search

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.82k stars 567 forks source link

Reintroduce shell feature #6490

Open ganeshjkale opened 1 month ago

ganeshjkale commented 1 month ago

OS : Redhat 9.4

Firejail : v0.9.72

Command

firejail --shell=/bin/rbash --profile=/etc/firejail/abc.profile /usr/bin/gedit firejail --shell=/bin/rbash /usr/bin/gedit firejail --shell=/bin/rbash --noprofile /usr/bin/gedit

shell feature enables to provide more security , not able to find its alternative and documentation. please help

rusty-snake commented 1 month ago

What do you mean with shell feature?

Why does it provide more security?

kmk3 commented 1 month ago

Basic information is missing; please follow the feature request template:

ganeshjkale commented 1 month ago

For eg. combine firejail with rbash or custom shell

rusty-snake commented 1 month ago

firejail rbash?

You need to explain in more detail.

ganeshjkale commented 1 month ago

Firejail v0.9.70 below command. firejail --shell=/bin/rbash application

rusty-snake commented 1 month ago

And why is a --shell required? Why not simply firejail /bin/rbash application?

ganeshjkale commented 1 month ago

not working getting cannot execute binary gedit.

firejail /bin/rbash gedit

working

firejail gedit

rusty-snake commented 1 month ago

Maybe you should outline why you even need/want a rbash.

not working getting cannot execute binary gedit

firejail /bin/bash -r -c gedit

luitzifa commented 7 hours ago

IMHO this is a regression introduced in 0.9.72. The --shell feature was removed here: https://github.com/netblue30/firejail/issues/5190 The feature is needed to use firejail directly as login shell. This issue is somewhat related to https://github.com/netblue30/firejail/issues/6206

rusty-snake commented 7 hours ago

A small wrapper (e.g. firejail-sh) would fit this better IMHO.

luitzifa commented 6 hours ago

I cannot get a wrapper like

root@notebook:~# cat /usr/local/bin/firejail-login.sh
#!/bin/sh
/usr/bin/firejail --quiet --profile=/etc/firejail/myprofile.profile /bin/bash

to work with something like this: ssh -o IdentityAgent=none testuser2@127.0.0.1 'ls /dev'

I can login and execute the command, but i need to be able to execute the command directly over ssh in firejail.

rusty-snake commented 5 hours ago

Passing arguments could help. Untested:

#!/bin/sh
exec /usr/bin/firejail --quiet --profile=/etc/firejail/myprofile.profile /bin/bash -- "$@"