I confirm that my $PATH variable isn't right. I fixed it in the .zshrc, restarted a console, but the man problem still persists.
The /etc/firejail/firejail.users file contains only maltemo, so that's good.
I installed IPsec/L2TP via apt install strongswan.
Finally, I tried firejail --debug and I got this output:
Autoselecting /usr/bin/zsh as shell
Command name #/usr/bin/zsh#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Reading profile /etc/firejail/default.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 4341, child pid 4342
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp.protocol (null)
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/nginx
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/lighttpd
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/maltemo/.local/share/Trash
Disable /home/maltemo/.bash_history
Disable /home/maltemo/.node_repl_history
Disable /home/maltemo/.zsh_history
Disable /home/maltemo/.config/autostart
Disable /home/maltemo/.config/openbox
Disable /home/maltemo/.config/startupconfig
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/maltemo/.Xauthority
Disable /home/maltemo/.config/khotkeysrc
Disable /home/maltemo/.config/kscreenlockerrc
Disable /home/maltemo/.config/kwinrc
Disable /home/maltemo/.config/plasma-org.kde.plasma.desktop-appletsrc
Mounting read-only /home/maltemo/.config/kdeglobals
Mounting read-only /home/maltemo/.kde/share/config/kdeglobals
Disable /var/lib/systemd
Disable /usr/bin/zuluCrypt-cli
Disable /usr/bin/zuluMount-cli
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.d
Disable /etc/cron.daily
Disable /etc/cron.hourly
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/crontab
Disable /etc/profile.d
Disable /etc/rc0.d
Disable /etc/rc1.d
Disable /etc/rc2.d
Disable /etc/rc3.d
Disable /etc/rc4.d
Disable /etc/rc5.d
Disable /etc/rc6.d
Disable /etc/rcS.d
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/dkms
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/selinux
Disable /etc/modules
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/adduser.conf
Mounting read-only /home/maltemo/.bashrc
Mounting read-only /home/maltemo/.oh-my-zsh
Mounting read-only /home/maltemo/.profile
Mounting read-only /home/maltemo/.zshrc
Mounting read-only /home/maltemo/.emacs
Mounting read-only /home/maltemo/.vim
Mounting read-only /home/maltemo/.viminfo
Mounting read-only /home/maltemo/.vimrc
Mounting read-only /home/maltemo/.local/bin
Mounting read-only /home/maltemo/.config/menus
Mounting read-only /home/maltemo/.local/share/applications
Disable /home/maltemo/.gnupg
Disable /home/maltemo/.local/share/keyrings
Disable /home/maltemo/.pki
Disable /home/maltemo/.local/share/pki
Disable /home/maltemo/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /sbin
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /bin/fusermount
Disable /usr/bin/gpasswd
Disable /bin/mount
Disable /bin/nc.traditional (requested /bin/nc)
Disable /usr/bin/newgrp
Disable /bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /bin/su
Disable /usr/bin/sudo
Disable /bin/umount
Disable /usr/bin/xev
Disable /usr/bin/mate-terminal (requested /usr/local/bin/gnome-terminal)
Disable /usr/bin/mate-terminal
Disable /usr/bin/mate-terminal.wrapper
Disable /usr/bin/bwrap
Disable /home/maltemo/.config/KeePass
Disable /home/maltemo/.AndroidStudio3.3
Disable /home/maltemo/.android
Disable /home/maltemo/.config/akregatorrc
Disable /home/maltemo/.config/caja
Disable /home/maltemo/.config/clipit
Disable /home/maltemo/.config/discord
Disable /home/maltemo/.config/emaildefaults
Disable /home/maltemo/.config/geany
Disable /home/maltemo/.config/katepartrc
Disable /home/maltemo/.config/kateschemarc
Disable /home/maltemo/.config/katesyntaxhighlightingrc
Disable /home/maltemo/.config/katevirc
Disable /home/maltemo/.config/libreoffice
Disable /home/maltemo/.config/mate/eom
Disable /home/maltemo/.config/pcmanfm
Disable /home/maltemo/.config/pluma
Disable /home/maltemo/.config/torbrowser
Disable /home/maltemo/.config/vlc
Disable /home/maltemo/.config/wireshark
Disable /home/maltemo/.emacs
Disable /home/maltemo/.emacs
Disable /home/maltemo/.gitconfig
Disable /home/maltemo/.gradle
Disable /home/maltemo/.java
Disable /home/maltemo/.local/share/torbrowser
Disable /home/maltemo/.local/share/vlc
Disable /home/maltemo/.mozilla
Disable /tmp/ssh-catZiSaoXbDb
Disable /home/maltemo/.cache/atril
Disable /home/maltemo/.cache/mozilla
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
1269 1115 0:71 /pulse /home/maltemo/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1269 fsname=/pulse dir=/home/maltemo/.config/pulse fstype=tmpfs
Current directory: /home/maltemo
DISPLAY=:0.0 parsed as 0
Dropping all capabilities
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null)
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1
No supplementary groups
line OP JT JF K
=================================
0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 15 01 00 00000029 jeq socket 0006 (false 0005)
0005: 06 00 00 7fff0000 ret ALLOW
0006: 20 00 00 00000010 ld data.args[0]
0007: 15 00 01 00000001 jeq 1 0008 (false 0009)
0008: 06 00 00 7fff0000 ret ALLOW
0009: 15 00 01 00000002 jeq 2 000a (false 000b)
000a: 06 00 00 7fff0000 ret ALLOW
000b: 15 00 01 0000000a jeq a 000c (false 000d)
000c: 06 00 00 7fff0000 ret ALLOW
000d: 06 00 00 0005005f ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp.32 (null)
Dropping all capabilities
Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1
No supplementary groups
