Bug 30858

Summary: firetools update, have a couple wrinkles
Product: Mageia Reporter: Morgan Leijström <fri>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: firetools-0.9.62-2.mga8.src.rpm CVE:
Status comment:

Description Morgan Leijström 2022-09-17 16:02:50 CEST 
Description of problems

While testing firejail update Bug 30528, I notice that for both our current update and the update testing version:


1) the command firetools from package firetools only produce a popup error message "Can not run Firejail sandbox, you may not have the correct permissions to access this program". No matter if launched by Plasma menu, or in terminal.

2) firetools-ui works, but enabling
  [x] Trace system and network access
Then it exits, with output in terminal from where i started it: 
  "Cannot open trace log file: No such device or address"


I notice mga8 have firejail 0.9.64 but only firetools 0.9.62.
We should have updated firetools too - last version is 0.9.64, and it have added suport for firejail 0.9.64, listed at https://firejailtools.wordpress.com/release-notes/ :

Maybe an update will fix the problems?
Anyway that seems like a good first step.

And now we have firejail 0.9.70 in updates testing - we should keep an eye on if a new firetool version is coming upstream soon.

Assigning to Jani, as he updated firejail
Comment 1 Jani Välimaa 2022-09-17 19:52:37 CEST Comment hidden (obsolete)

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Comment 2 Jani Välimaa 2022-09-17 21:11:57 CEST 
Firetools fails because firejail can't read UID_MIN and/or GID_MIN from non world readable /etc/login.defs and therefore prints "Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default" to stderr [1][2]. Firetool interpret that as an error and exits [3].

We install /etc/login.defs from shadow-utils for unknown reason with:
%attr(0640,root,shadow) %config(noreplace) %{_sysconfdir}/login.defs

[1] https://github.com/netblue30/firejail/blob/0.9.70/src/lib/firejail_user.c#L44
[2] https://github.com/netblue30/firejail/blob/0.9.70/src/lib/firejail_user.c#L89
[3] https://github.com/netblue30/firetools/blob/0.9.64/src/firetools/mainwindow.cpp#L49
Comment 3 Jani Välimaa 2022-09-17 22:00:55 CEST 
I guess I'll have to patch firejail in mga8 to output only a warning if /etc/login.defs is non-readable.

In cauldron this is fixed by changing /etc/login.defs to world readable.
Comment 4 Jani Välimaa 2022-09-17 22:20:32 CEST 
(In reply to Jani Välimaa from comment #3)
> I guess I'll have to patch firejail in mga8 to output only a warning if
> /etc/login.defs is non-readable.
> 

Pushed updated firejail for bug 30528 to also fix new firetools. Please test firetools-0.9.64-1.1.mga8 from core/updates_testing with firejail-0.9.70-1.1.mga8.

New firetools release adds stricter reqs for firejail.

RPMS/SRPMS:
firetools-0.9.64-1.1.mga8
Comment 5 Morgan Leijström 2022-09-18 08:49:09 CEST 
Progressing :)

OK: In drakrpm selected firetools-0.9.64-1.1.mga8, and pulled in firejail-0.9.70-1.1.mga8 too.

---

Nitpick: I now spotted a typo in description:

 firetools - Graphical user interface for Firajail​    

"Firajail" no need to push update for that, but maybe fix source.

---

OK: firetools now launch correctly, and from its launcher i can double click applications to start.  I can also right click and get a menu.

---

Fail: custom security profile, even using all default values

Launch firetools-ui, select Network, Firefox.
If you keep
 "(o) Use a default security profile"
and click Continue, Done - Firefox get launched OK.

But if you instead select 
 "(o) Build a custom security profile"
And continue with all default, it fail to launch.

  Last lines in terminal:
Warning: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Reading profile /tmp/firejail-ui-IiQ7KJ
Reading profile /etc/firejail/disable-common.inc
Error: cannot access profile file: /etc/firejail/disable-passwdmgr.inc
Sandbox started, exiting firejail-ui...

