github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1581] Authentication in Firefox does not work #1053

New issue
Closed
opened 2026-05-05 07:22:01 -06:00 by gitea-mirror · 14 comments
gitea-mirror commented 2026-05-05 07:22:01 -06:00
Owner
Copy link

Originally created by @derba on GitHub (Sep 29, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1581

I visited a site (I am not allowed to give you exact name, unfortunately) where Firefox stops responding. When run Firefox without Firejail then the page works fine, makes a pop up authentication window appear. That window is a real window, not an HTML one. When I removed seccomp line from firefox.profile that page works fine in Firefox even with Firejail.

In Chromium that page works fine. Well, there is no seccomp in chromium.profile by default. Actually Chromium does not even start up with seccomp. That is a good reason to prefer Firefox.

This is not a bug, I think, just FYI.

Originally created by @derba on GitHub (Sep 29, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1581 I visited a site (I am not allowed to give you exact name, unfortunately) where Firefox stops responding. When run Firefox without Firejail then the page works fine, makes a pop up authentication window appear. That window is a real window, not an HTML one. When I removed seccomp line from firefox.profile that page works fine in Firefox even with Firejail. In Chromium that page works fine. Well, there is no seccomp in chromium.profile by default. Actually Chromium does not even start up with seccomp. That is a good reason to prefer Firefox. This is not a bug, I think, just FYI.
gitea-mirror 2026-05-05 07:22:01 -06:00
gitea-mirror commented 2026-05-05 07:22:05 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 29, 2017):

Which versions of Firefox and Firejail do you use? There was a problem with the default seccomp filter and Firefox Nightly that got fixed in Firejail 0.9.50.

Failing that, and without wanting to lure you into making sensitive information public, would it be possible to share some more information with us, like for example if there is a browser extension or a plugin involved?

Regarding your note about Chromium: It comes already with a built-in sandbox, and the Firejail seccomp filter prevents Chromium from setting it up. Thanks to its own sandbox, firejailed Chromium is about as not less safe than a firejailed Firefox. If you are interested in some more technical details, take a peek at #554.

<!-- gh-comment-id:333134678 --> @smitsohu commented on GitHub (Sep 29, 2017): Which versions of Firefox and Firejail do you use? There was a problem with the default seccomp filter and Firefox Nightly that got fixed in [Firejail 0.9.50](https://sourceforge.net/projects/firejail/files/firejail/). Failing that, and without wanting to lure you into making sensitive information public, would it be possible to share some more information with us, like for example if there is a browser extension or a plugin involved? Regarding your note about Chromium: It comes already with a built-in sandbox, and the Firejail seccomp filter prevents Chromium from setting it up. Thanks to its own sandbox, firejailed Chromium is ~~about as~~ not less safe than a firejailed Firefox. If you are interested in some more technical details, take a peek at #554.
gitea-mirror commented 2026-05-05 07:22:06 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Oct 1, 2017):

@smitsohu

Regarding your note about Chromium: It comes already with a built-in sandbox, and the Firejail seccomp filter prevents Chromium from setting it up.

As mentioned in #554 that depends on the distro and on how the kernel is configured. FWIW, on my Fedora 26 system it works with:

seccomp.keep access,arch_prctl,bind,brk,capget,capset,chdir,chmod,chroot,clock_getres,clone,close,connect,creat,dup,dup2,epoll_create,epoll_ctl,epoll_wait,eventfd2,execve,faccessat,fadvise64,fchmod,fcntl,fdatasync,fstat,fstatfs,ftruncate,futex,getdents,getdents64,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getpriority,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,kill,listen,lseek,lstat,madvise,memfd_create,mkdir,mmap,mprotect,munmap,nanosleep,newfstatat,open,openat,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rmdir,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_getscheduler,sched_setscheduler,sched_yield,seccomp,select,sendmsg,sendto,setpriority,setrlimit,set_robust_list,setsockopt,set_tid_address,shutdown,socket,socketpair,stat,statfs,symlink,sysinfo,umask,uname,unlink,unshare,wait4,waitid,write,writev,setresuid,setresgid,exit_group,tgkill,exit,utimensat,personality,setxattr,mremap,clock_gettime,fchown,getcwd,prlimit64,fallocate,msync

caps.drop all

noroot
nogroups
nonewprivs

private-dev

shell none
ipc-namespace
machine-id

Thanks to its own sandbox, firejailed Chromium is not less safe than a firejailed Firefox.

