[GH-ISSUE #2221] Why does firejail need to alter /etc/X11/Xwrapper.config allowed_users=console? #1491

Closed
opened 2026-05-05 08:09:30 -06:00 by gitea-mirror · 4 comments

Originally created by @Veek on GitHub (Oct 28, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2221

> /usr/lib/xorg/Xorg.wrap: Only console users are allowed to run the X server
> xauth: timeout in locking authority file /root/.Xauthority

Since firejail uses Xvfb etc. and the usual .Xauthority, why does it need to alter allowed_users=console? This weakens security and is not needed for Xvfb anyhow. I'm on firejail/debian-stretch 0.9.44.8

@SkewedZeppelin commented on GitHub (Oct 28, 2018):

Relevant: #633

@Veek commented on GitHub (Oct 29, 2018):

**How does Firejail work?**
My understanding is this: Firejail+Xpra uses Xvfb/framebuffer to gather pixmap data when the application tries to draw itself on the Xvfb-framebuffer. Then Xpra sends this data over br0 (assuming you used --net) across the network, to the already running Xorg server. Since the pixmap data is by definition safe, the application can't mess/hack the Xorg server.

I am able to start Xvfb manually: `Xvfb :20 -ac -screen 0 1366x768x24 -fbdir /tmp -nolisten tcp&` I can then do `xwud -in /tmp/Xvfb_screen0`

When I run:
```
su - test
firejail --x11=xpra --net=eth0 --env=DISPLAY=:0.0 xclock
```
I want xclock on 'test' account to connect to Xorg on :0

**What I get is this: firejail starts ANOTHER Xorg instance and does something with my webcam/forwarding? cv2 module? And I ONLY GET THIS after chmod 777 /root and chmod 777 /.Xauthority** I have to allow firejail to WRITE TO the .Xauthority of the owner/user of the Xorg process.

(EDITING eth0 to enp9s0 solves the network device issue) Why is firejail starting Xorg???

```
X.Org X Server 1.19.2
Release Date: 2017-03-02
X Protocol Version 11, Revision 0
Build Operating System: Linux 4.9.0-4-amd64 x86_64 Debian
Current Operating System: Linux localhost 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64
Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.9.0-7-amd64 root=UUID=38b58376-fa8c-4a5c-8df4-c8e2111d6328 ro quiet
Build Date: 16 October 2017  08:19:45AM
xorg-server 2:1.19.2-1+deb9u2 (https://www.debian.org/support) 
Current version of pixman: 0.34.0
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/test/.xpra/Xorg.:489.log", Time: Mon Oct 29 10:08:52 2018
(++) Using config file: "/etc/xpra/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
2018-10-29 10:08:52,815 created unix domain socket: /home/test/.xpra/localhost-489
Xpra server pid 2801, xpra client pid 2816, jail 2817
Error: cannot find network device eth0

*** Attaching to xpra display 489 ***

2018-10-29 10:08:53,716 Warning: failed to load the mdns avahi publisher:
2018-10-29 10:08:53,717  No module named avahi
2018-10-29 10:08:53,717  either fix your installation or use the 'mdns=no' option
2018-10-29 10:08:54,212 Xpra gtk2 client version 0.17.6-r14322
2018-10-29 10:08:54,213  running on Linux debian 9.5
2018-10-29 10:08:54,215 Warning: failed to import opencv:
2018-10-29 10:08:54,215  No module named cv2
2018-10-29 10:08:54,216  webcam forwarding is disabled
Warning: failed to import GStreamer:
 GStreamer 1.0: Namespace Gst not available
 GStreamer 0.10: No module named pygst
2018-10-29 10:08:54,383 Error: failed to query sound subsystem:
2018-10-29 10:08:54,383  query did not return any data
2018-10-29 10:08:54,562 Warning: webcam forwarding is disabled
2018-10-29 10:08:54,563  the virtual video directory '/sys/devices/virtual/video4linux' was not found
2018-10-29 10:08:54,564  make sure that the 'v4l2loopback' kernel module is installed and loaded
2018-10-29 10:08:54,564 found 0 virtual video devices
2018-10-29 10:08:54,586 pulseaudio server started with pid 2836
xpra initialization error:
 cannot find any live servers to connect to
Warning: failed to import GStreamer:
 GStreamer 1.0: Namespace Gst not available
 GStreamer 0.10: No module named pygst
2018-10-29 10:08:54,793 Error: failed to query sound subsystem:
2018-10-29 10:08:54,793  query did not return any data
2018-10-29 10:08:54,796 D-Bus notification forwarding is available
2018-10-29 10:08:54,812 xpra X11 version 0.17.6-r14322
2018-10-29 10:08:54,812  running with pid 2801 on Linux debian 9.5
2018-10-29 10:08:54,813  on display :489
2018-10-29 10:08:55,097 PyOpenGL warning: missing accelerate module
2018-10-29 10:08:55,193 xpra is ready.
2018-10-29 10:08:55,792 New unix-domain connection received on /home/test/.xpra/localhost-489
2018-10-29 10:08:55,795 New unix-domain connection received on /home/test/.xpra/localhost-489
2018-10-29 10:08:55,800  detected keyboard: rules=evdev, model=pc105, layout=us
2018-10-29 10:08:55,803 Connection lost
2018-10-29 10:08:55,805  desktop size is 1366x768 with 1 screen:
2018-10-29 10:08:55,806   :0.0 (361x203 mm - DPI: 96x96)
2018-10-29 10:08:55,806     monitor 1 (353x198 mm - DPI: 98x98)
2018-10-29 10:08:55,907 Handshake complete; enabling connection
2018-10-29 10:08:55,924 Python/Gtk2 Linux debian 9.5 client version 0.17.6-r14322
2018-10-29 10:08:55,924  connected from 'localhost' as 'test'
2018-10-29 10:08:55,926  mmap is enabled using 256MB area in /tmp/xpra.PJrSgZ.mmap
2018-10-29 10:08:55,928  client root window size is 1366x768 with 1 display:
2018-10-29 10:08:55,928   :0.0 (361x203 mm - DPI: 96x96)
2018-10-29 10:08:55,929     monitor 1 (353x198 mm - DPI: 98x98)
2018-10-29 10:08:56,227 server virtual display now set to 1366x768
2018-10-29 10:08:56,230 setting key repeat rate from client: 500ms delay / 50ms interval
2018-10-29 10:08:56,233 setting keymap: rules=evdev, model=pc105, layout=us
2018-10-29 10:08:56,295 enabled fast mmap transfers using 256MB shared memory area
2018-10-29 10:08:56,296 Xpra X11 server version 0.17.6-r14322
2018-10-29 10:08:56,297  running on Linux debian 9.5
2018-10-29 10:08:56,297 enabled remote logging
2018-10-29 10:08:56,300 Attached to :489 (press Control-C to detach)

2018-10-29 10:08:56,303 Attached to :489 (press Control-C to detach)
2018-10-29 10:08:56,316 DPI set to 16 x 18 (wanted 96 x 96)
2018-10-29 10:08:56,317  you may experience scaling problems, such as huge or small fonts, etc
2018-10-29 10:08:56,319  to fix this issue, try the dpi switch, or use a patched Xorg dummy driver
2018-10-29 10:08:56,350 python netifaces package is missing

got signal SIGTERM, exiting
test@localhost:~$ 
2018-10-29 10:09:02,359 got signal SIGTERM, exiting
2018-10-29 10:09:02,360 Disconnecting client /home/test/.xpra/localhost-489:
2018-10-29 10:09:02,360  server shutdown
2018-10-29 10:09:02,361 Error: printing disabled:
2018-10-29 10:09:02,361  No module named cups
2018-10-29 10:09:02,362 xpra client disconnected.
2018-10-29 10:09:02,364 stopping pulseaudio with pid 2836
2018-10-29 10:09:02,387 removing socket /home/test/.xpra/localhost-489
2018-10-29 10:09:02,388 killing xvfb with pid 2803
(II) Server terminated successfully (0). Closing log file.
```


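The two host-side settings argued over in this thread, the `allowed_users=` line in `/etc/X11/Xwrapper.config` (who may start the real Xorg through the setuid `Xorg.wrap`) and the permissions on the `.Xauthority` cookie file that the reporter worked around with `chmod 777`, can both be audited with a few lines of POSIX shell. The script below is an added example, not code from firejail, xpra or the issue author. It takes every path as a parameter and runs against constructed sample files under `mktemp`, so it never reads `/etc/X11` or a real home directory; the assumptions it makes are that `Xorg.wrap` accepts `rootonly`, `console` and `anybody` as values and falls back to `console` when the key is absent, and that an `.Xauthority` file should be mode 0600 and owned by the user, since anything wider exposes the MIT-MAGIC-COOKIE to every local account.

```shell
#!/bin/sh
# Added example for this thread; not code from firejail, xpra or the reporter.
# Audits (1) allowed_users= in an Xwrapper.config-style file and (2) the
# owner/mode of an .Xauthority file. All paths are parameters; the samples
# are constructed below so the script runs offline.

# Print the effective allowed_users value from an Xwrapper.config-style file.
# A missing key or missing file is reported as 'console' (assumed wrapper
# default); no other keys (e.g. needs_root_rights) are parsed.
xwrapper_allowed_users() {
    val=$(sed -n 's/^[[:space:]]*allowed_users[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-console}"
}

# Exit status: 0 = restrictive (console or rootonly),
#              1 = weakened (anybody: any local uid can start the real Xorg),
#              2 = unrecognised value (treat as a finding as well).
xwrapper_status() {
    case "$(xwrapper_allowed_users "$1")" in
        console|rootonly) return 0 ;;
        anybody)          return 1 ;;
        *)                return 2 ;;
    esac
}

# An .Xauthority cookie file must be owned by its user and be mode 0600.
# Exit status 0 = ok, 1 = missing, wrong owner or too permissive.
xauthority_ok() {
    file=$1; owner=$2
    [ -f "$file" ] || return 1
    # ls -l instead of stat(1) for portability; a trailing '.' or '+'
    # (SELinux label / ACL marker) after the mode string is tolerated.
    set -- $(ls -ld "$file")
    case "$1" in -rw-------*) ;; *) return 1 ;; esac
    [ "$3" = "$owner" ]
}

# Create constructed sample files and print the directory holding them.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'allowed_users=console\nneeds_root_rights=yes\n' > "$d/strict.conf"
    printf '# loosened so an su-ed user can start Xorg\nallowed_users = anybody\n' > "$d/weak.conf"
    printf 'cookie' > "$d/xauth_good"; chmod 600 "$d/xauth_good"
    printf 'cookie' > "$d/xauth_bad";  chmod 777 "$d/xauth_bad"
    printf '%s\n' "$d"
}

# Human-readable report over a sample directory; on a real host you would
# point the same functions at /etc/X11/Xwrapper.config and ~/.Xauthority.
report() {
    d=$1
    for c in strict.conf weak.conf; do
        if xwrapper_status "$d/$c"; then
            echo "$c: allowed_users=$(xwrapper_allowed_users "$d/$c") (ok)"
        else
            echo "$c: allowed_users=$(xwrapper_allowed_users "$d/$c") (WEAK: non-console users may start Xorg)"
        fi
    done
    for f in xauth_good xauth_bad; do
        if xauthority_ok "$d/$f" "$(id -un)"; then
            echo "$f: ok"
        else
            echo "$f: BAD (must be 0600 and owned by $(id -un))"
        fi
    done
}

SAMPLES=$(make_samples)
report "$SAMPLES"
rm -rf "$SAMPLES"
```

The point of `xwrapper_status` is that `anybody` is the only value that lets a user who did not log in on a console, such as the `su - test` session in the thread, launch the setuid Xorg, which is the weakening the reporter objects to; `xauthority_ok` catches the `chmod 777` workaround, which hands the display cookie to every local account instead of fixing which user owns the X session.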
@chiraag-nataraj commented on GitHub (Dec 9, 2018):

It's starting Xorg because `--x11=xpra` starts a new xpra instance. Essentially, it's starting Xorg because you asked it to.

@chiraag-nataraj commented on GitHub (May 20, 2019):

I'm going to close this, but @Veek, please feel free to re-open if you have more questions.