---

Fail: Logging.
Still as Comment 0 point 2

---

By the way: Maybe also update
  fdns - Firejail DNS-over-HTTPS Proxy Server​
so we have the full "suite" updated.
I have found nothing saying update is needed and have not tested it at all, but our version is two and a half year old.
Comment 6 Jani Välimaa 2022-09-18 18:22:23 CEST 
disable-passwdmgr.inc was removed in firejail 0.9.68 [1]. I'll push another firetools release without disable-passwdmgr.inc includes.

[1] https://github.com/netblue30/firejail/commit/ca8603c09d8ec0ac05e5853485707fe9f96499f2
Comment 7 Jani Välimaa 2022-09-18 18:30:50 CEST 
(In reply to Jani Välimaa from comment #6)
> disable-passwdmgr.inc was removed in firejail 0.9.68 [1]. I'll push another
> firetools release without disable-passwdmgr.inc includes.
> 
> [1]
> https://github.com/netblue30/firejail/commit/
> ca8603c09d8ec0ac05e5853485707fe9f96499f2

Please test firetools-0.9.64-1.2.mga8 from mga8 core/udpates_testing. New release fixes typo in summary and doesn't try to include nonexistent disable-passwdmgr.inc.

SRPMS/RPMS:
firetools-0.9.64-1.2.mga8
Comment 8 Morgan Leijström 2022-09-18 22:08:02 CEST 
Custom profile seem to be fixed (from my Comment 5
(BTW my typo there: wrote firetools-ui, meant firejail-ui)

Logging still fail like Comment 0 point 2.
Comment 9 Jani Välimaa 2022-09-20 18:04:37 CEST 
(In reply to Morgan Leijström from comment #8)
> Custom profile seem to be fixed (from my Comment 5
> (BTW my typo there: wrote firetools-ui, meant firejail-ui)
> 
> Logging still fail like Comment 0 point 2.

Does it also happen with one from Core Release?
Comment 10 Morgan Leijström 2022-09-20 19:58:51 CEST 
$ sudo urpmi --downgrade --search-media 'Core Release' firetools
$ firejail-ui --version
Firejail-ui version 0.9.62
$ firejail --version
firejail version 0.9.70


-> Yes same problem.

But manually launching with tracing seem to work
$ firejail --trace firefox

(Firefox runs, but I have not investigated what tracing really achieve...)
Comment 11 Herman Viaene 2022-09-24 10:14:01 CEST 
Selecting firetools package in QArepo, then trying to install it, gives me
"firetools-0.9.64-1.2.mga8.x86_64 (due to unsatisfied firejail[>= 0.9.70-1.1])"

CC: (none) => herman.viaene

Comment 12 Morgan Leijström 2022-09-24 12:01:00 CEST 
firejail-0.9.70-1.1.mga8.x86_64.rpm is in core/updates_testing/
Comment 13 Herman Viaene 2022-09-24 12:05:22 CEST 
I had similar problems on another update so I guees there is some mirror synching at play. Will try later.
Comment 14 Herman Viaene 2022-09-26 10:24:19 CEST 
Tested version indicated in Comment 7:
$ firejail --version
Warning: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
firejail version 0.9.70
Comment 15 Morgan Leijström 2022-09-26 10:41:16 CEST 
? comment 7 states firetools version.

Anyway you now run latest firejail, and that Warning seem to be harmless.
Comment 16 Herman Viaene 2022-09-26 11:35:04 CEST 
MGA8-64 plasma on Acer Aspire 5253
No installation issues
Launched firetools, picked Okular from the listed applications , run it, and opened a pdf file in it. Works OK.

Whiteboard: (none) => MGA8-64-OK

Comment 17 Thomas Andrews 2022-09-26 14:22:08 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-01 17:17:39 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 18 Mageia Robot 2022-10-01 19:49:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2022-0130.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED