joining an existing sandbox/permissions issue

[Rosika2]

Hi all, 👋

I have a query about (probably) firejail permissions.

My system is: Linux Lite 6.2, 64 bit (which is based on Ubuntu).

Here´s the scenario:

I start a browser instance (w3m) in a private directory the following way:

firejail --private=/home/rosika/Musik/kgw/ --dns=1.1.1.1 --dns=9.9.9.9 w3m "duckduckgo.com"

To check the working state of the DNS settings I join the sandbox identified by PID thus (the pid of the running sandbox instance is 30391):
firejail --join=30391
From here I´d like to issue the nslookup command, which doesn´t seem to be allowed:
(BTW: my default shell is fish)

nslookup duckduckgo.com
fish: Unknown command: nslookup

Now I change to bash and try to use the command from there:

[...]
bash: /usr/bin/nslookup: Permission denied

Curious thing though: The same procedure seems to work when using it on my Debian system.
What might be the cause of not being allowed to use the nslookup command this way ❓
Is there a way around it?

Thanks a lot in advance.
Many greetings from Rosika 🙂

[rusty-snake]

You can not execute nslookup because it is not listed in private-bin

firejail/etc/profile-m-z/w3m.profile

Line 61 in e55c3bf

private-bin perl,sh,w3m

To fix this you can either temporarly add it when you start w3m with --private-bin=nslookup or pass a fd for it when you join.

The same applies to bash and fish. However if you do not specify a command when joining, firejail uses your shell and has special handling to work even when it's missing in the sandbox IIRC.

[Rosika2]

@rusty-snake :
Thanks for your answer:

I tried it:

firejail --private-bin=nslookup,perl,sh,w3m --private=/home/rosika/Musik/kgw/ --dns=1.1.1.1 --dns=9.9.9.9 w3m "duckduckgo.com"

It started the browser alright, but joing still failed:

 firejail --join=37784 nslookup duckduckgo.com
Switching to pid 37785, the first child process inside the sandbox
Child process initialized in 11.10 ms
fish: Unknown command: nslookup
'nslookup' 'duckduckgo.com' 
^

...

or pass a fd for it when you join.

Sorry, but I don´t quite understand. Could you explain it further?

Many greetings
Rosika 🙂

P.S.:

I also tried

firejail --join=40280 sh -c 'nslookup duckduckgo.com'
Switching to pid 40281, the first child process inside the sandbox
Child process initialized in 16.53 ms
sh: 1: nslookup: Permission denied

It didn´t work either.

[rusty-snake]

Forgot, we also blacklist nslookup => --nobacklist='${PATH}/nslookup --private-bin=nslookup.

[rusty-snake]

Sorry, but I don´t quite understand. Could you explain it further?

firejail --keep-fd=4 --join=PID /proc/self/fd/4 4</usr/bin/nslookup duckduckgo.com

[Rosika2]

So sorry, still no luck:
firejail --noblacklist=/usr/bin/nslookup --private-bin=nslookup,perl,sh,w3m --private=/home/rosika/Musik/kgw/ --dns=1.1.1.1 --dns=9.9.9.9 w3m "duckduckgo.com"

That´s o.k. Then:

firejail --join=42788 sh -c 'nslookup duckduckgo.com'
Switching to pid 42789, the first child process inside the sandbox
Child process initialized in 17.24 ms
sh: 1: nslookup: Permission denied

also:

firejail --keep-fd=4 --join=42788 /proc/self/fd/4 4</usr/bin/nslookup duckduckgo.com
Error: invalid --keep-fd=4 command line option

Thanks and cheers
Rosika 🙂

[rusty-snake]

1. What does it show if you replace w3m with ls -l /usr/bin/nslookup
2. If you use an old firejail version, just omit the --keep-fd.

[rusty-snake]

1. You have to use --noblacklist='${PATH}/nslookup' or start nslookup with the path you have noblacklisted.

[Rosika2]

@rusty-snake :

Hi again and thanks for your help.
With your help I got it working now:

• step 1: firejail --private-bin=nslookup,perl,sh,w3m --private=/home/rosika/Musik/kgw/ --dns=1.1.1.1 --dns=9.9.9.9 w3m "duckduckgo.com"
• step 2: firejail --join=15298 /proc/self/fd/4 4</usr/bin/nslookup duckduckgo.com

So (step 2) provided me with this output now:

Switching to pid 15299, the first child process inside the sandbox
Child process initialized in 15.65 ms
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	duckduckgo.com
Address: 40.114.177.156

... which confirms that indeed the DNS server 1.1.1.1 is used by the first command.

If you use an old firejail version, just omit the --keep-fd

That must have been it. It seems my firejail is version 0.9.66. This one doesn´t seem to support "--keep-fd" option.

...