I disagree. As mentioned here, only the renderer processes are sandboxed in Chromium but the broker process is not. With Firejail it is, though, which means that Chromium is much better confined than it is out of the box.

<!-- gh-comment-id:333368678 --> @curiosity-seeker commented on GitHub (Oct 1, 2017): @smitsohu > Regarding your note about Chromium: It comes already with a built-in sandbox, and the Firejail seccomp filter prevents Chromium from setting it up. As mentioned in #554 that depends on the distro and on how the kernel is configured. FWIW, on my Fedora 26 system it works with: ``` seccomp.keep access,arch_prctl,bind,brk,capget,capset,chdir,chmod,chroot,clock_getres,clone,close,connect,creat,dup,dup2,epoll_create,epoll_ctl,epoll_wait,eventfd2,execve,faccessat,fadvise64,fchmod,fcntl,fdatasync,fstat,fstatfs,ftruncate,futex,getdents,getdents64,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getpriority,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,kill,listen,lseek,lstat,madvise,memfd_create,mkdir,mmap,mprotect,munmap,nanosleep,newfstatat,open,openat,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rmdir,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_getscheduler,sched_setscheduler,sched_yield,seccomp,select,sendmsg,sendto,setpriority,setrlimit,set_robust_list,setsockopt,set_tid_address,shutdown,socket,socketpair,stat,statfs,symlink,sysinfo,umask,uname,unlink,unshare,wait4,waitid,write,writev,setresuid,setresgid,exit_group,tgkill,exit,utimensat,personality,setxattr,mremap,clock_gettime,fchown,getcwd,prlimit64,fallocate,msync caps.drop all noroot nogroups nonewprivs private-dev shell none ipc-namespace machine-id ``` > Thanks to its own sandbox, firejailed Chromium is not less safe than a firejailed Firefox. I disagree. As mentioned [here](https://github.com/netblue30/firejail/issues/554#issuecomment-303071330), only the renderer processes are sandboxed in Chromium but the broker process is not. With Firejail it is, though, which means that Chromium is much better confined than it is out of the box.
gitea-mirror commented 2026-05-05 07:22:08 -06:00
Author
Owner
Copy link

@derba commented on GitHub (Oct 2, 2017):

Sorry, I forgot to add details. I use Fedora 26, and... I just tried to find my firejail version using rpm when I realized that I compiled it from git source back in April. I completely forgot about that, since I am used to get the latest version by upgrading. It is shocking that Fedora (unlike Ubuntu) does not ship such a very basic tool. I cannot imagine a desktop without it.

<!-- gh-comment-id:333546832 --> @derba commented on GitHub (Oct 2, 2017): Sorry, I forgot to add details. I use Fedora 26, and... I just tried to find my firejail version using rpm when I realized that I compiled it from git source back in April. I completely forgot about that, since I am used to get the latest version by upgrading. It is shocking that Fedora (unlike Ubuntu) does not ship such a very basic tool. I cannot imagine a desktop without it.
gitea-mirror commented 2026-05-05 07:22:10 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Oct 2, 2017):

@derba I was actually recently looking into what it would take to get Firejail in the official Fedora repos, but it seems to be quite a lot of work.

https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
https://fedoraproject.org/wiki/Packaging:Guidelines

And you can thank @reinerh for Firejail being in Debian and its derivatives.

To confirm though assuming you've now updated to 0.9.50, is this still an issue?

<!-- gh-comment-id:333549007 --> @SkewedZeppelin commented on GitHub (Oct 2, 2017): @derba I was actually recently looking into what it would take to get Firejail in the official Fedora repos, but it seems to be quite a lot of work. https://fedoraproject.org/wiki/Join_the_package_collection_maintainers https://fedoraproject.org/wiki/Packaging:Guidelines And you can thank @reinerh for Firejail being in Debian and its derivatives. To confirm though assuming you've now updated to 0.9.50, is this still an issue?
gitea-mirror commented 2026-05-05 07:22:11 -06:00
Author
Owner
Copy link

@derba commented on GitHub (Oct 2, 2017):

I pulled the latest master, compiled and installed it.

