[GH-ISSUE #2531] firefox: "browser-disable-u2f no" does not enable u2f #1637

Closed
opened 2026-05-05 08:17:23 -06:00 by gitea-mirror · 5 comments

Originally created by @njfox on GitHub (Mar 6, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2531

I'm using firejail 0.9.58.2 on Arch Linux with apparmor enabled. I'm using a NitroKey FIDO U2F security key.

The U2F key is not working in FireFox, even after explicitly setting `browser-disable-u2f no` in `/etc/firejail/firejail.config`. The only way to get the key working was to completely comment out the following line in `/etc/firejail/firefox-common.profile`:

```
#?BROWSER_DISABLE_U2F: nou2f
```

More information in the discussion here: #2247


@njfox commented on GitHub (Mar 6, 2019):

Upon further testing, I've noticed that 2 things are required to make the U2F key work in FireFox under firejail:

  1. I have to explicitly set `browser-disable-u2f no` in `/etc/firejail/firejail.config`. Is there some security benefit to disabling U2F keys by default?
  2. It doesn't work if I insert the key while FireFox is running. It only works if the key is inserted when FireFox is launched, which is reasonably annoying. This means I have to restart my browser to complete a log-in if my key wasn't inserted when I started FireFox. Is this expected behavior or a bug?

@ghost commented on GitHub (Mar 6, 2019):

> I have to explicitly set browser-disable-u2f no in /etc/firejail/firejail.config.

@njfox Have you tried `ignore nou2f` in a firefox-common.local file or in your browser start command yet?


@SkewedZeppelin commented on GitHub (Mar 6, 2019):

@glitsj16 afaik `ignore nou2f` won't work since `ignore` matches the whole line which in this case has a conditional prepended to it.

@njfox to confirm, you did uncomment the line in `firejail.config`?

> It doesn't work if I insert the key while FireFox is running.

That will never work, the sandbox has its state set at start and cannot be changed after.

> Is there some security benefit to disabling U2F keys by default?

Yes. See the reasoning here https://github.com/netblue30/firejail/issues/2194#issue-369906681


@njfox commented on GitHub (Mar 6, 2019):

> @njfox to confirm, you did uncomment the line in firejail.config ?

Here is my firejail config that makes the key work:

```
# Disable U2F in browsers, default enabled.
browser-disable-u2f no
```

If the other behavior is known/expected then I think we can go ahead and close this issue.


@ghost commented on GitHub (Mar 6, 2019):

@SkewedZeppelin Thanks for explaining. Now you mention ignore matching the `whole` line I should have known that won't work. I have a few `ignore ignore blah` lines in local overrides and remember being happily surprised firejail is that smart 😄.
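
An added sketch, not firejail's own parser and not code from any participant in this thread: it models the resolution described above, where `ignore` is compared against the whole profile line (conditional prefix included) and the `?BROWSER_DISABLE_U2F:` conditional is gated by `browser-disable-u2f` in `firejail.config`. The function names, the whole-line equality test and the sample texts are assumptions constructed for illustration.

```python
# Simplified model of the behaviour described in the thread (assumption, not firejail code).

def config_flag(config_text, key, default=True):
    """Read a yes/no key from firejail.config-style text; commented lines keep the default."""
    value = default
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) == 2 and parts[0] == key and parts[1] in ("yes", "no"):
            value = parts[1] == "yes"
    return value

def active_options(profile_text, ignores, conditions):
    """Return the profile options still in force after ignores and conditionals."""
    active = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, e.g. "#?BROWSER_DISABLE_U2F: nou2f"
        # Per the thread: ignore matches the whole line, conditional prefix included,
        # so "nou2f" never equals "?BROWSER_DISABLE_U2F: nou2f".
        if line in ignores:
            continue
        if line.startswith("?"):
            name, _, rest = line[1:].partition(":")
            if not conditions.get(name.strip(), False):
                continue  # condition is off, the option is dropped
            line = rest.strip()
        active.append(line)
    return active

# Constructed sample inputs.
PROFILE = "# constructed profile excerpt\n?BROWSER_DISABLE_U2F: nou2f\n"
CONFIG_DEFAULT = "# browser-disable-u2f yes\n"   # key left commented: default applies
CONFIG_ENABLED = "# Disable U2F in browsers, default enabled.\nbrowser-disable-u2f no\n"

def nou2f_active(config_text, ignores=()):
    """True if the sandbox would start with nou2f, i.e. the key is blocked."""
    disable = config_flag(config_text, "browser-disable-u2f", default=True)
    options = active_options(PROFILE, set(ignores), {"BROWSER_DISABLE_U2F": disable})
    return "nou2f" in options

if __name__ == "__main__":
    print("default config:            ", nou2f_active(CONFIG_DEFAULT))
    print("default + 'ignore nou2f':  ", nou2f_active(CONFIG_DEFAULT, ["nou2f"]))
    print("browser-disable-u2f no:    ", nou2f_active(CONFIG_ENABLED))
```

Whatever the result, it only describes the sandbox at launch: as stated in the thread, the state is fixed at start, so the key has to be present before the browser is started.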
