michi/empty
Parent pid 87979, child pid 87980
Error: invalid /etc/hosts file
Error: proc 87979 cannot sync with peer: unexpected EOF
Peer 87980 unexpectedly exited with status 1

@Enteee

Enteee commented Mar 23, 2021

Can confirm the same behavior as @rmrgh observed on NixOS (symlinked /etc/hosts). Firejail 0.9.64.4 does fail on firejail --hosts-file=/dev/null with:

Error: dumpable process
Remove read permission on fseccomp executable
Warning: cleaning all supplementary groups
Error: invalid /etc/hosts file
Error: proc 13962 cannot sync with peer: unexpected EOF
Peer 13963 unexpectedly exited with status 1

this is the check that fails:

	if (is_link("/etc/hosts"))
		goto errexit;

Removing this check seems to be simple enough, but I am not quite sure why this is there in the first place.

For those who use NixOS: I have written an overlay that removes the check by patching firejail. Running the command is working, but the /etc/hosts file is not read. Inside the jail the file /etc/hosts points to is actually changed to whatever you set as --hosts-file, but it is not actually used by the system resolver. Don't really know why...

self: super: {
  firejail = (super.firejail.overrideAttrs (oldAttrs: {
    patches = [
      (
      # Fix for https://github.com/netblue30/firejail/issues/2758
      super.writeText "fix-2758" ''
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 8a3bb71e..0d318744 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -222,9 +218,6 @@ void fs_mount_hosts_file(void) {
 	struct stat s;
 	if (stat("/etc/hosts", &s) == -1)
 		goto errexit;
-	// not a link
-	if (is_link("/etc/hosts"))
-		goto errexit;
 	// owned by root
 	if (s.st_uid != 0)
 		goto errexit;

      ''
      )
    ];
  }));
}
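Review bot: deleting the `// not a link` guard (the three `-` lines) without a replacement changes what the following checks validate: `stat("/etc/hosts", &s)` and `if (s.st_uid != 0)` are kept, but stat(2) follows symlinks, so the owner check is now evaluated against the link target rather than the link in /etc, and the bind mount that follows will likewise land on wherever the link resolves. If the goal is to support a symlinked /etc/hosts (the NixOS `/etc/hosts -> /etc/static/hosts -> /nix/store/...` chain), the safer shape is to resolve the path explicitly (e.g. with realpath(3)), apply the existing root-ownership check to the resolved path, and mount on that path, rather than silently dropping the guard; please also record in the commit message why the guard existed, since the thread itself could not say.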

@deliciouslytyped

@Enteee thanks, I ran into the same issue.

Low key note that copying the script into a config won't work if you use spaces because the source file uses tabs, which causes a small bit of confusion as to why the patch isn't applying.

@dunesong

Had the same issue. In my case, /etc/hosts was not owned by root. Correcting that fixed the issue.

sudo chown root:root /etc/hosts

@smitsohu
Collaborator

smitsohu commented Sep 22, 2021

@onny May I ask where the link points to in NixOS?

EDIT: Reading a bit more about NixOS this is probably a stupid question. It points to /nix/store/something if I understand correctly.

@onny
Contributor

onny commented Sep 24, 2021

@onny May I ask where the link points to in NixOS?

EDIT: Reading a bit more about NixOS this is probably a stupid question. It points to /nix/store/something if I understand correctly.

Yep, that's right.

namei -l /etc/hosts
f: /etc/hosts
drwxr-xr-x root root   /
drwxr-xr-x root root   etc
lrwxrwxrwx root root   hosts -> /etc/static/hosts
drwxr-xr-x root root     /
drwxr-xr-x root root     etc
lrwxrwxrwx root root     static -> /nix/store/6z9wz2j0cv06hxf5iqhlil421mmnnz32-etc/etc
drwxr-xr-x root root       /
drwxr-xr-x root root       nix
drwxrwxr-t root nixbld     store
dr-xr-xr-x root root       6z9wz2j0cv06hxf5iqhlil421mmnnz32-etc
dr-xr-xr-x root root       etc
lrwxrwxrwx root root     hosts -> /nix/store/ppbg1m59fsw5740fgi1kz3xaap2bvzgm-hosts
drwxr-xr-x root root       /
drwxr-xr-x root root       nix
drwxrwxr-t root nixbld     store
-r--r--r-- root root       ppbg1m59fsw5740fgi1kz3xaap2bvzgm-hosts
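The thread identifies three ways `--hosts-file` can fail before the custom file is even read: /etc/hosts is a symlink (the NixOS chain above), /etc/hosts is not owned by root (dunesong's case), or the supplied file is not an absolute, readable path (netblue30's advice). The script below is an added diagnostic that checks those conditions in the same order and names the first one that fails; it is not firejail code, and the optional EXPECTED_UID argument is an assumption added so the check can be exercised on files a non-root user owns. It assumes GNU `stat -c`.

```shell
#!/bin/sh
# Constructed diagnostic, not part of firejail: mirror the preconditions that
# fs_mount_hosts_file() applies to /etc/hosts as quoted in this thread
# (exists, not a symbolic link, owned by root) and the two conditions listed
# for the --hosts-file argument (absolute path, readable by the user).

# check_etc_hosts PATH [EXPECTED_UID]
# Prints "ok" or the reason the sandbox would refuse PATH.
# EXPECTED_UID defaults to 0 (root); it exists only so the function can be
# tested against files owned by an unprivileged user (assumption, not firejail behaviour).
check_etc_hosts() {
    path=$1
    want_uid=${2:-0}
    # The link test comes first: firejail rejects a symlink regardless of
    # what it points to, which is exactly what the NixOS layout trips over.
    if [ -L "$path" ]; then
        printf 'symlink (points to %s)\n' "$(readlink "$path")"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi
    # Owner check: stat(2) result must carry uid 0 (root) in the real code.
    uid=$(stat -c %u "$path")
    if [ "$uid" != "$want_uid" ]; then
        printf 'owned by uid %s, expected %s\n' "$uid" "$want_uid"
        return 1
    fi
    echo "ok"
}

# check_custom_hosts PATH: the file handed to --hosts-file must be an
# absolute path and readable by the invoking user.
check_custom_hosts() {
    path=$1
    case $path in
        /*) ;;
        *) echo "not an absolute path"; return 1 ;;
    esac
    if [ ! -r "$path" ]; then
        echo "not readable"
        return 1
    fi
    echo "ok"
}

# diagnose_hosts [CUSTOM_FILE]: report on /etc/hosts and, if given, the custom file.
diagnose_hosts() {
    echo "/etc/hosts: $(check_etc_hosts /etc/hosts)"
    [ $# -ge 1 ] && echo "$1: $(check_custom_hosts "$1")"
}
```

Run `diagnose_hosts /home/username/hostfile` before filing a report; on the NixOS layout shown above the first line reads `/etc/hosts: symlink (points to /etc/static/hosts)`.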

@Enteee

Enteee commented Sep 25, 2021

@netblue30: why was this closed? I think the issue is still relevant.

@rusty-snake
Collaborator

rusty-snake commented Sep 25, 2021

Because #4560 was merged and this issue is a linked issue in #4560.

@Enteee do you still get this error?

@Enteee

Enteee commented Sep 25, 2021

I have not yet tested it. But I think before merging something that is more or less my suggested patch somebody should have falsified the following:

Inside the jail the file /etc/hosts points to is actually changed to whatever you set as --hosts-file but it is not actually used by the system resolve. Don't really know why...

kmk3 added a commit to kmk3/firejail that referenced this issue Jan 26, 2022
Note: They are added in the order that the issues were fixed/closed.

Note2: The issues were found through the following url:

https://github.com/netblue30/firejail/issues?q=is%3Aclosed+label%3Abug+-label%3Asecurity+closed%3A%3E2021-06-29+

The date used is the release date of 0.9.66, so in theory the query
should return every bug closed after that.  Security-related issues are
excluded because they will be added separately.

Note3: All issues other than netblue30#4328 were fixed before 0.9.68rc1.

Relates to netblue30#2758 netblue30#4235 netblue30#4328 netblue30#4387 netblue30#4395 netblue30#4460 netblue30#4467 netblue30#4558 netblue30#4560 netblue30#4586.
@kmk3 kmk3 moved this to Done (on RELNOTES) in Release 0.9.68 Sep 2, 2024