However, I prefer to install Steam manually and run it inside Firejail. This article is a reminder to myself, in case I forget how I did it.
Hopefully this information will also be useful to someone else. But I guarantee nothing. This procedure works for me, on my computer, with the few games that I tested. It may or may not work for you.
Firejail is a tool to run another program in a sandbox while preventing it from messing with the rest of the system. It restricts write access to disk, restricts access to your home directory and blocks many forms of interaction between the sandboxed program and other processes on the system.
This kind of sandbox is sorely needed for Steam. Note that playing a game in Steam involves downloading a closed-source program from the Steam store, running that program on your computer while (in many cases) performing complex interaction with untrusted game servers on the Internet. In other words, the attack surface is huge. Even if we assume that no Steam games contain deliberate malicious code, some of them will certainly have bugs that can be remotely exploited to break into your computer. To my knowledge Steam itself does not do any kind of sandboxing, so I need Firejail to do that job.
The easiest way to install Firejail is via Debian Backports.
/etc/apt/sources.list and add a repository for
Then simply run
and remove the backports repository again, unless you want general access to backported packages. Firejail does not need configuring. The default security profile works fine with Steam.
Note that the security provided by Firejail is still quite limited. Once a malicious (or hacked) program is running on your computer, it has many opportunities to take control or steal information. Even from within Firejail, programs can still capture your screen and log your keystrokes.
Go to store.steampowered.com.
Click on the green button at the top of the page that says "Install Steam", then "Install Steam Now".
That button will let you download
If the green button tries to download SteamSetup.exe, ignore the button and instead click on "Also available for Linux".
DO NOT INSTALL THE .DEB PACKAGE.
One does not download commercial closed-source programs and blindly run the installation script as root.
Even assuming the Steam developers are not actively malicious, you just don't know what stunts those people may pull to "provide you with a great user experience".
They might install a background service to automatically install updates; they might override security settings, reconfigure the firewall, change graphics drivers, all in the name of a great experience.
I'm not saying Steam currently does any of these things, but I don't trust them to not mess up my system at some point in the future.
So, leave the .deb file for now.
We will install it manually once we are safely inside the Firejail.
Prepare the system to run Steam
Like most reasonable people, I run Debian on amd64 (i.e. 64-bit Linux). However, Steam is still stuck on i386, that is, Steam games are 32-bit programs. A full set of 32-bit system libraries must be installed before Steam can run.
Debian supports multiarch, allowing 32-bit libraries to be installed via the normal package system without any conflict between the 32-bit and 64-bit worlds.
Enabling multiarch is done by adding i386 as an extra architecture in dpkg and updating the package cache.
Then install the following required 32-bit packages and other dependencies for Steam.
We will run Firejail with a private home directory so that Steam cannot access the real user homedir. Start by creating a private directory for Steam. Also move the Steam installation package to that directory to make it available within the Firejail.
Now start Firejail with the new Steam directory as private homedir.
While still in Firejail, unpack (not install) the Steam Debian package, extract the important files, then run the Steam installer.
Pretty soon, a pop-up window appears with a bunch of text and a confirmation prompt. Don't read what it says, nobody does. Just type Y.
Steam then proceeds to download and install updates. That may take a while. In the meantime, Steam spouts error messages on the terminal. That is apparently normal behaviour for modern software. Eventually, a pop-up appears with the login and password prompt. After logging in, the main user interface window with the game library will appear. At that point Steam should be fully functional: browsing the store, installing and playing games should all just work.
Shortcut for running Steam in Firejail
Now that Steam is fully installed, we need a convenient way to start Steam inside Firejail.
Conceptually this is a two-step process: First start the Firejail by invoking
Then inside the Firejail, run ./steam to start up Steam.
But those two actions can also be done in a single command:
Create a tiny shell script $HOME/bin/runsteam.sh with this command, or set it up as a desktop icon if you want.
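A launcher along these lines, as an added example rather than the article's original script: it refuses to start unless the private directory exists, does not expose the real home directory and contains ./steam, then runs the single-command form. The directory name $HOME/steam-home and the function names are assumptions; --private=DIR is Firejail's option for using DIR as the home directory.

```shell
#!/bin/sh
# Added example launcher, not the article's original script.
# Assumption: Steam was unpacked into $HOME/steam-home (hypothetical name).
STEAM_HOME="${STEAM_HOME:-$HOME/steam-home}"

# Print the canonical path of a usable private home, or fail with a reason.
check_private_home() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    real=$(cd "$dir" && pwd -P) || return 1
    home=$(cd "$HOME" && pwd -P) || return 1
    # A private home that is, or contains, the real home hides nothing.
    [ "$real" != "/" ] || { echo "refusing: $dir is /" >&2; return 1; }
    case "$home/" in
        "$real"/*) echo "refusing: $dir exposes your real home" >&2; return 1 ;;
    esac
    # The launcher starts ./steam relative to the private home.
    [ -f "$real/steam" ] && [ -x "$real/steam" ] ||
        { echo "no executable ./steam in $dir" >&2; return 1; }
    printf '%s\n' "$real"
}

run_steam() {
    command -v firejail >/dev/null 2>&1 ||
        { echo "firejail is not installed" >&2; return 1; }
    jail=$(check_private_home "$STEAM_HOME") || return 1
    # Inside the sandbox $HOME is the private directory; start from that path
    # so that ./steam resolves there.
    cd "$HOME" || return 1
    # --private=DIR tells Firejail to use DIR as the home directory.
    exec firejail --private="$jail" ./steam "$@"
}

# Launch only when run as runsteam.sh, so the checks can be sourced and tested.
case "${0##*/}" in
    runsteam.sh) run_steam "$@" ;;
esac
```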
Steam (or game) does not start
If Steam refuses to start or some game refuses to play, look for an error message in the terminal. Somewhere between the heap of "expected" error messages, there is often a message that reveals the cause of the problem. A common problem is a missing library (missing libXYZ.so). In that case, figure out which Debian package contains that library file and use apt to install the i386-version of the package.
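One way to pull the missing library names out of the heap of terminal output, as an added example that is not part of the original article. It matches the dynamic loader's "error while loading shared libraries" message and the "=> not found" lines printed by ldd; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list libraries that the
# dynamic loader or ldd reports as missing. Reads log text on stdin.
missing_libs() {
    sed -n \
        -e 's/.*error while loading shared libraries: \([^:]*\): cannot open shared object file.*/\1/p' \
        -e 's/^[[:space:]]*\([^[:space:]]\{1,\}\) => not found.*/\1/p' |
        LC_ALL=C sort -u
}

# Print the next step for each missing library. Nothing is installed here;
# PACKAGE stands for whatever package apt-file reports.
suggest_fix() {
    missing_libs | while IFS= read -r lib; do
        echo "$lib: find the package with 'apt-file search $lib', then install PACKAGE:i386"
    done
}

# Constructed sample of terminal output, for illustration only.
SAMPLE_LOG='ExampleGame: error while loading shared libraries: libpulse.so.0: cannot open shared object file: No such file or directory
    libXtst.so.6 => not found
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d00000)
ExampleGame: error while loading shared libraries: libpulse.so.0: cannot open shared object file: No such file or directory'
```

After sourcing the file, pipe a saved terminal log into suggest_fix, or pipe the output of ldd on a game binary into missing_libs.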
Does sound work outside the Firejail? Does sound work from a shell prompt inside the Firejail? (Try playing an MP3 with mplayer). I had an issue with .asoundrc unrelated to Steam or Firejail.