Delimitate execution permissions for firejail #5288
Labels: documentation
Comments
How is your suggestion different from firejail.users and Create a special firejail group?
Thank you. I think if you mention the file in man firejail somewhere at the top, it would be much easier to notice. But it's off topic, so closing the issue.
kmk3 added the question_old and documentation labels on Aug 2, 2022
kmk3 added a commit to kmk3/firejail that referenced this issue on Aug 3, 2022
People might assume (and have assumed) that firejail can be executed by any user by default, which makes the SUID issue seem more encompassing than it is. So on the introduction of firejail(1), mention the main risk of SUID binaries and that by default, only the root user is allowed to run firejail (and also how to allow more users). Suggested by @emerajid on netblue30#5288. Relates to netblue30#4601.
kmk3 removed the question_old label on Aug 3, 2022
kmk3 added a commit to kmk3/firejail that referenced this issue on Aug 5, 2022
On the introduction of firejail(1), mention the main risk of SUID binaries and that by default, only trusted users should be allowed to run firejail (and how to accomplish that). Note: The added comment line is completely discarded (so there is no extraneous blank line); see groff_man(7) for details. Suggested by @emerajid on netblue30#5288. Relates to netblue30#4601.
kmk3 changed the title from "Delimitate execution permissions for firejail." to "Delimitate execution permissions for firejail" on Aug 11, 2022
kmk3 added a commit that referenced this issue on Aug 18, 2022
Problem: According to what I hear, firejail is targeted at single-user systems. Partly because of not knowing this, many people complain about firejail being a huge bulk of suid code. Personally I think (and therefore write this issue) that single-user design is a pity, because even regular users may have situations where they need to share their laptop.
Solution I'd like: Do what sudo does. A simple file, accessible only by root, with declarative syntax defining which users are allowed to use firejail. I would even suggest allowing users to turn on authorization in case they feel something very unexpected might happen.
If I propose a futile feature, I would dearly like to know why, since I'm not much of a developer.
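The two existing mechanisms named in the comments (the firejail.users file and a dedicated firejail group) can be audited with a short POSIX shell script. This is an added example, not part of the thread and not firejail's own code. It assumes firejail.users holds one username per line, that root is always allowed, that a missing file means no per-user restriction, and that the group approach means a root:firejail binary with mode 4750; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not firejail code. Assumptions: firejail.users holds one
# username per line, root is always allowed, and a missing file means no
# per-user restriction (as described in firejail-users(5)).

# Print "allowed" or "denied" for a user against a firejail.users-style file.
firejail_user_allowed() {
    user=$1
    users_file=$2
    [ "$user" = "root" ] && { echo allowed; return 0; }
    [ -e "$users_file" ] || { echo allowed; return 0; }
    # -F -x: literal whole-line match, so "al" never matches "alice".
    if grep -Fxq -- "$user" "$users_file"; then
        echo allowed
    else
        echo denied
    fi
}

# Classify the binary's permission bits. A group-restricted install
# (assumed here: root:firejail, mode 4750) reports "suid-restricted".
firejail_mode_exposure() {
    bin=$1
    [ -u "$bin" ] || { echo not-suid; return 0; }
    # Character 10 of the ls mode string is the execute bit for "other".
    case $(ls -ld "$bin" | cut -c10) in
        x|t) echo suid-world-executable ;;
        *)   echo suid-restricted ;;
    esac
}

# Constructed sample data: a stand-in binary and users file in a temp dir.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'alice\nbob\n' > "$dir/firejail.users"
    : > "$dir/firejail"
    chmod 4750 "$dir/firejail"
    echo "alice:   $(firejail_user_allowed alice "$dir/firejail.users")"
    echo "mallory: $(firejail_user_allowed mallory "$dir/firejail.users")"
    echo "binary:  $(firejail_mode_exposure "$dir/firejail")"
    rm -rf "$dir"
}
demo
```

On a real system, pass the installed firejail binary and its users file to the two functions instead of the constructed temp files.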