[GH-ISSUE #1951] Firejail breaks enigmail in Thunderbird #1308

Closed
opened 2026-05-05 07:50:22 -06:00 by gitea-mirror · 7 comments

Originally created by @frank-github on GitHub (May 20, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1951

debian 9
firejail version 0.9.54-1 (stretch-backports)
thunderbird 52.7
enigmail 1.9.9

nodbus in firefox-common.profile prevents use of enigmail in thunderbird.
Created my own copy of thunderbird and firefox-common in ~/.config/firejail, commented out the nodbus option, and enigmail and thunderbird work together fine again.


@fuelflo commented on GitHub (May 28, 2018):

+1 same issue.

With **nodbus** commented out it works. When nodbus is enabled (as per standard in firefox-common.profile) I'll get the following errors upon starting thunderbird:

```
(thunderbird:7): GConf-WARNING **: 21:37:53.036: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

(thunderbird:7): LIBDBUSMENU-GLIB-WARNING **: 21:37:53.052: Unable to get session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”
```

Which leads to enigmail not being able to find the secret GPG key to decrypt messages.

> Error - no matching secret key found to decrypt message gpg: decryption failed: No secret key

Sending encrypted mails using public keys, however, seems to work.

Ubuntu 18.04
Kernel 4.17.0-041700rc7-generic
firejail version 0.9.54
Thunderbird 57.0
Enigmail 2.0.5
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1


@HidingCherry commented on GitHub (Jul 30, 2018):

Adding **ignore nodbus** to the thunderbird.profile works for me.
Thanks for your tip :)

Don't forget that the *.profile files will be overwritten with the next update.
It is safer to use thunderbird.local instead.


@matu3ba commented on GitHub (Aug 30, 2018):

Ubuntu 18.04.1 LTS
firejail version 0.9.56~rc1
Thunderbird 52.9.1
Enigmail Version 2.0.8 (20180804-1515)
This issue still occurs on default master.
@Loader009
Adding default `ignore nodbus` might not be the best idea, as discussed in #796.
This is very inconvenient.


@ghost commented on GitHub (Sep 3, 2018):

Confirming that `ignore nodbus` seems to work as a workaround.

@matu3ba
I tried to read the thread under #796 but it was not really clear to me how to implement a better workaround.

Also there was a mention recently

> Since we have nodbus now to block dbus access, I'll close this.

So the problem of using `nodbus` is resolved? 🤔

--
Environment
debian testing, thunderbird v60.0,


@HidingCherry commented on GitHub (Sep 3, 2018):

Using `ignore nodbus` is a security risk, which you should be aware of before using it.
As far as I understood, the app can escape the sandbox if _dbus_ is accessible.


@chiraag-nataraj commented on GitHub (Oct 3, 2018):

`dbus` is much _less_ of a security risk now that `systemd` devs coerced them into using regular sockets again 😂. But yes, it's true that with `dbus`, a program can escape the sandbox, since it can send messages to other programs which are running outside the sandbox. You can also try changing the pinentry program (it seems that `pinentry-gnome3` might throw a hissy-fit when `DBUS_SESSION_BUS_ADDRESS` is not set, while `pinentry-gtk2` shouldn't care?). Anyway, I don't think disabling `nodbus` by default is a great idea, but we can certainly document it in the profile.


@chiraag-nataraj commented on GitHub (Dec 9, 2018):

Let me document it and close this, since the solution has apparently been found for the issue.
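
An added example, not part of the original thread and not firejail code: a shell function that audits a firejail user config directory for the two workarounds discussed above (`ignore nodbus` in an override file, or a copied profile with `nodbus` commented out), so that weakened D-Bus isolation does not go unnoticed. The function names, finding labels and sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not firejail code): audit a firejail user config directory
# for overrides that turn D-Bus blocking back off.

# audit_dbus_overrides DIR  -> one finding per line on stdout:
#   IGNORE_NODBUS <file>:<line>     "ignore nodbus" cancels the nodbus command
#   NODBUS_COMMENTED <file>:<line>  nodbus commented out in a copied profile
#   PROFILE_COPY <file>             user copy of a *.profile (misses package updates)
audit_dbus_overrides() {
    local dir=$1 f n
    for f in "$dir"/*.local "$dir"/*.profile; do
        [ -f "$f" ] || continue
        case $f in *.profile) echo "PROFILE_COPY $f" ;; esac
        grep -nE '^[[:space:]]*ignore[[:space:]]+nodbus[[:space:]]*$' "$f" |
            while IFS=: read -r n _; do echo "IGNORE_NODBUS $f:$n"; done
        grep -nE '^[[:space:]]*#+[[:space:]]*nodbus[[:space:]]*$' "$f" |
            while IFS=: read -r n _; do echo "NODBUS_COMMENTED $f:$n"; done
    done
    return 0
}

# make_sample_dir -> prints the path of a temp dir holding constructed samples
make_sample_dir() {
    local d
    d=$(mktemp -d)
    # Override file using the workaround from the thread.
    printf '%s\n' '# constructed sample' 'ignore nodbus' > "$d/thunderbird.local"
    # Copied profile with nodbus commented out, as in the original report.
    printf '%s\n' 'caps.drop all' '#nodbus' 'seccomp' > "$d/firefox-common.profile"
    # Unrelated override that must not be flagged.
    printf '%s\n' '# constructed sample' 'ignore private-dev' > "$d/firefox.local"
    echo "$d"
}

sample=$(make_sample_dir)
audit_dbus_overrides "$sample"
rm -rf "$sample"
```

Point the function at `~/.config/firejail` to check real overrides; each finding is a place where the sandboxed application can reach the session bus again.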
