Closed glitsj16 closed 4 months ago
rusty-snake
commented
4 months ago Shell redirection is a feature of your shell. i.e. the process that writes to ~/.bashrc in the following process tree is the bash process that wraps/starts firejail.
-bash
|-firejail --private
|-cat
kmk3
commented
4 months ago @rusty-snake on Jul 6:
Shell redirection is a feature of your shell. i.e. the process that writes to
~/.bashrcin the following process tree is the bash process that wraps/starts firejail.
The shell indeed opens the file and sets up the redirection before firejail starts, though I think that technically the child process is still the one that writes to the stream.
@glitsj16
Can you reproduce this without shell redirects?
rusty-snake
commented
4 months ago Well, technically your right. Though it only helps if you understand the difference between open and read/write.
glitsj16
commented
4 months ago Can you reproduce this without shell redirects?
All good without shell redirection:
$ firejail --quiet --private -- sh -c 'echo "#test" >> "${HOME}/.bashrc"'
sh: line 1: /home/glitsj16/.bashrc: Read-only file systemfirejail --quiet --private --blacklist="${HOME}/.bashrc" -- sh -c 'echo "#test" >> "${HOME}/.bashrc"'
sh: line 1: /home/glitsj16/.bashrc: Permission deniedSorry for the noise.
Yesterday on IRC something odd came up regarding the
privateoption. Expecting this option to create a sandbox in which all modifications getdiscardedat shutdown, it turns out this isn't respected.The following command variations all allow editing ${HOME}/.bashrc:
So, to summarize:
read-onlyviadisable-common.inc(included fromdefault.profile) is not being enforced;privateshouldn't allow this;blacklisting${HOME}/.bashrc is not preventing this from happening.This easy and unexpected circumvention of the above restrictions make me wonder what is actually causing this (besides apparent shell redirection). I could use a sanity check here :)
Note: I'm seeing this on my
firejail-git, but a user confirmed this also happens on0.9.72.