/proc/self/fd/4 4</usr/bin/nslookup duckduckgo.com
This part is still a mystery to me. I´ll have to investigate further. But it did the trick. 👍

What does it show if you replace w3m with ls -l /usr/bin/nslookup

Issuing the command with ls -l /usr/bin/nslookup instead of w3m provides this output:

firejail --private-bin=nslookup,perl,sh,w3m --private=/home/rosika/Musik/kgw/ --dns=1.1.1.1 --dns=9.9.9.9 ls -l /usr/bin/nslookupReading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 16655, child pid 16656

DNS server 1.1.1.1
DNS server 9.9.9.9

Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
5 programs installed in 30.88 ms
Warning: cleaning all supplementary groups
Child process initialized in 149.55 ms
Cannot start application: No such file or directory

Parent is shutting down, bye...

Thanks so much for your help.

Many greetings from Rosika 🙂

[Rosika2]

From man proc I found out:

/proc/self
When a process accesses this magic symbolic link, it resolves to
the process's own /proc/[pid] directory

I was just wondering what the "fs" part stands for. Might it be "file descriptor" by any chance?

Cheers from Rosika 🙂

[rusty-snake]

Correct, it file descriptor number 4

and 4</path/to/file is shell Syntax to open file AS FD number 4.

[Rosika2]

Thanks @rusty-snake for the confirmation and explanation.

Wow, that´s really a clever command you came up with
firejail --join=15298 /proc/self/fd/4 4</usr/bin/nslookup duckduckgo.com
... and it does the job as expected.

I´m glad I could prove now that setting the DNS server the desired way really works.

Yet there´s still one thing which puzzles me:

In the man pages of firejail it says:

−−dns=address
Set a DNS server for the sandbox. Up to three DNS servers can be defined. Use this option if you
don’t trust the DNS setup on your network.
Example:
$ firejail −−dns=8.8.8.8 −−dns=8.8.4.4 firefox
Note: this feature is not supported on systemd-resolved setups.

Well, with your help I could prove it works. But my system is Linux Lite 6.2 (based on Ubuntu) and it
is using systemd-resolved, it seems:

ps ax | grep systemd
    386 ?        S<s    0:00 /lib/systemd/systemd-journald
    424 ?        Ss     0:00 /lib/systemd/systemd-udevd
    782 ?        Ss     0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    814 ?        Ss     0:00 /lib/systemd/systemd-logind
    815 ?        Ss     0:00 /lib/systemd/systemd-machined
    816 ?        Ssl    0:00 /usr/sbin/thermald --systemd --dbus-enable --adaptive
    955 ?        Ss     0:00 /lib/systemd/systemd-networkd
    978 ?        Ss     0:00 /lib/systemd/systemd-resolved
   1522 ?        Ss     0:00 /lib/systemd/systemd --user
   1532 ?        Ss     0:01 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  12617 pts/4    S+     0:00 grep --color=auto systemd

So why the note "this feature is not supported on systemd-resolved setups." ❓

Am I missing something here?

Many greetings from Rosika 🙂

[rusty-snake]

It depends on your nsswitch.conf and maybe on nsswitch.conf beging accessiable inside the sandbox, maybe on available sockets in the sandbox and maybe nslookup does not use the glibc/nss functions that may ignore resolv.conf and always use resolved.conf. (A lot maybes here).

If you want I can post later (Friday) some details on of my hardened dns-setup.

[Rosika2]

Hi @rusty-snake 👋

thanks so much for your answer.
The reason I asked was: At present I´m the middle of a dsicussion with a friend of mine who uses firejail as well but cannot get the dns option to work.

He said (regarding the DNS settings):

my Debian based systems ( including Devuan and MX) do not work. Yours [# Linux Lite 6.2] do.
He isuued this command (in Devuan):

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote

and got this:

Reading profile /etc/firejail/firefox.profile
[...]
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
firejail: util.c:910: create_empty_dir_as_root: Assertion `(s.st_mode & 07777) == (mode)' failed.
Error: proc 21256 cannot sync with peer: unexpected EOF
Peer 21259 unexpectedly killed (Segmentation fault)

But thanks for the explanation you provided. We´ll look closer at it. 🙂

If you want I can post later (Friday) some details on of my hardened dns-setup.

That would be highly appreciated. ❤️
Thanks a lot in advance.

Many greetings from Rosika 🙂

[rusty-snake]

>> #5828

[Rosika2]

Hi @rusty-snake, 👋

thank you so much for providing your hardened DNS setup. It´s much appreciated. 😗
You certainly put a lot of time and effort into it. And it´s impressive indeed.

To be honest, I have to take a very close look at it a few times more in order to even begin to understand it a little. But it´s worth the effort.

I use Fedora and everything here assumes the default of Fedora.

O.K.
Well, Linux Lite 6.2, which I am using, is Ubuntu-based.

E.g. I noticed that
/etc/NetworkManager/NetworkManager.conf:
looks different on my system:

[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=true

[device]
wifi.scan-rand-mac-address=no

So I might download Fedora and install it in a virtual machine to be able to follow your steps.

I´ll also draw my friend´s attention to it as he is also very interested in your DNS setup.

BTW:
My friend could resolve the problem he encountered by installing a newer version of firejail in MX.
The DNS settings now work as desired with him as well. 😉

Thanks a lot again for your kind help and perseverance. ❤️

Many greetings from Rosika 🙂