Hi,
Here's the situation: I occasionally create private jails to run firefox using firejail --private firefox -no-remote -private, this way it is in no way altered by the amount of extensions and addons I have normally running ^^.
The issue is that sometimes I end up having to download a file using this instance of firefox and I can't access it with the rest of the system. Sure using firejail --join=XXXX I can see it in the terminal but I can't seem to move it anywhere outside the chroot. Which in a way is good, it shows great security.
So here's my question: what is the best way to access a file downloaded in a private jail and move it outside the jail? If there's any.
Your lights on this would really help :)
Thanks !
You can switch to using --private=directory, but if your goal is to prevent writing to disk that wouldn't work.
You can use mkdir /tmp/xyz, --private=/tmp/xyz and later rm -rf but it'd be a bit tedious.
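I guess you could make a bash script like
`````
#!/bin/bash
# Throwaway directory used as the sandbox home
fjdir=$(mktemp -d)
echo "Saving files to $fjdir, please copy them out before exiting"
# Quote the expansions so paths and program names with spaces survive
firejail --private="$fjdir" "$1"
# Remove the directory once the sandboxed program exits
rm -rf -- "$fjdir"
`````
Save it somewhere and just invoke it like "./fjtmp firefox".
You can also substitute rm -rf with srm -rfv.
Be warned there are a few distros in which /tmp is written to disk and not simply in RAM.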
You can grab them with --get=XXXX - in the man page:
`````
FILE TRANSFER
       These features allow the user to inspect the filesystem container of
       an existing sandbox and transfer files from the container to the host
       filesystem.

       --get=name|pid filename
              Retrieve the container file and store it on the host in the
              current working directory. The container is specified by name
              or PID.

       --ls=name|pid dir_or_filename
              List container files. The container is specified by name or
              PID.

       --put=name|pid src-filename dest-filename
              Put src-filename in sandbox container. The container is
              specified by name or PID.

       Examples:

              $ firejail --name=mybrowser --private firefox

              $ firejail --ls=mybrowser ~/Downloads
              drwxr-xr-x netblue netblue 4096 .
              drwxr-xr-x netblue netblue 4096 ..
              -rw-r--r-- netblue netblue 7847 x11-x305.png
              -rw-r--r-- netblue netblue 6800 x11-x642.png
              -rw-r--r-- netblue netblue 34139 xpra-clipboard.png

              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png

              $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
`````
Oh no I totally missed this in the manual :(. Thanks a lot I'm really sorry for the trouble ! I'll close this.
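The --ls/--get transfer quoted from the man page above, wrapped into a helper that copies every regular file out of a running sandbox's download directory. This is an added example, not part of the original thread or of firejail itself; the function names, the FIREJAIL override variable and the reliance on the five-field --ls output shown in the excerpt are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or the firejail project).
# Hypothetical names: FIREJAIL, fj_list_files, fj_fetch_downloads.
FIREJAIL=${FIREJAIL:-firejail}   # overridable so a stub can stand in for firejail

# fj_list_files SANDBOX DIR
# Print the regular files in DIR inside the sandbox, one name per line.
# Assumes --ls prints "perms user group size name" as in the man page excerpt.
fj_list_files() (
    out=$("$FIREJAIL" --ls="$1" "$2") || exit 1
    while read -r perms owner group size name; do
        case $perms in -*) ;; *) continue ;; esac    # skip dirs, symlinks, devices
        case $name in ''|.|..|*/*) continue ;; esac  # names come from inside the jail
        printf '%s\n' "$name"
    done <<EOF
$out
EOF
)

# fj_fetch_downloads SANDBOX DEST [DIR]
# Copy each listed file into DEST on the host. Returns non-zero if the listing
# failed, a transfer failed, or a file was skipped to avoid overwriting.
fj_fetch_downloads() (
    sandbox=$1 dest=$2 dir=${3:-$HOME/Downloads} rc=0
    list=$(fj_list_files "$sandbox" "$dir") || exit 1
    # --get writes into the current working directory, so work from DEST.
    # The ( ) function body is a subshell: the caller's directory is untouched.
    mkdir -p -- "$dest" && cd -- "$dest" || exit 1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ -e "./$name" ]; then
            echo "skipped, already on host: $name" >&2
            rc=1
            continue
        fi
        "$FIREJAIL" --get="$sandbox" "$dir/$name" </dev/null || rc=1
    done <<EOF
$list
EOF
    exit "$rc"
)

# Usage, with a sandbox started as in the man page example:
#   firejail --name=mybrowser --private firefox
#   fj_fetch_downloads mybrowser ~/from-jail
```

The sandbox has to be running when the helper is called, since --ls and --get address it by name or PID.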