We use FireJail on top of our jail builder (MakeJail) to isolate our restricted shells. We use makejail to create the chroot and then we set the login shell to /usr/local/bin/firejail. Depending on the chroot configuration, we can have busybox inside our chroot or bash. We tell firejail to use the correct shell using the --shell option in the login.users file. For instance:
nuxwin:--chroot=/var/chroot/InstantSSH/shared_jail --quiet --dns=8.8.8.8 --dns=8.8.4.4 --name=nuxwin --noprofile --nonewprivs --ipc-namespace --rmenv=container --seccomp --shell=/bin/ash
root@srv01:/usr/local/etc/firejail# ls -la /bin/ash
lrwxrwxrwx 1 root root 12 Aug 12 22:48 /bin/ash -> /bin/busybox
The problem is that if we use busybox (ASH) without copying bash inside the chroot, FireJail throws an error. This shouldn't occur.
Thank you.
Can you provide more detail about the error? Which version of firejail are you using?
firejail --shell=/bin/sh works for me on busybox system without /bin/bash.
@manevich
I used latest release:
root@srv01:/var/chroot/InstantSSH/shared_jail/etc# firejail --version
firejail version 0.9.42~rc1
X11 support is disabled
I've created a chroot with the makejail script and I've done some bind mounts as usual. I copied the busybox binary inside the chroot and created a symlink to it (/bin/ash to /bin/busybox) inside the chroot. Then, I've set the --shell option to /bin/ash (not /bin/sh), but this should not change anything. In the chroot, I've not copied /bin/bash (expected since I want only ASH).
The problem is that when logging in through SSH, firejail throws an error because /bin/bash is missing inside the chroot. If I copy it, that works as expected and the login shell is ASH as expected...
I'll reproduce the problem and show you the exact output in a few minutes.
@manevich
Exact output:
nuxwin@dev:~$ ssh [email protected]
[email protected]'s password:
___ _ _ ____ ____ _ _
|_ _|_ __ ___| |_ __ _ _ __ | |_ / ___/ ___|| | | |
| || '_ \/ __| __/ _` | '_ \| __| \___ \___ \| |_| |
| || | | \__ \ || (_| | | | | |_ ___) |__) | _ |
|___|_| |_|___/\__\__,_|_| |_|\__| |____/____/|_| |_|
Welcome to your shell.
If you need a specific command, get in contact with your reseller.
i-MSCP InstantSSH plugin v4.1.0
Copyright (c) 2014-2016 Laurent Declercq <[email protected]>
Last login: Sat Aug 13 00:09:11 2016 from 192.168.1.100
Error: cannot find /bin/bash in chroot directory
Error: invalid chroot
Connection to 192.168.1.133 closed.
nuxwin@dev:~$
My passwd entry for the nuxwin user is as follows:
# getent passwd nuxwin
nuxwin:x:1003:1003:Laurent Declercq,,,:/home/nuxwin:/usr/local/bin/firejail
My login.users file is as follows:
root@srv01:/var/chroot/InstantSSH/shared_jail/bin# cat /usr/local/etc/firejail/login.users
# /etc/firejail/login.users - restricted user shell configuration
#
# Each user entry consists of a user name and firejail
# program arguments:
#
# user name: arguments
#
# For example:
#
# netblue:--net=none --protocol=unix
#
# The extra arguments are inserted into program command line if firejail
# was started as a login shell.
nuxwin:--chroot=/var/chroot/InstantSSH/shared_jail --name=nuxwin --shell=/bin/ash
The /bin directory of the chroot (seen from outside) is as follows:
root@srv01:/var/chroot/InstantSSH/shared_jail/bin# ls -la
total 2264
drwxrwxr-x 2 root root 4096 Aug 13 01:28 .
drwxr-xr-x 14 root root 4096 Aug 13 01:28 ..
lrwxrwxrwx 1 root root 12 Aug 13 01:28 ash -> /bin/busybox
-rwxr-xr-x 1 root root 1837008 Feb 18 2015 busybox
-rwxr-xr-x 1 root root 150824 Mar 14 2015 cp
-rwxr-xr-x 1 root root 27080 Mar 14 2015 false
-rwxr-xr-x 1 root root 196016 Jul 16 2014 nano
-rwxr-xr-x 1 root root 93096 Mar 6 2015 ps
lrwxrwxrwx 1 root root 8 ao没t 13 01:28 sh -> /bin/ash
Info about my environment:
# firejail --version
firejail version 0.9.42~rc1
X11 support is disabled.
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.5 (jessie)
Release: 8.5
Codename: jessie
root@srv01:/var/chroot/InstantSSH/shared_jail/bin#
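The listing above shows why checking a chroot from the host is easy to get wrong: /bin/ash -> /bin/busybox and sh -> /bin/ash are absolute symlinks, so seen from the host they point at the host's /bin, while inside the chroot the kernel resolves them against the chroot root. The script below is an added example (not part of this issue thread and not firejail's own code) that checks, from the host, whether a shell given to --shell= actually resolves to an executable inside a chroot, following symlinks the way a chrooted process would. The function names are hypothetical and the chroot it builds in a temp directory is constructed to mirror the /bin listing in the report.

```shell
#!/bin/sh
# Added example, not from the issue or from firejail: verify that a --shell= path
# exists inside a chroot, resolving symlinks against the chroot root rather than
# the host filesystem. Function names are hypothetical.

# resolve_in_chroot CHROOT PATH
# Prints the host path that PATH ends up at when resolved inside CHROOT,
# following up to 40 symlinks. Returns 1 on a dangling or looping link.
resolve_in_chroot() {
    root=$1
    p=$2
    i=0
    while [ "$i" -lt 40 ]; do
        if [ -L "$root$p" ]; then
            target=$(readlink "$root$p")
            case $target in
                /*) p=$target ;;                  # absolute target: relative to the chroot root, not /
                *)  p=$(dirname "$p")/$target ;;  # relative target: relative to the link's directory
            esac
            i=$((i + 1))
        elif [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        else
            return 1                              # dangling link or missing file
        fi
    done
    return 1                                      # symlink loop
}

# check_chroot_shell CHROOT SHELL
# Returns 0 when SHELL resolves to a regular executable file inside CHROOT.
check_chroot_shell() {
    real=$(resolve_in_chroot "$1" "$2") || return 1
    [ -f "$real" ] && [ -x "$real" ]
}

# Stand-alone demo on a constructed chroot laid out like the one in the report:
# a busybox binary plus ash -> /bin/busybox and sh -> /bin/ash, and no bash.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf '#!/bin/sh\nexit 0\n' > "$demo_root/bin/busybox"   # stand-in for the real busybox
chmod 755 "$demo_root/bin/busybox"
ln -s /bin/busybox "$demo_root/bin/ash"
ln -s /bin/ash "$demo_root/bin/sh"
for s in /bin/ash /bin/sh /bin/bash; do
    if check_chroot_shell "$demo_root" "$s"; then
        echo "$s: ok -> $(resolve_in_chroot "$demo_root" "$s")"
    else
        echo "$s: missing inside $demo_root"
    fi
done
rm -rf "$demo_root"
```

Run it as root or as the user that owns the chroot; it only needs read access. The point of resolving absolute link targets against the chroot root is that a check such as `test -x /var/chroot/.../bin/sh` from the host would succeed whenever the host has /bin/ash, even if the chroot itself has no busybox at all.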
Thanks, found it https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L1114
This is a bug.
Will look at it later.
@manevich
Thank you so much ;)
Fixed on master branch, thanks for the bug.