[GH-ISSUE #1979] [SOLVED] firejail runs sandbox for app that I didn't set to run in firejail #1331

Closed
opened 2026-05-05 07:52:58 -06:00 by gitea-mirror · 11 comments

Originally created by @omega3 on GitHub (Jun 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1979

Is it a bug or a feature?

Kubuntu 14.04

```
firejail --version
firejail version 0.9.54

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - bind support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

which firejail
/usr/bin/firejail
```

I was surprised to discover that firejail runs applications in sandbox that I didn't set it to run, like kate and keepass2. I wasn't able to run keepass2 until I deleted profile in /etc/firejail/.

But deleting profiles to run app is not the best practice. What should be done instead?

```
firejail --list
19700:user2::/usr/bin/firejail /usr/bin/keepass2 
19855:user2:kate:/usr/bin/firejail /usr/bin/kate -b 
20270:user2::/usr/bin/firejail /usr/bin/opera 
21299:user2::/usr/bin/firejail /usr/bin/kate -b 
```

user2 is my second user account not belonging to sudo group.

Keepass should be not only restricted to access outside locations but should be protected to be accessed by keyloggers from outside because of lack of GUI isolation. Is that correct? Can firejail help for this problem?


@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Did you use `firecfg` to set up symlinks in `/usr/local/bin`? What is the output of `which keepass2`?


@omega3 commented on GitHub (Jun 5, 2018):

> Did you use firecfg to set up symlinks in /usr/local/bin?

No. Before updating to the new firejail version I didn't use firejail for keepass2.
Can you tell me how to do it? Is it described somewhere?

```
which keepass2
/usr/local/bin/keepass2
```

I also have to point out that I use keepass2 on my second user account but I did

```
sudo firecfg
```

Then I added all my users to /etc/firejail/firejail.users
So it looks like:

```
user1
user2
```

I also have problems with accessing local profiles that I reported here:
https://github.com/netblue30/firejail/issues/1975


@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Okay, so can you do a `ls -lh /usr/local/bin/keepass2`? I suspect it's linked to `/usr/bin/firejail`. You can run `sudo firecfg --clean` to remove the symlinks created (I think at some point, it _was_ run - maybe not by you, but by the package installer or something?). Regardless, running `sudo firecfg --clean` should fix the issue.


@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Okay, so note that `sudo firecfg` will enable it _globally_, not per user (since the links are set up in `/usr/local/bin`, which takes priority over `/usr/bin` by default in your `$PATH`). If you don't want this, you should either create per-user links (e.g. in `~/bin`) or just run it manually with `firejail`. Or, you could modify the `$PATH` to not look first in `/usr/local/bin`, but that may end up breaking other things.
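
To see which commands this affects on a given machine, the following added example (not part of the original thread and not firejail's own code) walks a search path in order and reports every command whose first hit is a symlink to firejail, together with the unsandboxed binary it shadows. The function names are hypothetical, and it assumes a `readlink` that supports `-f` (GNU coreutils or busybox).

```sh
#!/bin/sh
# Added example: report commands whose first PATH hit is a symlink to firejail.
# Output per line: <command> TAB <symlink> TAB <unsandboxed binary it shadows>
# Usage (after sourcing): firejail_shadowed "$PATH" /usr/bin/firejail

# Print the first executable file named $1 on search path $2.
# If $3 is non-empty, skip candidates that resolve to that file.
first_on_path() {
    _name=$1 _skip=$3
    _old_ifs=$IFS; IFS=:
    set -f; set -- $2; set +f          # split the path on ':' without globbing
    IFS=$_old_ifs
    for _d in "$@"; do
        [ -n "$_d" ] && [ -f "$_d/$_name" ] && [ -x "$_d/$_name" ] || continue
        if [ -n "$_skip" ] && [ "$(readlink -f -- "$_d/$_name")" = "$_skip" ]; then
            continue
        fi
        printf '%s\n' "$_d/$_name"
        return 0
    done
    return 1
}

# $1 = search path to audit, $2 = path to the firejail binary.
firejail_shadowed() {
    fs_path=$1
    fs_fj=$(readlink -f -- "$2") || return 1
    fs_old_ifs=$IFS; IFS=:
    set -f; set -- $fs_path; set +f
    IFS=$fs_old_ifs
    for fs_dir in "$@"; do
        [ -n "$fs_dir" ] || continue
        for fs_link in "$fs_dir"/*; do
            [ -L "$fs_link" ] || continue
            [ "$(readlink -f -- "$fs_link")" = "$fs_fj" ] || continue
            fs_name=${fs_link##*/}
            # Only a symlink that is the first PATH hit is what actually runs.
            [ "$(first_on_path "$fs_name" "$fs_path" "")" = "$fs_link" ] || continue
            fs_real=$(first_on_path "$fs_name" "$fs_path" "$fs_fj") || fs_real="(none)"
            printf '%s\t%s\t%s\n' "$fs_name" "$fs_link" "$fs_real"
        done
    done
    return 0
}
```

Running it once per account with that account's own `$PATH` shows whether the global links in `/usr/local/bin` apply to that user or are overridden by an earlier directory such as `~/bin`.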


@chiraag-nataraj commented on GitHub (Jun 5, 2018):

@netblue30, should we add a non-sudo mode for `firecfg` where the symbolic links are created per-user?


@omega3 commented on GitHub (Jun 5, 2018):

```
ls -lh /usr/local/bin/keepass2
lrwxrwxrwx 1 root root 17 cze  5 09:10 /usr/local/bin/keepass2 -> /usr/bin/firejail
```

> should we add a non-sudo mode for firecfg where the symbolic links are created per-user?

That would be good, I think because I don't use keepass2 on my first (sudo) account. The second user for whom I use keepass2 doesn't belong to sudo group. I want to use local profiles for this account.

Can you write just step by step what I should do, because I am not that fluent in all these technical issues.


@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Okay. To prevent `keepass2` from running through `firejail`, do `sudo rm /usr/local/bin/keepass2`. This will prevent `keepass2` from being started through `firejail`, which should fix your issue. Note that this means that if you _do_ want to run `keepass2` through `firejail`, you will have to explicitly run it as `firejail keepass2`.

As I said above, if you want to prevent `firejail` from running everything it can automatically (`keepass2`, `kate`, etc), run `sudo firecfg --clean`.


@omega3 commented on GitHub (Jun 5, 2018):

Ok. What about this:

Keepass should be not only restricted to access outside locations but should be protected to be accessed by keyloggers from outside because of lack of GUI isolation. Is that correct? Can firejail help for this problem? Can firejail protect programs run in firejail to be accessed from outside?


@chiraag-nataraj commented on GitHub (Jun 5, 2018):

> Keepass should be not only restricted to access outside locations but should be protected to be accessed by keyloggers from outside because of lack of GUI isolation. Is that correct? Can firejail help for this problem?

Sort of. You have graphical isolation through `xpra`, but that only helps when all of your apps are sandboxed in this way. That is, if you have a sandboxed app (e.g. `keepass2`) and a non-sandboxed app (say, your window manager or desktop environment), your window manager (and anything you launch from there, such as a terminal) will be able to access the `keepass2` window. However, if you also launch `firefox` with `xpra` (in a different instance), it won't be able to see the `keepass2` window.

Here's a concrete example that may help.

  1. You log in through your login window as usual. Let's call this X11 screen `:0`.
  2. You now launch `xpra` with a virtual screen of `:100` and start `keepass2` within that. So now, `keepass2` cannot see any windows besides its own (and any other programs you launch within `:100`).
  3. You now launch _another_ `xpra` with a virtual screen of `:200` and start `firefox` within that. So now, `firefox` and `keepass2` cannot see each other (since they are on different [virtual] screens).
  4. _**However**_, if you launch a terminal on `:0`, _it can see both `firefox` and `keepass2`_. The only way to prevent this is to launch literally every program in its own virtual screen.

(I used `xpra` in my example here, but `xephyr` also works)


@chiraag-nataraj commented on GitHub (Jun 7, 2018):

@omega3 Did I answer your question? Any more questions?


@omega3 commented on GitHub (Jun 7, 2018):

> Did I answer your question?

Yes. Thank you.
