github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2062] keepassxc: single-instance option does not work (private-tmp) #1390

New issue
Closed
opened 2026-05-05 08:02:28 -06:00 by gitea-mirror · 21 comments
gitea-mirror commented 2026-05-05 08:02:28 -06:00
Owner
Copy link

Originally created by @t4777sd on GitHub (Jul 24, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2062

The private-tmp feature breaks the keep in single-instance option of keepass. It writes to that directory a lock file / socket. And, since it is private, a new instance cannot read it and thus launches. It would be nice to fix the profile to not do this so features remain the same.

Until that is done is there is a way to fix this in keepassxc.local without editing the original profile?

Originally created by @t4777sd on GitHub (Jul 24, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/2062 The private-tmp feature breaks the keep in single-instance option of keepass. It writes to that directory a lock file / socket. And, since it is private, a new instance cannot read it and thus launches. It would be nice to fix the profile to not do this so features remain the same. Until that is done is there is a way to fix this in keepassxc.local without editing the original profile?
gitea-mirror 2026-05-05 08:02:28 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:02:35 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Jul 24, 2018):

You can use ignore private-tmp

<!-- gh-comment-id:407581324 --> @SkewedZeppelin commented on GitHub (Jul 24, 2018): You can use `ignore private-tmp`
gitea-mirror commented 2026-05-05 08:02:37 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 29, 2018):

@t4777sd Does it write to specific directory within /tmp? If so, we can whitelist that specific directory instead of using private-tmp.

<!-- gh-comment-id:408667218 --> @chiraag-nataraj commented on GitHub (Jul 29, 2018): @t4777sd Does it write to specific directory within `/tmp`? If so, we can whitelist that specific directory instead of using `private-tmp`.
gitea-mirror commented 2026-05-05 08:02:39 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 29, 2018):

Or if we used mkfile to touch those files, could we then whitelist those specific files? It would be nice to keep the isolating properties of private-tmp.

<!-- gh-comment-id:408667290 --> @chiraag-nataraj commented on GitHub (Jul 29, 2018): Or if we used `mkfile` to touch those files, could we then whitelist those specific files? It would be nice to keep the isolating properties of `private-tmp`.
gitea-mirror commented 2026-05-05 08:02:41 -06:00
Author
Owner
Copy link

@t4777sd commented on GitHub (Jul 29, 2018):

It writes to the following

/tmp/keepassxc-[user].lock
/tmp/keepassxc-[user].socket

Replace [user] by the current user so if that is dan it would be keepassxc-dan.lock

<!-- gh-comment-id:408710933 --> @t4777sd commented on GitHub (Jul 29, 2018): It writes to the following /tmp/keepassxc-[user].lock /tmp/keepassxc-[user].socket Replace [user] by the current user so if that is dan it would be keepassxc-dan.lock
gitea-mirror commented 2026-05-05 08:02:42 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 29, 2018):

Hmm, if we implement variables ${USER} and ${UID} (which was suggested on an issue somewhere...), then we could do a

mkfile /tmp/keepassxc-${USER}.lock
mkfile /tmp/keepassxc-${USER}.socket
whitelist /tmp/keepassxc-${USER}.lock
whitelist /tmp/keepassxc-${USER}.socket

or something similar (although I'm not sure how keepassxc would react if the files existed but nothing was listening...)

<!-- gh-comment-id:408711581 --> @chiraag-nataraj commented on GitHub (Jul 29, 2018): Hmm, if we implement variables `${USER}` and `${UID}` (which was suggested on an issue somewhere...), then we could do a ``` mkfile /tmp/keepassxc-${USER}.lock mkfile /tmp/keepassxc-${USER}.socket whitelist /tmp/keepassxc-${USER}.lock whitelist /tmp/keepassxc-${USER}.socket ``` or something similar (although I'm not sure how keepassxc would react if the files existed but nothing was listening...)
gitea-mirror commented 2026-05-05 08:02:44 -06:00
Author
Owner
Copy link

@t4777sd commented on GitHub (Jul 30, 2018):

I tested it with those files pre-created and re-opened it and it caused no issues for keepass. So, I guess the only thing left is the ${USER} ability

<!-- gh-comment-id:408715765 --> @t4777sd commented on GitHub (Jul 30, 2018): I tested it with those files pre-created and re-opened it and it caused no issues for keepass. So, I guess the only thing left is the ${USER} ability
gitea-mirror commented 2026-05-05 08:02:47 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 30, 2018):

Cool. I think we should be able to do that.

<!-- gh-comment-id:408716987 --> @chiraag-nataraj commented on GitHub (Jul 30, 2018): Cool. I think we should be able to do that.
gitea-mirror commented 2026-05-05 08:02:48 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 30, 2018):

Side question: @t4777sd, did you use mkfifo for the socket? We may need to bring in an option mkfifo if keepassxc can't deal with a regular file at keepassxc-${USER}.socket (to be fair, it might be good to have anyway).

<!-- gh-comment-id:408883793 --> @chiraag-nataraj commented on GitHub (Jul 30, 2018): Side question: @t4777sd, did you use mkfifo for the socket? We may need to bring in an option `mkfifo` if `keepassxc` can't deal with a regular file at `keepassxc-${USER}.socket` (to be fair, it might be good to have anyway).
gitea-mirror commented 2026-05-05 08:02:48 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 30, 2018):

@netblue30 I was looking at the code, and this variable already exists internally as I understand it (cfg.username). But I'm not sure exactly where the variable substitution should take place. I assume it would be somewhere in fs_whitelist.c...?

