Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mkdir in profile does not respect --private=<directory> #903

Open
pyamsoft opened this issue Nov 9, 2016 · 17 comments
Open

mkdir in profile does not respect --private=<directory> #903

pyamsoft opened this issue Nov 9, 2016 · 17 comments
Labels
enhancement New feature request

Comments

@pyamsoft
Copy link

pyamsoft commented Nov 9, 2016

Latest stable firejail: 0.9.44

The command line option --private=<directory> states that firejail uses the given directory as a new home.

--private=directory
      Use directory as user home.

      Example:
      $ firejail --private=/home/netblue/firefox-home firefox

This works fine, and all whitelist and blacklist commands work as expected with respect to the private directory. However, using mkdir in a profile incorrectly creates the directory in the real home.

You can observe this in the shipped Dropbox profile for example, which makes calls to mkdir in its profile:

firejail --private=/home/pyamsoft/dropboxtesting dropbox

You can observe similar errors in the shipped firefox profile.

firejail --private=/home/pyamsoft/firefoxtesting firefox

You will see that a Dropbox folder will be created in the actual home directory, instead of the private home at ~/dropboxtesting. You will also see the firefox directories like ~/.mozilla being created in the real home. I would expect that mkdir will respect the private home directory just as whitelist and blacklist do, so I believe this behavior to be a bug.

@valoq
Copy link
Contributor

valoq commented Nov 9, 2016

I can confirm the behaviour. Seems like a bug to me.

@netblue30 netblue30 added the bug Something isn't working label Nov 9, 2016
@netblue30
Copy link
Owner

Fixed, thanks for the bug.

@okcomputerik
Copy link

okcomputerik commented Mar 4, 2017

Although marked as fixed, I see the same behavior running firejail 0.9.44.8 with the dropbox profile. Am I missing something here? Thanks!

@netblue30 netblue30 reopened this Mar 5, 2017
@netblue30
Copy link
Owner

I'll look into it, thanks.

@sunho0301
Copy link

Are there any updates on this issue?? I'm having the same problem.
Thanks!

@chiraag-nataraj
Copy link
Collaborator

Is this still an issue? If so, let's figure out what's going on :)

@chiraag-nataraj
Copy link
Collaborator

Yes, this is still an issue. The question becomes the following:
If we write mkdir ${HOME}/<somedir>, do we mean the real ${HOME} or what the sandbox will see as ${HOME}?

@chiraag-nataraj
Copy link
Collaborator

@netblue30 Is this intended behavior? If we use ${HOME} in, say, mkdir, do we want ${HOME} to be resolved after things like --private have been resolved or do we want to resolve it before those predicates? That will change the behavior as I understand it, and either one is fine as long as we document it.

@chiraag-nataraj
Copy link
Collaborator

Sorry to dredge up so many old issues, but @netblue30, is this intended behavior? If so, we can close. Otherwise, we should fix this.

rusty-snake pushed a commit that referenced this issue Jun 16, 2019
containing:
 - files forgotten in 4beaf8f
 - workarounds for #903
 - commented useless private-etc lines removed
 - remove commented seccomp.keep lines
 - much more
@matu3ba
Copy link
Contributor

matu3ba commented Apr 9, 2020

@rusty-snake @chiraag-nataraj
If the folder does not exist, firejail prompts Error: invalid private directory and exists. If nesting of firejails is forbidden, the error could maybe be simplified to Error: folder not usable as private directory. However I am not sure about this.
Otherwise suggestion to close this.

@rusty-snake
Copy link
Collaborator

@matu3ba it's not about the private directory does not work. The mkdir does not respect it. Like this:

$ cat tmp.profile
mkdir ${HOME}/foo
private
mkdir ${HOME}/bar
$ firejail --profile=tmp.profile true
$ [ -e foo ] && echo "foo exists"
foo exists
$ [ -e bar ] && echo "bar exists"
bar exists

@vinc17fr
Copy link
Contributor

In fact, mkdir creates a directory in both the real home directory and the sandbox. And mkfile has the same issue:

$ cat > .config/firejail/test.profile
mkdir ${HOME}/fj-dir
mkfile ${HOME}/fj-file
$ mkdir fj-priv
$ ls -d fj-dir fj-file fj-priv/*
ls: cannot access 'fj-dir': No such file or directory
ls: cannot access 'fj-file': No such file or directory
ls: cannot access 'fj-priv/*': No such file or directory
$ firejail --private=fj-priv --profile=test sh
Reading profile /home/vinc17/.config/firejail/test.profile
Parent pid 52414, child pid 52417
Child process initialized in 12.93 ms
$ exit
sh: 1: Cannot set tty process group (No such process)

Parent is shutting down, bye...
$ ls -d fj-dir fj-file fj-priv/*
fj-dir  fj-file  fj-priv/fj-dir  fj-priv/fj-file

@smitsohu
Copy link
Collaborator

smitsohu commented Oct 19, 2021

To illustrate what probably was the reasoning behind this design, let's take Firefox. The profile uses whitelist in user home, so if the program is never run outside of Firejail, all application files and directories (~/.mozilla, ~/.cache/mozilla, ...) are ever created only in the tmpfs, and are always discarded when the sandbox shuts down. There will never be any persistence, which is not how whitelist is supposed to work, and is closer to what private is supposed to do.

One possible solution is to create needed files and directories beforehand as the user in the real file system, so that whitelist can properly bind mount them in the sandbox.

The downside is that some profiles create quite a clutter in the file system, which is also not so nice. As a workaround you can add

ignore mkfile
ignore mkdir

to /etc/firejail/globals.local and create files manually, or run applications once outside Firejail, which is usually sufficient to get all required directories and files.

@rusty-snake
Copy link
Collaborator

FTR: #4285

@smitsohu smitsohu added enhancement New feature request and removed bug Something isn't working labels Oct 19, 2021
@smitsohu
Copy link
Collaborator

Maybe we could postpone mkdir and mkfileuntil after private option processing, but handle them before whitelist.

kmk3 pushed a commit to glitsj16/firejail that referenced this issue Aug 10, 2023
Changes:

* comment `include whitelist-common.inc` when using `private`
* drop `private` on profiles that access files in `${HOME}`
* use `#` in comments

Relates to netblue30#903.
glitsj16 added a commit that referenced this issue Aug 11, 2023
Changes:

* comment `include whitelist-common.inc` when using `private`
* drop `private` on profiles that access files in `${HOME}`
* use `#` in comments

Relates to #903.
@colons
Copy link

colons commented Dec 20, 2023

hi. i don't know that this issue has any actual security consequences, but it is extremely disconcerting to see your home directory littered with directories related to something you launched with the promise that it'd be contained to a directory you specified. if nothing else, it's a violation of what --private says it'll do, and it requires active tidying up after it has its effect

@spikethehobbitmage
Copy link

Maybe we could postpone mkdir and mkfileuntil after private option processing, but handle them before whitelist.

This is exactly what needs to happen. overlay options should* also be processed before mk* since they also discard jailed changes.

*This may already be the case but overlay is disabled on my system so I can't test it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature request
Projects
None yet
Development

No branches or pull requests