[GH-ISSUE #1652] Odd behaviour with --x11=xorg under GNOME 3 / gdm #1114

Open
opened 2026-05-05 07:29:00 -06:00 by gitea-mirror · 3 comments

Originally created by @sakaki- on GitHub (Nov 17, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1652

Hi, as I mentioned in #1600 I am putting together an addition to my [EFI Install Guide](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide) regarding the use of an X11-sandboxed (Xephyr) sandbox for use with firefox.

I now have a configuration that works even with WiFi interfaces, using the bridge configuration suggested in your answer to #1600, so thanks for that.

However, having read about the `--x11=xorg` option in the `firejail` manpage, I thought I'd give that a try too, since it would be much simpler to set up for most users. I recompiled my X server using the `xcsecurity` USE flag (I use Gentoo), restarted, and then tried to see if e.g. `xinput` would be blocked from scanning keyboard input when untrusted, as it should be. However, starting `bash` under the `firefox` profile with `--x11=xorg` did **not** give the expected results:

```console
sakaki@koneko ~ $ firejail --noblacklist=/usr/bin/xinput --x11=xorg --profile=/etc/firejail/firefox.profile bash
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Warning: noroot option is not available
Parent pid 14162, child pid 14163
Blacklist violations are logged to syslog
Using authority file /tmp/.tmpXauth-lEOGMj
authorization id is 1452
Writing authority file /tmp/.tmpXauth-lEOGMj
Child process initialized in 192.68 ms
sakaki@koneko ~ $ xinput list
⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer              	id=4	[slave  pointer  (2)]
⎜   ↳ HID 04b4:0033                           	id=8	[slave  pointer  (2)]
⎣ Virtual core keyboard                   	id=3	[master keyboard (2)]
    ↳ Virtual core XTEST keyboard             	id=5	[slave  keyboard (3)]
    ↳ Power Button                            	id=6	[slave  keyboard (3)]
    ↳ Power Button                            	id=7	[slave  keyboard (3)]
    ↳ Logitech USB Keyboard                   	id=9	[slave  keyboard (3)]
    ↳ Logitech USB Keyboard                   	id=10	[slave  keyboard (3)]
```

Other commands, such as `xinput test 9`, worked too. So (still in the sandbox) I tried:

```console
sakaki@koneko ~ $ xauth -v list
Using authority file /run/user/1000/gdm/Xauthority
<snip>
```

Note that `/run/user/1000/gdm/Xauthority` is _not_ the `~/.Xauthority` path that `firejail` bind mounts its untrusted xauthority into: https://github.com/netblue30/firejail/blob/a1530b3f530f8c527b7dbaf912d528d351454cb5/src/firejail/x11.c#L1195-L1217

I am running a GNOME 3 desktop, with `gdm` as the login manager. The above `/run/user/1000/gdm/Xauthority` is still present (not blacklisted) in the sandbox environment, and selected by default as the `XAUTHORITY`:

```console
sakaki@koneko ~ $ # still in the sandbox
sakaki@koneko ~ $ env | grep XAUTHORITY
XAUTHORITY=/run/user/1000/gdm/Xauthority
sakaki@koneko ~ $ ls -l .Xauthority # NB this untrusted auth file is present, but not used
-rw------- 1 sakaki sakaki 50 Nov 17 18:49 .Xauthority
sakaki@koneko ~ $ ls -l /run/user/1000/gdm/Xauthority
-rwx------ 1 sakaki sakaki 98 Nov 17 17:30 /run/user/1000/gdm/Xauthority
```

Trying to force the issue seemed to work (above sandbox was closed first):

```console
sakaki@koneko ~ $ firejail --noblacklist=/usr/bin/xinput --x11=xorg --env=XAUTHORITY="${HOME}/.Xauthority" --blacklist="${XAUTHORITY}" --profile=/etc/firejail/firefox.profile bash
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Warning: noroot option is not available
Parent pid 14227, child pid 14228
Blacklist violations are logged to syslog
Using authority file /tmp/.tmpXauth-AgCr9y
authorization id is 1455
Writing authority file /tmp/.tmpXauth-AgCr9y
Child process initialized in 153.40 ms
sakaki@koneko ~ $ xinput list
X Input extension not available.
```

But appeared to be easily overridden in the sandbox (even though `/run/user/1000/gdm/Xauthority` was inaccessible now), by simply blanking the environment variable:

```console
sakaki@koneko ~ $ # still in the sandbox
sakaki@koneko ~ $ XAUTHORITY="" xinput list
⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer              	id=4	[slave  pointer  (2)]
⎜   ↳ HID 04b4:0033                           	id=8	[slave  pointer  (2)]
⎣ Virtual core keyboard                   	id=3	[master keyboard (2)]
    ↳ Virtual core XTEST keyboard             	id=5	[slave  keyboard (3)]
    ↳ Power Button                            	id=6	[slave  keyboard (3)]
    ↳ Power Button                            	id=7	[slave  keyboard (3)]
    ↳ Logitech USB Keyboard                   	id=9	[slave  keyboard (3)]
    ↳ Logitech USB Keyboard                   	id=10	[slave  keyboard (3)]
```

Anyway, as I said I have a working `xephyr` setup that I'm writing up now, but thought this might be useful info to pass on, as there have been a few other reports of `--x11=xorg` not behaving quite as expected (e.g. https://github.com/netblue30/firejail/issues/57#issuecomment-266254926).

I am running version 0.9.50 of `firejail` from the standard Gentoo repos.

gitea-mirror added the enhancement label 2026-05-05 07:29:00 -06:00

@SkewedZeppelin commented on GitHub (Nov 17, 2017):

An easier solution* is to simply run GNOME under Wayland. Wayland adds a decent amount of separation, however a lot of the community always says it's useless since the apps aren't sandboxed. But Wayland + Firejail makes for an **awesome** combination.

Be warned though that even under Wayland, legacy X apps will still be able to see the input of other X apps (since they all share a single Xwayland process). E.g. if you're playing a proprietary game, its anticheat might key-log what you type into Chromium, but at least it can't capture your screen (I think).

You can see what apps are currently using X by running `xlsclients`.


@sakaki- commented on GitHub (Nov 17, 2017):

@SpotComms, thanks for the tip. My guide is currently oriented towards those using GNOME on X11, but I will probably migrate it to cover Wayland at some point in the future.

That being said, the `xephyr` approach works well enough; the point of filing this issue is really to point out that for GNOME 3 / `gdm` at least, the user's xauthority file is **not** in the `~/.Xauthority` location that `firejail` expects (and bind-mounts a freshly created, untrusted `.Xauthority` over when `--x11=xorg` is specified), nor is the actual `gdm` xauthority path (`/run/user/<uid>/gdm/Xauthority`) blacklisted, so people may get a false sense of security. Perhaps a warning could be printed if using `--x11=xorg` and the environment `$XAUTHORITY` is not pointing to the expected path.
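
The warning proposed in the comment above can be approximated outside firejail as a pre-flight check run before `firejail --x11=xorg`. This is an added example, not part of the thread and not firejail's own code; the function names `canon` and `xauth_check`, their return codes and the demo directory tree are constructed for illustration. It assumes libXau's behaviour of falling back to `$HOME/.Xauthority` when `XAUTHORITY` is unset.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `firejail --x11=xorg`.
# Names, return codes and the demo layout are constructed for illustration.

# canon PATH: physical absolute form of PATH's directory ("..", "//" and
# directory symlinks resolved) plus its basename. Fails if the directory
# does not exist. A symlink in the final component is not followed.
canon() {
    _dir=$(CDPATH= cd -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "${_dir%/}" "$(basename -- "$1")"
}

# xauth_check VALUE HOME_DIR
#   0  VALUE is HOME_DIR/.Xauthority, the file firejail bind-mounts over
#   1  VALUE names another file (e.g. /run/user/<uid>/gdm/Xauthority)
#   2  VALUE is empty, so HOME_DIR/.Xauthority is not selected
#   3  HOME_DIR could not be resolved
xauth_check() {
    _value=$1 _home=$2
    if [ -z "$_value" ]; then
        echo "warning: XAUTHORITY is empty; $_home/.Xauthority is not selected" >&2
        return 2
    fi
    _expected=$(canon "$_home/.Xauthority") || return 3
    _actual=$(canon "$_value") || _actual=$_value
    if [ "$_actual" != "$_expected" ]; then
        echo "warning: XAUTHORITY=$_value is not $_expected;" \
             "X clients will not use the untrusted cookie" >&2
        return 1
    fi
    return 0
}

# Real use: ${VAR-default} substitutes only when XAUTHORITY is unset (libXau
# then falls back to $HOME/.Xauthority); an empty value is passed through.
#   xauth_check "${XAUTHORITY-$HOME/.Xauthority}" "$HOME" || exit 1

# Demo on a constructed directory tree mirroring the paths in this issue.
demo() {
    _t=$(mktemp -d) || return 3
    mkdir -p "$_t/home/sakaki" "$_t/run/user/1000/gdm"
    for _v in "$_t/home/sakaki/.Xauthority" "$_t/run/user/1000/gdm/Xauthority" ""; do
        _rc=0; xauth_check "$_v" "$_t/home/sakaki" 2>/dev/null || _rc=$?
        printf '%s -> %s\n' "${_v:-<empty>}" "$_rc"
    done
    rm -rf "$_t"
}
demo
```

A passing check only shows that clients will pick up the untrusted cookie by default; as the issue's last console session shows, the variable can still be changed from inside the sandbox.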


@smitsohu commented on GitHub (Oct 8, 2019):

Hm, turns out the experimental fix b35c000fee is broken as well.

I was under the impression I had it working 😕

~~I'll probably have to revert it.~~ Even though some issues remain, the fix IMHO is a step in the right direction, so not reverting
