Error fcopy: invalid ownership for file caused by --private-etc

[crocket]

I want to run a sandboxed program with

sudo -u xxx firejail --private-etc=file prog

--private-etc=file results in

Error fcopy: invalid ownership for file /etc/file

because

$ ls -lh /etc/file
-rw-r----- 1 xxx xxx ... /etc/file

Let's say owner and group are xxx which is neither root nor a regular user that runs my desktop environment.

A workaround is

--whitelist=/etc/file

Version

$ firejail --version
firejail version 0.9.66

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

OS: Gentoo Linux

[kmille]

I don't know what changed, but my signal-desktop suddenly is also broken:

kmille@linbox: signal-desktop             
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /home/kmille/.config/firejail/globals.local
Reading profile /etc/firejail/electron.profile
Reading profile /home/kmille/.config/firejail/electron.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/kmille/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 115237, child pid 115241
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 115237 cannot sync with peer: unexpected EOF
Peer 115241 unexpectedly exited with status 1

In signal-desktop.profile, there is

private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl

Temporary fix is to add ignore private-etc in ~/.config/firejail/signal-desktop.local.

[kmk3]

I don't know what changed, but my signal-desktop suddenly is also broken:

Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 115237 cannot sync with peer: unexpected EOF
Peer 115241 unexpectedly exited with status 1

In signal-desktop.profile, there is

private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl

Temporary fix is to add ignore private-etc in ~/.config/firejail/signal-desktop.local.

What is the firejail version and distribution name/version?

What is the output of ls -l /etc/resolv.conf?

Does it happen with firejail-git?

[kmille]

I'm running firejail version 0.9.72 on Arch-Linux. By the way the same happened for Nextcloud client.

kmille@linbox:~ ls -l /etc/resolv.conf 
-rw-r--r-- 1 systemd-resolve systemd-resolve 56 Nov 26 11:53 /etc/resolv.conf

UPDATE: Nothing changes if I use firejail-git (0.9.72.r740.g8f55f6c9a-1). I'm a bit suprised that tag 0.9.72 if from Jan 2023 ... UPDATE2: Thunderbird also doesn't start. Seems like my whole system is affacted. Am I the only one? I ignore private-etc in my globals.conf for now

[tredondo]

Is #6296 the same error?