[GH-ISSUE #1955] firejailed thunderbird fails to open links in firejailed chromium #1309

Closed
opened 2026-05-05 07:50:48 -06:00 by gitea-mirror · 11 comments

Originally created by @Tritonio on GitHub (May 23, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1955

Possibly related with issue #555. I'm on Linux Mint 18.3 Sylvia 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I ran the following commands as requested on #555:

```
user@Host ~ $ firemon --list
4230:user:firejail chromium-browser 
4297:user:firejail remmina 
4305:user:firejail mumble 
12808:user:firejail thunderbird 
24638:user:firejail spotify 
user@Host ~ $ firejail --join=12808
Switching to pid 12809, the first child process inside the sandbox
Child process initialized in 23.38 ms
user@Host ~ $ chromium-browser www.google.com
/usr/bin/chromium-browser: line 85: /dev/fd/62: No such file or directory
Trace/breakpoint trap (core dumped)
user@Host ~ $ 
```

I am assuming that I need to allow access to /dev/fd? Not sure why it would be needed in order to open the link though in an existing browser. I cannot cd into the /dev/fd dir btw.

Cheers!

@SkewedZeppelin commented on GitHub (May 23, 2018):

See https://github.com/netblue30/firejail/issues/1770#issuecomment-364498100
tl;dr you basically just need to copy and paste links for Chromium based browsers, or use a Firefox based browser and keep a Firefox window open externally

@curiosity-seeker commented on GitHub (May 25, 2018):

@SkewedZeppelin : I doubt that this fully explains the problem. Yes - I was also affected by this issue when I set Google Chrome as default browser in Fedora for test purposes (normally I'm using Firefox). However, my wife uses Kubuntu with Chrome as default browser - and links clicked in firejailed Thunderbird open in firejailed Chrome without any problem. So there are obviously other aspects to consider. I haven't found the time yet to find out why both systems behave differently.

@smitsohu commented on GitHub (May 26, 2018):

@curiosity-seeker If you're on KDE, you can tell Thunderbird to open links with xdg-open. When Firejail version is the most recent (0.9.54), you additionally need to create /etc/firejail/thunderbird.local with this content:

```
ignore nodbus
# following line is not necessary on some distributions
ignore apparmor
```

Probably won't help @Tritonio though, as this trick doesn't work with desktop environments other than KDE.

@Tritonio commented on GitHub (May 27, 2018):

I tried the instructions here (http://kb.mozillazine.org/Changing_the_web_browser_invoked_by_Thunderbird) to set xdg-open (which exists and works on my system) to open the http(s) links but it still fails to open them...

@curiosity-seeker commented on GitHub (May 28, 2018):

> If you're on KDE, you can tell Thunderbird to open links with xdg-open.

@smitsohu : Thanks for reminding me - that's exactly what I'm [doing](https://github.com/netblue30/firejail/issues/1594#issuecomment-335023546). I had just forgotten to test Chrome as default browser again since I changed to xdg-open. I've done that now - and you are right: it works!

@smitsohu commented on GitHub (May 29, 2018):

@Tritonio regarding xdg-open, that's usually just a shell script, the magic is taken care of by the KDE backend.

@chiraag-nataraj commented on GitHub (Jul 26, 2018):

Looks like this is resolved, so I'll close it.
[edit] Never mind. It looks like the OP never resolved their issue.

@chiraag-nataraj commented on GitHub (Jul 26, 2018):

@Tritonio I think this seems to be an issue with the way chromium (and related browsers) operate. I'm not entirely sure how chromium checks for a running instance (I know how firefox checks - it looks for a .lock file in the profile directory). If we can figure out how chromium checks for running instances, we can solve this (as well as related) issues. Regardless, though, I would recommend just copy-pasting links - it's a bit of a change in workflow, but it does end up being more secure. The whole point of sandboxing is isolation, and programs trying to call other programs necessitates breaking that isolation. In some cases, it may be acceptable, but I would argue it shouldn't be the default. Yes, it will "break" programs, but those programs are doing unsafe things and crossing security boundaries. Until we have a safe, cross-platform way to call out to other programs, I think the default should be having people copy and pasting links.

@chiraag-nataraj commented on GitHub (Jul 26, 2018):

Even with e.g. xdg-open, since xdg-open will be run within the profile you're using for thunderbird, I suspect you'd have to whitelist more files and directories (possibly ~/.local/share?) - in other words, you'd have to poke more holes in your profile. Again, I understand that this is acceptable for some people, but I don't think this should be done by default. If enough people want or need this feature, we could introduce a new profile option and command-line argument.

@curiosity-seeker commented on GitHub (Aug 4, 2018):

> If you're on KDE, you can tell Thunderbird to open links with xdg-open. When Firejail version is the most recent (0.9.54), you additionally need to create /etc/firejail/thunderbird.local with this content:
> `ignore nodbus`

FYI, I've been using my own Thunderbird profile for a long time which does not contain `nodbus`. But recently opening links in Firefox from Thunderbird broke after a KDE update on Fedora 28. After adding `ignore nodbus` to the Firefox profile it works again. I'm mentioning this as the default thunderbird.profile includes firefox.profile. With an individual profile nodbus has to be ignored in both profiles.
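
As an added illustration (not part of the original thread and not Firejail's own code), this Python sketch models how `ignore` and `include` combine, to audit per sandbox whether `nodbus` is still in effect and which restrictions a `.local` file has relaxed. The profile contents are constructed samples, and the order-dependent matching rule is a simplified assumption about how profiles are read.

```python
# Simplified model of Firejail profile reading (an assumption, not Firejail code):
# lines are processed in order, "include" pulls in another file, and
# "ignore X" suppresses matching lines that are read *after* it.
PROFILES = {  # constructed sample contents
    "thunderbird.profile": "include thunderbird.local\ninclude firefox.profile\n",
    "thunderbird.local": "ignore nodbus\nignore apparmor\n",
    "firefox.profile": "include firefox.local\napparmor\nnodbus\nseccomp\n",
    "firefox.local": "",
}

def effective(profile, files, ignored=None, seen=None):
    """Return ([(directive, source file)], [ignore patterns]) for one sandbox."""
    ignored = [] if ignored is None else ignored
    seen = set() if seen is None else seen
    active = []
    if profile in seen or profile not in files:  # include loop or missing file
        return active, ignored
    seen.add(profile)
    for raw in files[profile].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A line is dropped if an earlier "ignore" names it (exact or as prefix).
        if any(line == p or line.startswith(p + " ") for p in ignored):
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):].strip())
        elif line.startswith("include "):
            sub, _ = effective(line.split(None, 1)[1], files, ignored, seen)
            active.extend(sub)
        else:
            active.append((line, profile))
    return active, ignored

def audit(profile, files, directive="nodbus"):
    """Report whether `directive` survives and which restrictions were relaxed."""
    active, ignored = effective(profile, files)
    return {"in_effect": any(d == directive for d, _ in active),
            "relaxed": sorted(ignored)}

if __name__ == "__main__":
    for name in ("thunderbird.profile", "firefox.profile"):
        print(name, audit(name, PROFILES))
```

In this model the Thunderbird sandbox has `nodbus` and `apparmor` relaxed by its `.local`, while a Firefox sandbox started from `firefox.profile` alone still applies `nodbus`.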

@chiraag-nataraj commented on GitHub (May 29, 2019):

This has been inactive for a while and we know what the culprit is. Marking it workaround and closing for now. @Tritonio, please feel free to re-open if you have more questions.