line OP JT JF K
=================================
0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 15 30 00 00000015 jeq 15 0035 (false 0005)
0005: 15 2f 00 00000034 jeq 34 0035 (false 0006)
0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007)
0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008)
0008: 15 2c 00 00000155 jeq 155 0035 (false 0009)
0009: 15 2b 00 00000156 jeq 156 0035 (false 000a)
000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b)
000b: 15 29 00 00000080 jeq 80 0035 (false 000c)
000c: 15 28 00 0000015e jeq 15e 0035 (false 000d)
000d: 15 27 00 00000081 jeq 81 0035 (false 000e)
000e: 15 26 00 0000006e jeq 6e 0035 (false 000f)
000f: 15 25 00 00000065 jeq 65 0035 (false 0010)
0010: 15 24 00 00000121 jeq 121 0035 (false 0011)
0011: 15 23 00 00000057 jeq 57 0035 (false 0012)
0012: 15 22 00 00000073 jeq 73 0035 (false 0013)
0013: 15 21 00 00000067 jeq 67 0035 (false 0014)
0014: 15 20 00 0000015b jeq 15b 0035 (false 0015)
0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016)
0016: 15 1e 00 00000087 jeq 87 0035 (false 0017)
0017: 15 1d 00 00000095 jeq 95 0035 (false 0018)
0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019)
0019: 15 1b 00 00000157 jeq 157 0035 (false 001a)
001a: 15 1a 00 000000fd jeq fd 0035 (false 001b)
001b: 15 19 00 00000150 jeq 150 0035 (false 001c)
001c: 15 18 00 00000152 jeq 152 0035 (false 001d)
001d: 15 17 00 0000015d jeq 15d 0035 (false 001e)
001e: 15 16 00 0000011e jeq 11e 0035 (false 001f)
001f: 15 15 00 0000011f jeq 11f 0035 (false 0020)
0020: 15 14 00 00000120 jeq 120 0035 (false 0021)
0021: 15 13 00 00000056 jeq 56 0035 (false 0022)
0022: 15 12 00 00000033 jeq 33 0035 (false 0023)
0023: 15 11 00 0000007b jeq 7b 0035 (false 0024)
0024: 15 10 00 000000d9 jeq d9 0035 (false 0025)
0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026)
0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027)
0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028)
0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029)
0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a)
002a: 15 0a 00 00000101 jeq 101 0035 (false 002b)
002b: 15 09 00 00000112 jeq 112 0035 (false 002c)
002c: 15 08 00 00000114 jeq 114 0035 (false 002d)
002d: 15 07 00 00000126 jeq 126 0035 (false 002e)
002e: 15 06 00 0000013d jeq 13d 0035 (false 002f)
002f: 15 05 00 0000013c jeq 13c 0035 (false 0030)
0030: 15 04 00 0000003d jeq 3d 0035 (false 0031)
0031: 15 03 00 00000058 jeq 58 0035 (false 0032)
0032: 15 02 00 000000a9 jeq a9 0035 (false 0033)
0033: 15 01 00 00000082 jeq 82 0035 (false 0034)
0034: 06 00 00 7fff0000 ret ALLOW
0035: 06 00 00 00000000 ret KILL
Dual 32/64 bit seccomp filter configured
configuring 74 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp (null)
Dropping all capabilities
Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1
No supplementary groups
line OP JT JF K
=================================
0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005)
0005: 35 01 00 00000000 jge read 0007 (false 0006)
0006: 06 00 00 00050001 ret ERRNO(1)
0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b)
000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035)
0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036)
0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043)
0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
0044: 15 04 00 00000143 jeq userfaultfd 0049 (false 0045)
0045: 15 03 00 00000065 jeq ptrace 0049 (false 0046)
0046: 15 02 00 00000087 jeq personality 0049 (false 0047)
0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048)
0048: 06 00 00 7fff0000 ret ALLOW
0049: 06 00 01 00000000 ret KILL
seccomp filter configured
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
Supplementary groups: 29 44
starting application
LD_PRELOAD=(null)
Running /usr/bin/zsh command through /usr/bin/zsh
execvp argument 0: /usr/bin/zsh
execvp argument 1: -c
execvp argument 2: /usr/bin/zsh
Child process initialized in 89.12 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp.protocol seccomp filter
monitoring pid 6
[oh-my-zsh] Insecure completion-dependent directories detected:
drwxrwsr-x 1 nobody nogroup 28 févr. 23 11:41 /usr/local/share/zsh
drwxrwsr-x 1 nobody nogroup 0 févr. 23 11:41 /usr/local/share/zsh/site-functions
[oh-my-zsh] For safety, we will not load completions from these directories until
[oh-my-zsh] you fix their permissions and ownership and restart zsh.
[oh-my-zsh] See the above list for directories with group or other writability.
[oh-my-zsh] To fix your permissions you can do so by disabling
[oh-my-zsh] the write permission of "group" and "others" and making sure that the
[oh-my-zsh] owner of these directories is either root or your current user.
[oh-my-zsh] The following command may help:
[oh-my-zsh] compaudit | xargs chmod g-w,o-w
[oh-my-zsh] If the above didn't help or you want to skip the verification of
[oh-my-zsh] insecure directories you can set the variable ZSH_DISABLE_COMPFIX to
[oh-my-zsh] "true" before oh-my-zsh is sourced in your zshrc file.
zsh compinit: insecure directories, run compaudit for list.
Ignore insecure directories and continue [y] or abort compinit [n]?
So I responded yes, and then tried man atp.
It worked!
But this is a temporary solution because when I stop the console, I exit the debug mode and I get the same error that I got before.
So I think this is a configuration that I have to make on firejail, am I right?
Thank you for the assistance so far @s1udge, you've been patient and nice.