Bug#1026928: wget: “Cannot write to ‘myfile.mp3’ (Permission denied).” when using the default profile.
Package: firejail
Version: 0.9.64.4-2
Followup-For: Bug #1026928
X-Debbugs-Cc: debbug.firej...@sideload.33mail.com

> I can't reproduce it yet. What do you mean with "local directory"?
> Your home directory? Is there anything special about this directory?
> Please provide full output when running firejail with --debug.

I meant the "$CWD", which was something like /collection/music. There is nothing special about the directory. I have write permission and in fact it has no problem writing the file if I use --noprofile.

I ran it again using --debug. There is a huge amount of output which would be cumbersome to sanitize, but not enough output at the very end where it fails:

===8<--
Current directory: /collection/music
…
Connecting to web.archive.org (web.archive.org)|207.241.237.3|:80... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: http://web.archive.org/web/«url» [following]
--«timestamp»-- http://web.archive.org/web/«url»
Reusing existing connection to web.archive.org:80.
HTTP request sent, awaiting response... 200 OK
Length: 33763692 (35M) [audio/mpeg]
myfile.mp3: Permission denied

Cannot write to ‘myfile.mp3’ (Permission denied).
Sandbox monitor: waitpid 15 retval 15 status 768
===8<--

Perhaps it was fixed in a later version. I’m using Firejail 0.9.64.4-2 (apparently with cgroup=no for some reason) & GNU Wget 1.21.

Bug#1026928: wget: “Cannot write to ‘myfile.mp3’ (Permission denied).” when using the default profile.
Package: firejail
Version: 0.9.64.4-2
Severity: normal
X-Debbugs-Cc: debbug.firej...@sideload.33mail.com

There is no problem if the --noprofile option is given. But if firejail is allowed to use the default profile (/etc/firejail/wget.profile), fetched files cannot be written to the local directory.

===8<--
$ firejail --net=vnet0 --dns="$mydns" --noblacklist=. wget --no-netrc "$url"
--«timestamp»-- «url»
Resolving web.archive.org (web.archive.org)... 207.241.237.3
Connecting to web.archive.org (web.archive.org)|207.241.237.3|:80... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: http://web.archive.org/web/«url» [following]
--«timestamp»-- http://web.archive.org/web/«url»
Reusing existing connection to web.archive.org:80.
HTTP request sent, awaiting response... 200 OK
Length: 33763692 (36M) [audio/mpeg]
myfile.mp3: Permission denied

Cannot write to ‘myfile.mp3’ (Permission denied).
===8<--

This is /etc/firejail/wget.profile:

===8<--
# Firejail profile for wget
# Description: Retrieves files from the web
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include wget.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.netrc
noblacklist ${HOME}/.wget-hsts
noblacklist ${HOME}/.wgetrc

blacklist /tmp/.X11-unix
blacklist ${RUNUSER}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
#include disable-xdg.inc

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
shell none
tracelog

private-bin wget
private-cache
private-dev
# depending on workflow you can uncomment the below or put this private-etc in your wget.local
#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
#private-tmp

dbus-user none
dbus-system none

memory-deny-write-execute
===8<--

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.6-10
ii  libc6         2.31-13+deb11u5
ii  libselinux1   3.1-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.64.4-2+deb11u1
ii  iproute2           5.10.0-4
ii  iptables           1.8.7-1
ii  xauth              1:1.1-1
ii  xdg-dbus-proxy     0.1.2-2
ii  xpra               3.0.13+dfsg1-1
ii  xvfb               2:1.20.11-1+deb11u3

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed:
cgroup no

-- no debconf information

Bug#1026109: firejail: “Error fbuilder: invalid program” when pairing --build & --env options together
Package: firejail
Version: 0.9.64.4-2
Severity: normal
X-Debbugs-Cc: debbug.firej...@sideload.33mail.com

Ran this:

===8<--
$ LC_ALL=C firejail --build=kalium.profile --net=vnet0 --dns=$mydns --env=XDG_CONFIG_HOME="${myconfig_dir}" /usr/local/src/kalium/gradlew jvmTest
===8<--

Output:

===8<--
Error fbuilder: invalid program

Firejail profile builder
Usage: firejail [--debug] --build[=profile-file] program-and-arguments
===8<--

Omitting “--build=kalium.profile” is syntactically accepted, but it craps out with lots of other errors. Omitting “--env=…” is also syntactically accepted. Apparently “--build=kalium.profile” & “--env=…” options cannot be used together.

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.6-10
ii  libc6         2.31-13+deb11u5
ii  libselinux1   3.1-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.64.4-2+deb11u1
ii  iproute2           5.10.0-4
ii  iptables           1.8.7-1
ii  xauth              1:1.1-1
ii  xdg-dbus-proxy     0.1.2-2
ii  xpra               3.0.13+dfsg1-1
ii  xvfb               2:1.20.11-1+deb11u3

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed:
cgroup no

-- no debconf information