$ firejail --version
firejail version 0.9.51

Still, the issue seems to be reproducible. Is there any way I could help finding out what is going on?

<!-- gh-comment-id:333552687 --> @derba commented on GitHub (Oct 2, 2017): I pulled the latest master, compiled and installed it. ``` $ firejail --version firejail version 0.9.51 ``` Still, the issue seems to be reproducible. Is there any way I could help finding out what is going on?
gitea-mirror commented 2026-05-05 07:22:13 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Oct 2, 2017):

@derba Do you find something in your syslog? Instructions here in the syslog section.

<!-- gh-comment-id:333578307 --> @smitsohu commented on GitHub (Oct 2, 2017): @derba Do you find something in your syslog? Instructions [here](https://firejail.wordpress.com/documentation-2/seccomp-guide) in the syslog section.
gitea-mirror commented 2026-05-05 07:22:14 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Oct 2, 2017):

@curiosity-seeker You're right in all your points, but reading the OP it looks that Chromium is setting up SUID jails here, so important Firejail features are not available for the broker process, and the conclusion which browser has better confinement is not as straightforward as in your case.

But agreed that Chromium with Firejail is always better than Chromium without, even more so if you can install ipc- and network namespaces.

<!-- gh-comment-id:333591796 --> @smitsohu commented on GitHub (Oct 2, 2017): @curiosity-seeker You're right in all your points, but reading the OP it looks that Chromium is setting up SUID jails here, so important Firejail features are not available for the broker process, and the conclusion which browser has better confinement is not as straightforward as in your case. But agreed that Chromium with Firejail is always better than Chromium without, even more so if you can install ipc- and network namespaces.
gitea-mirror commented 2026-05-05 07:22:16 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Oct 3, 2017):

@derba : Since you're using Fedora you can simply execute

journalctl -e | grep syscall

followed by

firejail --debug-syscalls | grep xxx

where xxx is the syscall number shown in the journal.

Hint: As I'm a lazy bugger I've added those aliases to ~/.bashrc in order to simplify these things:

alias jcsys="journalctl -e | grep syscall"
alias firesys="firejail --debug-syscalls | grep"
<!-- gh-comment-id:333804757 --> @curiosity-seeker commented on GitHub (Oct 3, 2017): @derba : Since you're using Fedora you can simply execute `journalctl -e | grep syscall` followed by `firejail --debug-syscalls | grep xxx` where xxx is the syscall number shown in the journal. Hint: As I'm a lazy bugger I've added those aliases to ~/.bashrc in order to simplify these things: ``` alias jcsys="journalctl -e | grep syscall" alias firesys="firejail --debug-syscalls | grep" ```
gitea-mirror commented 2026-05-05 07:22:17 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Oct 3, 2017):

@smitsohu

but reading the OP it looks that Chromium is setting up SUID jails here, so important Firejail features are not available for the broker process,

@derba also uses Fedora 26 (like myself), and chrome://sandbox/ reports that SUID is not used but a namespace sandbox. So my settings above should also work for him.

Btw., even with a SUID jail the filesystem container would still apply. This is probably what @netblue30 was referring to when he once wrote:

The funny part is Chromium browser sandboxes itself in its own Linux namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open.

The last sentence obviously applies to the broker process.

<!-- gh-comment-id:333807435 --> @curiosity-seeker commented on GitHub (Oct 3, 2017): @smitsohu > but reading the OP it looks that Chromium is setting up SUID jails here, so important Firejail features are not available for the broker process, @derba also uses Fedora 26 (like myself), and `chrome://sandbox/` reports that SUID is **not** used but a namespace sandbox. So my settings above should also work for him. Btw., even with a SUID jail the [filesystem container](https://firejail.wordpress.com/features-3/) would still apply. This is probably what @netblue30 was referring to when he once [wrote](https://l3net.wordpress.com/2014/09/19/firejail-a-security-sandbox-for-mozilla-firefox/): > The funny part is Chromium browser sandboxes itself in its own Linux namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open. The last sentence obviously applies to the broker process.
gitea-mirror commented 2026-05-05 07:22:18 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Oct 4, 2017):

@curiosity-seeker all you write looks pretty uncontroversial to me, and if @derba can install a seccomp filter for Chromium, the better.