<!-- gh-comment-id:408972166 --> @chiraag-nataraj commented on GitHub (Jul 30, 2018): @netblue30 I was looking at the code, and this variable already exists internally as I understand it (`cfg.username`). But I'm not sure exactly where the variable substitution should take place. I assume it would be somewhere in `fs_whitelist.c`...?
gitea-mirror commented 2026-05-05 08:02:50 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 30, 2018):

Or...in util.c?

<!-- gh-comment-id:409045208 --> @chiraag-nataraj commented on GitHub (Jul 30, 2018): Or...in `util.c`?
gitea-mirror commented 2026-05-05 08:02:52 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Aug 18, 2018):

Does KeePassXC honor TMPDIR? If yes, you may simply add env TMPDIR=/home/user/.cache to its profile. That would be much simpler than adding new code.

<!-- gh-comment-id:414073726 --> @Vincent43 commented on GitHub (Aug 18, 2018): Does KeePassXC honor `TMPDIR`? If yes, you may simply add `env TMPDIR=/home/user/.cache` to its profile. That would be much simpler than adding new code.
gitea-mirror commented 2026-05-05 08:02:53 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 19, 2018):

Yes, it does (just tested). I suppose that solves this issue then (maybe we should add it to the profile?).

<!-- gh-comment-id:414134017 --> @chiraag-nataraj commented on GitHub (Aug 19, 2018): Yes, it does (just tested). I suppose that solves this issue then (maybe we should add it to the profile?).
gitea-mirror commented 2026-05-05 08:02:55 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 19, 2018):

@t4777sd Can you verify that the new profile fixes this issue?

<!-- gh-comment-id:414134324 --> @chiraag-nataraj commented on GitHub (Aug 19, 2018): @t4777sd Can you verify that the new profile fixes this issue?
gitea-mirror commented 2026-05-05 08:02:56 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Aug 22, 2018):

@chiraag-nataraj I had some weird issues with f9aeac080a
does 5ee6ed83bb work for you?

<!-- gh-comment-id:415025893 --> @SkewedZeppelin commented on GitHub (Aug 22, 2018): @chiraag-nataraj I had some weird issues with f9aeac080a830fc1aaf07f0beff781a1ed7e42ad does 5ee6ed83bb2f631f2c04696357c0863af59e4e7b work for you?
gitea-mirror commented 2026-05-05 08:02:57 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2018):

@SkewedZeppelin Lemme try (I don't actually use keepassxc lol, but I'll try it for this 😂)

<!-- gh-comment-id:415083947 --> @chiraag-nataraj commented on GitHub (Aug 22, 2018): @SkewedZeppelin Lemme try (I don't actually _use_ `keepassxc` lol, but I'll try it for this :joy:)
gitea-mirror commented 2026-05-05 08:02:58 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2018):

HAHAHAHAHAHA...hahahahahaha...ha. Oh god, this is too good. I think the fix for #942 breaks your fix. The sandbox name is changed to keepassxc-1 and it doesn't join the existing one.

<!-- gh-comment-id:415084929 --> @chiraag-nataraj commented on GitHub (Aug 22, 2018): HAHAHAHAHAHA...hahahahahaha...ha. Oh god, this is too good. I think the fix for #942 breaks your fix. The sandbox name is changed to `keepassxc-1` and it doesn't join the existing one.
gitea-mirror commented 2026-05-05 08:03:00 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2018):

But also, join-or-start should attach to the existing one if it's specified, shouldn't it?

<!-- gh-comment-id:415086460 --> @chiraag-nataraj commented on GitHub (Aug 22, 2018): But also, `join-or-start` should attach to the existing one if it's specified, shouldn't it?
gitea-mirror commented 2026-05-05 08:03:02 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2018):

Or maybe it's because I have hidepid enabled...lemme see.

<!-- gh-comment-id:415087184 --> @chiraag-nataraj commented on GitHub (Aug 22, 2018): Or maybe it's because I have `hidepid` enabled...lemme see.
gitea-mirror commented 2026-05-05 08:03:02 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Aug 22, 2018):

@chiraag-nataraj yes, sorry I forgot that. We have join-or-start on several profiles so it's weird this one doesn't work.

<!-- gh-comment-id:415087637 --> @Vincent43 commented on GitHub (Aug 22, 2018): @chiraag-nataraj yes, sorry I forgot that. We have `join-or-start` on several profiles so it's weird this one doesn't work.
gitea-mirror commented 2026-05-05 08:03:03 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2018):

No, it's because of hidepid, since join-or-start joins by looking for the pid.

<!-- gh-comment-id:415088004 --> @chiraag-nataraj commented on GitHub (Aug 22, 2018): No, it's because of `hidepid`, since `join-or-start` joins by looking for the pid.
gitea-mirror commented 2026-05-05 08:03:03 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2018):

So yes, @SkewedZeppelin, this is fixed now :) @t4777sd I'm going to close this now, but feel free to re-open if the profile in master doesn't work for you.

<!-- gh-comment-id:415088581 --> @chiraag-nataraj commented on GitHub (Aug 22, 2018): So yes, @SkewedZeppelin, this is fixed now :) @t4777sd I'm going to close this now, but feel free to re-open if the profile in master doesn't work for you.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1390
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?