
firejail inside firejail broken #2877

@rusty-snake

Preparation

  • install firejail from git
  • sudo firecfg

Syntax

$: regular user shell
%: shell inside firejail
>: comment
$PRG$: any program with a firecfg symlink

Issue 1

Outer firejail with private-etc without passwd.

$ firejail --private-etc="empty" --noprofile bash
% $PRG$
Error getpwuid: main.c:299 init_cfg: No such file or directory
% firejail echo
Error getpwuid: main.c:299 init_cfg: No such file or directory

Issue 2

Let's fix 1 and add passwd to private-etc.

Outer firejail with private-etc without login.defs.

Adding firejail to private-etc because of 3.

$ firejail --private-etc="passwd,firejail" --noprofile bash
% firejail echo "Hello, Wolrd!"
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. echo will run without any additional sandboxing features
Hello, Wolrd!
> Ugly message, but works.

Issue 3

$ firejail --private-etc="passwd,login.defs" --noprofile bash
% $PRG$
Error: Firejail configuration file /etc/firejail/firejail.config not found
% firejail echo "Hello, World!"
Error: Firejail configuration file /etc/firejail/firejail.config not found

Bad commit: 8bff773 @smitsohu

3.1

$ firejail --private-etc="passwd,login.defs" --noprofile $PRG$
Error: Firejail configuration file /etc/firejail/firejail.config not found

Workaround: private-bin

$ firejail --private-etc="passwd,login.defs" --noprofile --shell=none --private-bin="$PRG$" $PRG$

or

$ firejail --private-etc="passwd,login.defs" --noprofile --private-bin="$PRG$,SHELL" $PRG$

Labels

  • bug: Something isn't working
  • firejail-in-firejail: Issues related to running firejail recursively (like `firejail foo`; see #2877)