Firejail: Can't use 'less' on many files in own home directory - is that normal?

Created on 10 Jul 2019  ·  7 Comments  ·  Source: netblue30/firejail

Hey there,

I've just switched to a new distro (Parrot OS) which comes with firejail (and AppArmor) preinstalled. While I appreciate the move to more security in general, I was pretty surprised to find out that it blocks me from reading many of the files in my home directory with the 'less' pager ('permission denied'), while other ways of accessing the file contents work fine (editors like vim, nano, or even just 'cat'). I'm still trying to wrap my head around what exactly is going on, but i think the reason for the permission errors come from /etc/firejail/disable-programs.profile.

Is this really the intended behaviour or is my system misbehaving? What benefit is there in blocking a specific app like less from even reading a file that belongs to me and is in my own home directory, while other programs can display and even modify the same files just fine?

Can anybody shed some light please?
Thanks!

question


All 7 comments

  1. Everything's working fine on your system.
  2. > What benefit is there in blocking a specific app like less from even reading a file that belongs to me and is in my own home directory, while other programs can display and even modify the same files just fine?

less: is firejailed by default after running firecfg
cat: doesn't have a firejail profile
vim, nano: must be enabled by the user

May be helpful for future understanding:
firejail --list: list all running firejail sandboxes
which PROGRAM / where PROGRAM: see what gets executed when running PROGRAM
firecfg --list / ls -l /usr/local/bin | grep firejail: list all programs which are firejailed by default when starting.

Thanks @rusty-snake for your answer, that clears things up a bit.

As a follow-up question in regards to ease of use / convenience: I do work a lot in the terminal, and viewing files (esp. the ones in my own directory) is a very common occurrence. Given that, what is the suggested way of dealing with that use-case without punching too big / too many holes into firejail? Does one allow (whitelist?) individual files whenever one notices a permission denied error? Is there another / better way? Just trying to find out how to i) make use of firejail, while ii) not interrupting my work-flow every few minutes. Is there something like a best-practice document?

I would recommend disabling less in our firecfg.config

@flipsa

  • allow temporarily: firejail --noblacklist="${HOME}/.foo/bar" less .foo/bar
  • allow commonly used files: ~/.config/firejail/less.local:
    noblacklist ${HOME}/.foo/bar
    noblacklist ${HOME}/.foo/baz
  • allow always: comment out include disable-programs.inc in /etc/firejail/less.profile
  • don't firejail less by default (as @Vincent43 suggested)
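The two comments above describe how to tell whether a command is being redirected through firejail (firecfg installs symlinks in /usr/local/bin that point at the firejail binary) and how a per-user less.local override can un-blacklist specific paths under ${HOME}. The following helpers are an added example, not code from the firejail project or from anyone in this thread. They assume the firecfg symlink layout just described, and they write the override into the directory named by a hypothetical FIREJAIL_LOCAL_DIR variable (defaulting to ~/.config/firejail) so the behaviour can be exercised in a scratch directory without touching a real configuration.

```shell
#!/bin/sh
# Added example, not part of firejail. Two helpers:
#   is_firejailed CMD        -> 0 if CMD resolves to a firecfg symlink to firejail,
#                               1 if it runs unsandboxed, 2 if CMD is not found
#   firejail_allow_in_less P -> append "noblacklist ${HOME}/<rel>" lines for each
#                               path P under $HOME to less.local, print the count
# Assumption: override dir is $FIREJAIL_LOCAL_DIR (hypothetical variable for this
# example), falling back to ~/.config/firejail, which is where firejail looks.

is_firejailed() {
    cmd_path=$(command -v "$1" 2>/dev/null) || return 2
    # firecfg-redirected commands are symlinks; a regular file is the real program
    [ -L "$cmd_path" ] || return 1
    target=$(readlink -f "$cmd_path")
    case "$target" in
        */firejail) return 0 ;;
        *) return 1 ;;
    esac
}

firejail_allow_in_less() {
    dir=${FIREJAIL_LOCAL_DIR:-$HOME/.config/firejail}
    local_file=$dir/less.local
    mkdir -p -- "$dir"
    touch -- "$local_file"
    added=0
    for p in "$@"; do
        # Only paths under $HOME make sense here: that is where the
        # disable-*.inc blacklists apply. Anything else is reported and skipped.
        case "$p" in
            "$HOME"/*) rel=${p#"$HOME"/} ;;
            *) printf 'skip: %s is not under %s\n' "$p" "$HOME" >&2; continue ;;
        esac
        line="noblacklist \${HOME}/$rel"
        # Keep the override idempotent: never duplicate an existing line.
        if ! grep -qxF -- "$line" "$local_file"; then
            printf '%s\n' "$line" >> "$local_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}
```

Typical use is `is_firejailed less && firejail_allow_in_less "$HOME/.foo/bar"`; the literal `${HOME}` in the written line is intentional, because firejail expands it itself when it reads the profile. Narrow `noblacklist` entries in a .local file keep the rest of the profile intact, which is the least invasive of the options listed above.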

That answers my question - closing this issue as solved.
Thanks to both of you!

Alternatively we may remove include disable-common.inc and include disable-programs.inc from less profile. Maybe make all ${HOME} except .lesshst read-only?
