[GH-ISSUE #1985] Thunderbird folder whitelisted in Chrome and Firefox #1338

Closed
opened 2026-05-05 07:53:33 -06:00 by gitea-mirror · 5 comments

Originally created by @Futureknows on GitHub (Jun 8, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1985

I noticed the default file access whitelist for Firefox and Chrome includes the /.Thunderbird/ folder.
The Thunderbird folder holds emails as well as passwords to those accounts. Chrome is well known to routinely spy/upload the entire accessible file system.

Is there a particular reason the filesystem for Thunderbird is exposed to vulnerable browsers?

For the time being I blacklist them via command line argument `--blacklist=/.thunderbird/`


@SkewedZeppelin commented on GitHub (Jun 8, 2018):

Neither chromium-common nor firefox-common allows access to Thunderbird's directories in 0.9.54.

Do you have any local files? What is the output of the following?

```
$ ls -lha ~/.config/firejail
$ ls -lha /etc/firejail/*.local
$ ls -lha /usr/local/etc/*.local
```

@Futureknows commented on GitHub (Jun 9, 2018):

I'm running latest 9.5.5 I compiled. No local files. The firefox-common hasn't been touched. Thunderbird folder is located in root. When I blacklist thunderbird on the command line it becomes invisible. After digging a little I noticed even qbittorrent exposes /.thunderbird/ using the Firetools file manager. Something is globally whitelisting /.thunderbird/.

I did a full recursive text content search of /etc/firejail/ and don't see any instances of "/.thunderbird" except in the thunderbird profiles.

```
[user@localhost ~]$ ls -lha ~/.config/firejail
ls: cannot access '/home/user/.config/firejail': No such file or directory

[user@localhost ~]$ ls -lha /etc/firejail/*.local
-rw-r--r--. 1 root root 2 May 26 01:29 /etc/firejail/firefox.local

[user@localhost ~]$ ls -lha /usr/local/etc/*.local
ls: cannot access '/usr/local/etc/*.local': No such file or directory
```


@smitsohu commented on GitHub (Jun 9, 2018):

> For the time being I blacklist them via command line argument --blacklist=/.thunderbird/

> Thunderbird folder is located in root.

The profiles only limit access to default installation paths. If you install it somewhere else, you will need to adjust the profiles yourself.

Do the following: Add `blacklist /.thunderbird` to /etc/firejail/disable-programs.local and `noblacklist /.thunderbird` to /etc/firejail/thunderbird.local.

Alternatively consider moving the thunderbird folder to the default location, which is /home/user/.thunderbird


@Futureknows commented on GitHub (Jun 9, 2018):

Thanks. I noticed on a Mint machine I have an exposed Timeshift in root (whole system backup visible to browsers). I don't recall modifying the default installation path on either install, pretty certain they were default locations from the repos, perhaps I installed them as root user. I'll see about moving them.

So the default file access is restrictive rather than permissive? If I hadn't happened to browse the exposed filesystems these would have gone unnoticed.


@Vincent43 commented on GitHub (Jun 9, 2018):

Whitelisting works per top directory. `/.thunderbird` is a very extraordinary path. If it was blocked then you would complain why your thunderbird isn't working 😄. There are unlimited ways users can configure their systems and firejail tries to be compatible with most configs but some of them are quite unimaginable.
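
An added example, not part of the original thread and not firejail code: a shell check that lists directories sitting directly under `/` outside the usual layout (the situation described above for `/.thunderbird` and the Timeshift backup) and prints candidate `blacklist` lines for review. The function names and the list of standard directory names are assumptions.

```sh
#!/bin/sh
# Added example (not firejail code). Per the thread, the stock profiles only
# limit access to default installation paths; application data placed directly
# under / is not covered by them and stays visible inside the sandbox.

# Assumption: the usual top-level directory names on a Linux system.
STANDARD_TOP="bin boot dev etc home lib lib32 lib64 libx32 lost+found media \
mnt opt proc root run sbin snap srv sys tmp usr var"

# Print the names of real (non-symlink) directories at the top of $1
# (default /) that are not in STANDARD_TOP, hidden ones included.
find_nonstandard_top() {
    root=${1:-/}
    root=${root%/}              # "/" becomes "", so the globs read "/*"
    for entry in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        # Skip unmatched glob patterns, plain files and symlinks.
        [ -d "$entry" ] && [ ! -L "$entry" ] || continue
        name=${entry##*/}
        case " $STANDARD_TOP " in
            *" $name "*) continue ;;
        esac
        printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Turn each finding into a candidate line for
# /etc/firejail/disable-programs.local. Review before adding: the program
# that owns the directory needs a matching "noblacklist" line in its own
# .local file, as described in the thread for thunderbird.local.
suggest_blacklist() {
    find_nonstandard_top "$1" | while IFS= read -r name; do
        printf 'blacklist /%s\n' "$name"
    done
}

# Audit the real root, or a directory given as the first argument.
suggest_blacklist "${1:-/}"
```
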