But one final question, you got me curious. Do we have disagreement on

important Firejail features are not available for the broker process

when renderer processes run in SUID jails?

<!-- gh-comment-id:334141698 --> @smitsohu commented on GitHub (Oct 4, 2017): @curiosity-seeker all you write looks pretty uncontroversial to me, and if @derba can install a seccomp filter for Chromium, the better. But one final question, you got me curious. Do we have disagreement on > important Firejail features are not available for the broker process when renderer processes run in SUID jails?
gitea-mirror commented 2026-05-05 07:22:20 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Oct 4, 2017):

@smitsohu : No, we don't disagree here ;-)

<!-- gh-comment-id:334145875 --> @curiosity-seeker commented on GitHub (Oct 4, 2017): @smitsohu : No, we don't disagree here ;-)
gitea-mirror commented 2026-05-05 07:22:21 -06:00
Author
Owner
Copy link

@derba commented on GitHub (Oct 10, 2017):

journalctl printout:

Oct 10 17:05:47 localhost.localdomain audit[11912]: SECCOMP auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=11912 comm=4C617A792049646C65 exe="/usr/lib64/firefox/firefox" sig=31 arch=c000003e syscall=250 compat=0 ip=0x7f67d7dfa559 code=0x0

$ firejail --debug-syscalls | grep 250
250 - keyctl

<!-- gh-comment-id:335506586 --> @derba commented on GitHub (Oct 10, 2017): journalctl printout: Oct 10 17:05:47 localhost.localdomain audit[11912]: SECCOMP auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=11912 comm=4C617A792049646C65 exe="/usr/lib64/firefox/firefox" sig=31 arch=c000003e syscall=250 compat=0 ip=0x7f67d7dfa559 code=0x0 $ firejail --debug-syscalls | grep 250 250 - keyctl
gitea-mirror commented 2026-05-05 07:22:23 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Oct 10, 2017):

Cool. Now it is easy. Just replace in firefox.profile seccomp with the following long line:

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

which blacklists all syscalls from the default filter but not keyctl, and you're ready to go.

<!-- gh-comment-id:335622098 --> @smitsohu commented on GitHub (Oct 10, 2017): Cool. Now it is easy. Just replace in firefox.profile `seccomp` with the following long line: `seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice` which blacklists all syscalls from the default filter but not keyctl, and you're ready to go.
gitea-mirror commented 2026-05-05 07:22:24 -06:00
Author
Owner
Copy link

@derba commented on GitHub (Oct 17, 2017):

@SpotComms I see that it would be a burden to be on official package maintainer. After all, Firejail missing makes Fedora as well as CentOS and RHEL inferior to Debian-based distros. So it is the job of RH to fix their distro to fit corporation desktop space.

Well, in that aspect Windows does not fit for commercial use either. BTW, I had a chance to speak to a renowned Windows security expert and I mentioned Firejail. He admitted that using Windows is a huge risk compared to Linux + Firejail. (Not to mention the hordes of outdated sw and horrible update services running as admin on Windows, compared to Linux package management.)

But what about RPM Fusion? Is their policy horrible, too?

<!-- gh-comment-id:337157851 --> @derba commented on GitHub (Oct 17, 2017): @SpotComms I see that it would be a burden to be on official package maintainer. After all, Firejail missing makes Fedora as well as CentOS and RHEL inferior to Debian-based distros. So it is the job of RH to fix their distro to fit corporation desktop space. Well, in that aspect Windows does not fit for commercial use either. BTW, I had a chance to speak to a renowned Windows security expert and I mentioned Firejail. He admitted that using Windows is a huge risk compared to Linux + Firejail. (Not to mention the hordes of outdated sw and horrible update services running as admin on Windows, compared to Linux package management.) But what about RPM Fusion? Is their policy horrible, too?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1053
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?