Bug 663784 - =sys-apps/firejail-0.9.54[-suid] Error mkdir: util.c:931 create_empty_dir_as_root: Permission denied
Summary: =sys-apps/firejail-0.9.54[-suid] Error mkdir: util.c:931 create_empty_dir_as_...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal (vote)
Assignee: Hank Leininger
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2018-08-16 15:17 UTC by Nick
Modified: 2022-02-18 02:44 UTC
7 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info sys-apps/firejail-lts (emerge-info.txt.xz,6.37 KB, application/x-xz)
2020-03-16 14:41 UTC, inasprecali

Description Nick 2018-08-16 15:17:09 UTC
The error occurs when running `firejail` from the terminal (with any args that I tested).

The error is fixed by re-installing with [+suid].
Comment 1 Andy Pettinger 2018-08-25 07:04:27 UTC
I can confirm the same error, which is fixed with the suid flag.
Comment 2 Amadeusz Żołnowski (RETIRED) gentoo-dev 2018-10-10 20:42:15 UTC
Can you confirm bug still exists in latest version, please?
Comment 3 Karl-Johan Karlsson 2018-10-11 07:32:17 UTC
It's a different error message, but Firejail 0.9.56 still refuses to run as a regular user when built with USE="-suid":

creideiki@orley ~ $ firejail
Error: cannot create /run/firejail/profile/28807
creideiki@orley ~ $ ls -ld /run/firejail/profile/
drwxr-xr-x 2 root root 80 11 okt 09.28 /run/firejail/profile/

With USE="suid" it can create that file and runs happily.
Comment 4 Amadeusz Żołnowski (RETIRED) gentoo-dev 2018-10-11 19:22:19 UTC
What if you remove recursively "/run/firejail"?
Comment 5 Karl-Johan Karlsson 2018-10-11 19:33:58 UTC
(In reply to Amadeusz Żołnowski from comment #4)
> What if you remove recursively "/run/firejail"?

Then I get the old error message:

creideiki@luna ~ $ firejail
Error mkdir: util.c:936 create_empty_dir_as_root: Permission denied

And nothing new is created in /run/firejail/. It is recreated if I run firejail as root, but is again only writeable by root.
Comment 6 Amadeusz Żołnowski (RETIRED) gentoo-dev 2018-10-11 21:03:12 UTC
Would you mind reporting this upstream? netblue30 may ask you for more info. https://github.com/netblue30/firejail/issues
Comment 7 Amadeusz Żołnowski (RETIRED) gentoo-dev 2018-10-11 21:07:10 UTC
What firejail should do is to create a "firejail" directory in "/run/user/$UID/" when run without suid or, perhaps, even always create this dir in "/run/user/$UID".
Comment 8 Evgeny Zinoviev 2018-10-21 22:52:30 UTC
I have the same error.

Has this been reported upstream? I didn't find a corresponding issue on GitHub.
Comment 10 inasprecali 2020-03-16 14:40:36 UTC
I can confirm the same exact problem after updating to the latest sys-apps/firejail-lts (firejail-lts-0.9.56.2-r1). Mind you, the *LTS* version, not the "normal" version of the package, as this bug originally referred to.  Should it be reported in a different bug?

Attached is my output of emerge --info sys-apps/firejail-lts (it's too large to be written directly in the comment).

Please let me know if there is anything wrong with it or if it's a genuine bug.
Comment 11 inasprecali 2020-03-16 14:41:47 UTC
Created attachment 620672 [details]
emerge --info sys-apps/firejail-lts
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-17 18:57:01 UTC
(In reply to inasprecali from comment #10)
> I can confirm the same exact problem after updating to the latest
> sys-apps/firejail-lts (firejail-lts-0.9.56.2-r1). Mind you, the *LTS*
> version, not the "normal" version of the package, as this bug originally
> referred to.  Should it be reported in a different bug?
> 
> Attaches is my output of emerge --info sys-apps/firejail-lts (it's too large
> to be written directly in the comment).
> 
> Please let me know if there is anything wrong with it or if it's a genuine
> bug.

Just some background:
* This needs a bit more investigation.  I'm not the maintainer and I don't use firejail.

* In bug 687108, security stabilised and cleaned up firejail-lts, bringing in that new version you're seeing. There's upstream bugs linked in there with more discussion too.

* Some notes from a discussion in security (this is not advice, just thoughts for anyone who wants to pick it up):
>Question is if package should create rundir (maybe via tmpfiles).
>But if multiple users will call firejail and all are sharing the same rundir, you must be careful that you don't open another vulnerability.
>Shared rundir isn't seemingly an issue if everything is run as root w/ setuid
Comment 13 Hank Leininger 2020-10-14 16:55:51 UTC
Reading this and the other linked discussions, I think --disable-suid just is not going to work in Gentoo, at least not today. There is a useful suggestion of making a firejail group and making the setuid executable 4710 instead of 4711 (possibly gated by a new USE flag, to avoid silently breaking working installs?). So my inclination would be to make USE=suid no longer optional, but add an acct-group/firejail group. How would that sit with watchers of this bug who still care? :)
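The 4710-versus-4711 point in the comment above, as an added shell check that is not part of this bug, of the Gentoo ebuild or of the firejail project: it reports whether a setuid helper's execute bit is restricted to members of a group (4710) or open to every local user (4711), and optionally whether the owning group is the one an administrator expects. The `firejail` group name and the `/usr/bin/firejail` path in the usage comment are assumptions taken from the discussion, not values verified on any install; the check itself only needs GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the bug or the firejail package): audit how a setuid
# helper's execute permission is gated, following the 4710-vs-4711 discussion.
#
# Return codes:
#   0  setuid, group-executable, not world-executable (e.g. 4710): gated by group
#   1  setuid and world-executable (e.g. 4711): any local user can invoke it
#   2  missing, not setuid, or no group/other execute bit at all
#   3  setuid and gated, but owned by a group other than the one expected
#
# Requires GNU stat (-c). Usage (assumed path and group name):
#   setuid_gating /usr/bin/firejail firejail
setuid_gating() {
    path=$1
    want_group=${2:-}

    [ -e "$path" ] || { echo "$path: missing"; return 2; }

    mode=$(stat -c '%a' "$path") || return 2
    group=$(stat -c '%G' "$path") || return 2

    # GNU stat prints the mode in octal without a leading zero, so a setuid
    # file shows four digits and the first digit carries the 4 bit (4..7).
    case "$mode" in
        [4-7]???) ;;
        *) echo "$path: mode $mode is not setuid"; return 2 ;;
    esac

    group_bits=$(printf '%s' "$mode" | cut -c3)
    other_bits=$(printf '%s' "$mode" | cut -c4)

    # Execute permission is the low bit of each octal digit: 1, 3, 5 or 7.
    case "$other_bits" in
        1|3|5|7)
            echo "$path: mode $mode, group $group: world-executable setuid binary"
            return 1 ;;
    esac

    case "$group_bits" in
        1|3|5|7) ;;
        *) echo "$path: mode $mode: setuid, but only the owner can execute it"; return 2 ;;
    esac

    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "$path: mode $mode gated to group $group, expected $want_group"
        return 3
    fi

    echo "$path: mode $mode, group $group: execute restricted to group members"
    return 0
}

# When run as a script with arguments, audit the given path (and optional group).
if [ $# -gt 0 ]; then
    setuid_gating "$@"
fi
```

The return code, rather than the printed line, is what a configuration check or monitoring job should act on: 1 means the setuid entry point is reachable by every local account, which is the situation the group-gating suggestion is meant to close.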
Comment 14 Jan Sembera 2020-10-14 18:45:35 UTC
It seems reasonable to me, personally. But I'm just one user of this package.
Comment 15 Larry the Git Cow gentoo-dev 2022-02-18 02:44:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f83326db36c6215b3fb69cf9630c5e3b53d32c43

commit f83326db36c6215b3fb69cf9630c5e3b53d32c43
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2022-02-07 04:40:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-18 02:38:46 +0000

    sys-apps/firejail: version bump, remove old, Gentoo compat tweaks
    
    Upstream released a security bump. Also, added some fixes and
    workarounds for bits & configs that break on Gentoo.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/832819
    Closes: https://bugs.gentoo.org/694966
    Closes: https://bugs.gentoo.org/663784
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Closes: https://github.com/gentoo/gentoo/pull/24102
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/firejail/Manifest                         |  3 +-
 sys-apps/firejail/files/firecfg.config.patch       | 71 ++++++++++++++++
 .../firejail/files/firejail-0.9.68-envlimits.patch | 12 +++
 sys-apps/firejail/files/profile_display.local      |  2 +
 sys-apps/firejail/files/profile_patch.local        |  8 ++
 sys-apps/firejail/files/profile_pdftotext.local    |  2 +
 sys-apps/firejail/files/profile_wget.local         |  5 ++
 sys-apps/firejail/firejail-0.9.64.4.ebuild         | 99 ----------------------
 ...rejail-0.9.66.ebuild => firejail-0.9.68.ebuild} | 27 +++++-
 sys-apps/firejail/firejail-9999.ebuild             |  8 +-
 10 files changed, 128 insertions(+), 109 deletions(-)