Reintroduce shell feature

[ganeshjkale]

#OS : Redhat 9.4
#Firejail : v0.9.72
#Command
firejail --shell=/bin/rbash --profile=/etc/firejail/abc.profile /usr/bin/gedit
firejail --shell=/bin/rbash /usr/bin/gedit
firejail --shell=/bin/rbash --noprofile /usr/bin/gedit

shell feature enables to provide more security , not able to find its alternative and documentation.
please help

[rusty-snake]

What do you mean with shell feature?

Why does it provide more security?

[kmk3]

Basic information is missing; please follow the feature request template:

• https://github.com/netblue30/firejail/issues/new?template=feature_request.md

[ganeshjkale]

For eg. combine firejail with rbash or custom shell

[rusty-snake]

firejail rbash?

You need to explain in more detail.

[ganeshjkale]

Firejail v0.9.70 below command.
firejail --shell=/bin/rbash application

[rusty-snake]

And why is a --shell required? Why not simply firejail /bin/rbash application?

[ganeshjkale]

#not working getting cannot execute binary gedit.
firejail /bin/rbash gedit

#working
firejail gedit

[rusty-snake]

Maybe you should outline why you even need/want a rbash.

not working getting cannot execute binary gedit

firejail /bin/bash -r -c gedit

[luitzifa]

IMHO this is a regression introduced in 0.9.72. The --shell feature was removed here: #5190
The feature is needed to use firejail directly as login shell.
This issue is somewhat related to #6206

[rusty-snake]

A small wrapper (e.g. firejail-sh) would fit this better IMHO.

[luitzifa]

I cannot get a wrapper like

root@notebook:~# cat /usr/local/bin/firejail-login.sh
#!/bin/sh
/usr/bin/firejail --quiet --profile=/etc/firejail/myprofile.profile /bin/bash

to work with something like this:
ssh -o IdentityAgent=none [email protected] 'ls /dev'

I can login and execute the command, but i need to be able to execute the command directly over ssh in firejail.

[rusty-snake]

Passing arguments could help. Untested:

#!/bin/sh
exec /usr/bin/firejail --quiet --profile=/etc/firejail/myprofile.profile /bin/bash -- "$@"

[luitzifa]

I tested your wrapper. Did not work :( , also the login is broken too.

❯ ssh -o IdentityAgent=none [email protected]
[email protected]'s password:
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-49-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

Last login: Thu Nov 21 10:24:21 2024 from 127.0.0.1
/bin/bash: -c: No such file or directory
Connection to 127.0.0.1 closed.
❯ ssh -o IdentityAgent=none [email protected] 'ls /dev'
[email protected]'s password:
/bin/bash: -c: No such file or directory

[rusty-snake]

If passing non-file-arguments to bash is required, remove the --.

[luitzifa]

That did the trick. I will test it further:

❯ cat /usr/local/bin/firejail-login.sh
#!/bin/sh
/usr/bin/firejail --quiet --profile=/etc/firejail/myloginshell.profile /bin/bash "$@"
❯ grep testuser /etc/passwd
testuser:x:994:981::/home/testuser:/usr/local/bin/firejail-login.sh
testuser2:x:993:980::/home/testuser2:/usr/bin/firejail
❯ ssh -o IdentityAgent=none [email protected] 'ls -la /dev | grep random'
[email protected]'s password:
crw-rw-rw-   1 nobody nogroup   1, 8 Nov 21 10:35 random
crw-rw-rw-   1 nobody nogroup   1, 9 Nov 21 10:35 urandom

Thanks