Debian Bug report logs - #1015816
firejail: Unable to create a whitelisted config file


Package: firejail; Maintainer for firejail is Reiner Herrmann <[email protected]>; Source for firejail is src:firejail.

Reported by: anonymous coward <[email protected]>

Date: Thu, 21 Jul 2022 17:57:01 UTC

Severity: normal

Found in version firejail/0.9.64.4-2


From: anonymous coward <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Message-ID: <165874245482.74914.2993275670472134453.reportbug@cypher>
X-Mailer: reportbug 7.10.3+deb11u1
Date: Mon, 25 Jul 2022 11:47:34 +0200
Package: firejail
Version: 0.9.64.4-2
Followup-For: Bug #1015816
X-Debbugs-Cc: [email protected]

To cover all bases, I also tried enabling the read-write perms,
effectively running:

  $ firejail --env=XDG_CONFIG_HOME="$HOME"/my_config_files\
             --whitelist="$(readlink $HOME/.config)"toot/config.json\
             --noblacklist="$(readlink $HOME/.config)"toot/config.json\
             --profile=<(printf '%s\n' 'mkdir ~/tools/conf/toot')\
             --read-write="$HOME"/my_config_files/toot\
             --read-write="$HOME"/my_config_files/toot/config.json\
             toot login

It made no difference. It still just leaves the empty directory
"$HOME"/my_config_files/toot.

As a possible secondary bug in the docs, the man page contains:

===8<------------------------------
  --read-write=dirname_or_filename
          Set directory or file read-write. Only files or directories belonging to the current user are allowed for this  operation.
          File globbing is supported, see FILE GLOBBING section for more details.  Example:

          $ mkdir ~/test
          $ touch ~/test/a
          $ firejail --read-only=~/test --read-write=~/test/a
===8<------------------------------

The man page does not state what the default perms are.  The whitelist
option in the man page says: “Modifications to whitelisted files are
persistent”. This seems to imply that the read-write option is the
default setting on whitelisted dirs, but makes no mention of what
happens if read-write is used on a non-whitelisted dir.  The example
given somewhat implies that read-write is useful when giving different
perms to a subdir than the parent dir.  But it does not outright state
this so users are left guessing.

I should also say it’s unclear whether the noblacklist option is
useful or redundant.  Does --whitelist imply --noblacklist
automatically?  The man page should make that clear.



Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 17:51:13 2025; Machine Name: bembo
