This might have been on the radar a couple years back: https://github.com/netblue30/firejail/issues/719
I'm trying to allow ssh login w/ a firejail shell and run commands with arguments.
i.e.: mkdir -p /var/crash
Both of these are not working:
ssh test@0 "mkdir -p /var/crash"
firejail -c "mkdir -p /var/crash"
[root@centos users]# firejail --version
firejail version 0.9.44.10
[root@netdump-poc-01 users]# firejail -c "mkdir -p /var/crash"
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
** Note: you can use --noprofile to disable server.profile **
/bin/bash: mkdir -p /var/crash: No such file or directory
Are there any suggested workarounds for this?
Just to understand the problem. I have user test set with /usr/bin/firejail shell in /etc/passwd. I try to:
$ ssh test@0 "mkdir -p ~/crash"
In my case it does nothing after login, just sits there. Is this your setup?
I have the same setup with /usr/bin/firejail as the shell in /etc/passwd. However, on ssh login, I get:
"/bin/bash: mkdir -p ~/crash: No such file or directory"
If I run something like "uname" I get a valid response. It only fails when running commands with arguments.
Try without the quotes. firejail -c mkdir -p ~/crash worked just fine for me right here (note that firejail -c mkdir -p /var/crash gave me mkdir: cannot create directory ‘/var/crash’: Read-only file system as expected).
If there is a potential ambiguity, you can use firejail -c -- program [args] to ensure all other arguments are passed to the program.
You're correct on the quotes with -c. It works once you remove the quotes.
[root@netdump-poc-01 ~]# firejail --profile=/etc/firejail/default.profile -c touch ~/LOCAL_FILE
[root@netdump-poc-01 ~]# ls -al ~/LOCAL_FILE
-rw-r--r-- 1 root root 0 Mar 30 17:53 /root/LOCAL_FILE
However, doing this through an SSH session it does fail. Below is a snippet:
[root@vm-client ~]# ssh -qv netdump@netdump-poc-01 -i /etc/kdump_id_rsa touch /tmp/FROM_REMOTE
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
.....
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: touch /tmp/FROM_REMOTE
/bin/bash: touch /tmp/FROM_REMOTE: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2880, received 3756 bytes, in 0.1 seconds
Bytes per second: sent 36638.8, received 47783.1
debug1: Exit status 127
[root@vm-client ~]#
Hmmm...I tried running
*chiraag@chiraag@14:05:+31%:~ $ ssh -qv localhost /usr/bin/firejail touch /tmp/test
and it worked:
...
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: /usr/bin/firejail touch /tmp/test
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2248, received 2292 bytes, in 0.2 seconds
Bytes per second: sent 12132.4, received 12369.9
debug1: Exit status 0
*chiraag@chiraag@14:05:+31%:~ $ ls -la /tmp/test
-rw-r--r-- 1 chiraag chiraag 0 Mar 30 14:05 /tmp/test
I didn't directly test the case where firejail is my shell, but wouldn't this effectively be what it runs? If not, this should hopefully help bisect the problem.
Agreed. I just ran with a different user, with /bin/bash as the shell and it worked.
ssh -qv netdump3@netdump-poc-01 -i /etc/kdump_id_rsa /usr/bin/firejail --profile=/etc/firejail/default.profile -c touch /users/netdump3/FROM_REMOTE_3
.....
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: /usr/bin/firejail --profile=/etc/firejail/default.profile -c touch /users/netdump3/FROM_REMOTE_3
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2952, received 3672 bytes, in 0.1 seconds
Bytes per second: sent 31848.4, received 39616.3
debug1: Exit status 0
So looks to be something with how it interprets commands passed over SSH.
It's similar to https://github.com/netblue30/firejail/issues/887
Any chance on getting this fixed?
I'm going to mess around with my Debian VM to figure out what's going on and if I can replicate.
Hello,
Same problem here: in remote SSH access or in local access, the arguments are not working:
seccomp filter configured
noroot user namespace installed
Dropping all capabilities
Drop privileges: pid 1, uid 1002, gid 1002, nogroups 0
starting application
LD_PRELOAD=(null)
Running 'ls -alh' command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'ls -alh'
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.32 seccomp filter
/bin/bash: ls -alh : command not found
monitoring pid 113
Firejail version : 0.9.56~rc1-1
O/S : Debian 9.4
Kernel : 4.9.0-6-amd64 (Debian)
Thanks in advance for your next fix!
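The failure mode visible in the debug output above, reproduced with a plain shell as an added example (not firejail code and not part of the original thread). sshd passes the remote command to the account's login shell as a single `-c` argument; the function names here are hypothetical, and the assumption is that the literal quotes printed in `execvp argument 2: 'ls -alh'` are part of the argument, which matches the error message.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, sample commands constructed.
#
# sshd runs:  <login shell> -c "<command string>"
# so the whole remote command arrives as ONE argv element.

# Mirrors the failing handoff: the string is wrapped in single quotes before
# it reaches the inner shell, so the shell sees one word and looks for a
# program literally named "touch /path/file".
run_as_single_word() {
    /bin/sh -c "'$1'" 2>/dev/null
}

# Hands the string to the inner shell unmodified, so the shell's own parser
# splits it into program and arguments.
run_as_command_string() {
    /bin/sh -c "$1"
}

# Print the exit status a handler produces for a command string.
status_of() {
    handler=$1; shift
    rc=0
    "$handler" "$@" || rc=$?
    echo "$rc"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'single word:    exit %s\n' "$(status_of run_as_single_word "touch $dir/a")"
    printf 'command string: exit %s\n' "$(status_of run_as_command_string "touch $dir/b")"
    ls "$dir"            # only "b" exists
    rm -rf "$dir"
}

demo
```

The single-word path exits with 127, the same status the ssh client reports in the failing session earlier in the thread.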
Yeah, this is definitely a bug (I just replicated in my VM). Probably related to #1644 as well.
I'm actually getting a hang when I try to actually run a program, and --debug isn't working as an argument. There's something really wrong going on with argument parsing when firejail is used as the shell.
Shit. I see what's happening. The problem seems to be that since argc != 1, login_shell is never set to 1, which breaks a ton of things.
@netblue30 We should probably look into this. firejail-as-shell seems to be pretty broken currently (unless this was fixed in 0.9.56... @chtaylo2?)
@chiraag-nataraj @netblue30 - Hey, I checked the new version and it doesn't fix the above issue. Same thing is happening.
Thanks
Hello dev team,
Any news on this issue?
Thank you :)
Even with the recent updates to the repo, I'm still seeing this issue.
Is there a plan for getting this fixed?
Thanks!
Hello... is there any update/plan on getting this fixed? Thanks.
Well, it's been more than 6 months since the last comment. Any update on this issue? When will a fix be available?