I compiled firejail with --disable-suid and tried running it, but it fails to start:
Error mkdir: util.c:1014 create_empty_dir_as_root: Permission denied
It tries to create its runtime hierarchy in /run/firejail, which is not possible as an unprivileged user.
If this is not supported, it should check the uid and print a more friendly error message if the user is not root.
If an unprivileged user should be able to run it (without suid-root), maybe it can create required directories in the user's home directory.
I think --disable-suid is only for distros which don't allow packages with setuid binaries in their repos. In that case users are supposed to enable the suid bit on the firejail binary themselves. Otherwise --disable-suid works only when run as the root user.
See also https://github.com/netblue30/firejail/issues/1846#issuecomment-378348886
Seems like this was answered. @reinerh, I'll go ahead and close this, but please feel free to re-open if you have further questions.
It was actually more a bug report or feature request than a question...
If firejail does not support being run without the suid flag, then this should be checked and printed.
If only a subset of the features is working without suid, then it should give a better explanation of what failed (other than "permission denied") and maybe work around it if possible (like falling back to a directory that is actually writable by the user).