Open blaa opened 1 year ago
The --tab option works with --private but not with --private=foo. This could be made more clear in the man page, I agree.
See https://github.com/netblue30/firejail/issues/5204 for discussion and workaround.
Why doesn't it speak about .inputrc? Readline?
Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a separate/integrated developer documentation.
Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.
The notab behaviour is only triggered if you use whitelist ${HOME}/foo or --private=${HOME}/foo, i.e. if the sandbox does not use your real home.
Why is "notab" a default? Does it impact "security"? How?
If someone can explain this to me ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).
Why doesn't it speak about .inputrc? Readline?
Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a separate/integrated developer documentation.
.xinputrc might be in fact implementation detail - agreed. The fact that it changes behaviour of all readline-driven applications is not. Man page is not right when it says 'shell tab completion'. Especially since it doesn't alter zsh behaviour.
I'm a user here and have a completely user perspective, wouldn't find it in developer documentation without a hint in a man page.
Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.
The notab behaviour is only triggered if you use whitelist ${HOME}/foo or --private=${HOME}/foo, i.e. if the sandbox does not use your real home.
Ok! Thanks. I was confused and misread that it alters completion in some whitelisted set of directories.
Maybe instead of "sandboxes using private or whitelisted home directories" something like: "that use private ..."? Still, that's a detail.
Why is "notab" a default? Does it impact "security"? How?
If someone can explain this to me ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).
Especially since it's not enforced. Application can clear the .xinputrc or alter it and revert the behaviour. And it doesn't even work for all shells.
Description
GDB within firejail (I use jails for many things, including development) doesn't have working TAB-completion. Still, completion works in ZSH, Emacs, IPython, or the same GDB outside the jail.
Steps to Reproduce
Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir
firejail out of thin air creates .inputrc file with a single line set disable-completion on
This causes GDB (readline in general) to drop TAB-completion.
Expected behavior
Tab-completion in GDB within jail and outside working the same unless I explicitly ask to alter behaviour.
I'd expect jail software to not mess with readline configuration. I wasn't expecting this, didn't turn it on (with profile, option or anything else) and was flabbergasted for over 3 hours trying to solve it. I've checked various TERM options, stty, straced gdb process, etc.
My main problem was how to "find" the culprit. I was mostly searching for GDB related information which was a mistake. I should have searched for readline. But GDB was the only thing that didn't work (zsh worked, ipython, emacs every other thing I used was OK).
Manual doesn't have IMHO good description of the case:
Why doesn't it speak about .inputrc? Readline? Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.
Why is "notab" a default? Does it impact "security"? How?
Actual behavior
GDB doesn't auto-complete and instead of coding I'm debugging gdb. It's difficult issue to google. It should "just work". I was trying for 3 hours various TERM= options, stty, stracing GDB behaviour to no avail. Only after copying /etc/inputrc to ~/.inputrc (in jail) I fixed that, and later noticed that the file WAS THERE BEFORE COPYING, although I haven't created it. I've never messed with this file before so I didn't expect that.
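Added example, not part of the original issue or of firejail's code: a shell check for the symptom reported here, which finds the init file readline will load inside the sandbox and reports whether it leaves disable-completion switched on. The function names inputrc_path and disable_completion_state are hypothetical, and $if / $include directives in the file are not evaluated.

```shell
#!/bin/sh
# Added example: does the readline init file in this sandbox disable completion?

# File readline reads at startup: $INPUTRC, else ~/.inputrc, else /etc/inputrc.
inputrc_path() {
    if [ -n "${INPUTRC:-}" ]; then
        printf '%s\n' "$INPUTRC"
    elif [ -e "$HOME/.inputrc" ]; then
        printf '%s\n' "$HOME/.inputrc"
    else
        printf '%s\n' /etc/inputrc
    fi
}

# Print "on" or "off" for the last "set disable-completion" line in file $1.
# readline treats "on", "1" and an empty value as On and anything else as Off;
# variable names and values are case-insensitive, and the last setting wins.
disable_completion_state() {
    # A missing or unreadable file sets nothing, so completion stays enabled.
    [ -r "$1" ] || { echo off; return 0; }
    awk '
        BEGIN { state = "off" }
        /^[ \t]*#/ { next }                     # skip comment lines
        {
            if (tolower($1) == "set" && tolower($2) == "disable-completion") {
                v = tolower($3)
                state = (v == "on" || v == "1" || v == "") ? "on" : "off"
            }
        }
        END { print state }
    ' "$1"
}

# Report for the current environment (run this inside the jail).
f=$(inputrc_path)
printf '%s: disable-completion is %s\n' "$f" "$(disable_completion_state "$f")"
```

Run inside and outside the jail, a differing result points at the sandbox's home directory rather than at GDB, TERM or stty.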