[GH-ISSUE #2720] keepassxc: cannot open URL links in firefox

gitea-mirror commented

2026-05-05 08:22:19 -06:00

Owner

Originally created by @tinmanx on GitHub (May 22, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2720

After a Firefox update, i dont understand why but when trying to double click to open URL's in KeepassXC it errors out saying profile not accessible. Can you tell me why this happened all of a sudden? Nothing has changed in the profile, been using it as usual.

firejail version 0.9.58.2
Ubuntu 18.04 with xfce4

Originally created by @tinmanx on GitHub (May 22, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2720 After a Firefox update, i dont understand why but when trying to double click to open URL's in KeepassXC it errors out saying profile not accessible. Can you tell me why this happened all of a sudden? Nothing has changed in the profile, been using it as usual. firejail version 0.9.58.2 Ubuntu 18.04 with xfce4

gitea-mirror

2026-05-05 08:22:19 -06:00

closed this issue
added the
bug

information_old

workaround

sandbox-ipc
labels

gitea-mirror commented

2026-05-05 08:22:23 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Things to try:

Does anything get printed on the terminal if you run firejail keepassxc?
Does firejail --noprofile keepassxc help?
Does keeping firefox (firejailed) open before starting keepassxc (firejailed) help?

@chiraag-nataraj commented on GitHub (May 22, 2019): Things to try: * Does anything get printed on the terminal if you run `firejail keepassxc`? * Does `firejail --noprofile keepassxc` help? * Does keeping `firefox` (firejailed) open _before_ starting `keepassxc` (firejailed) help?

gitea-mirror commented

2026-05-05 08:22:24 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

@chiraag-nataraj

Yes, see below:

Opening...!
May 22 12:12:32 nohup: ignoring input
May 22 12:12:32 Reading profile /usr/local/etc/firejail/keepassxc.profile
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-common.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-devel.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-interpreters.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-programs.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-xdg.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
May 22 12:12:32 Mounting appimage type 2
May 22 12:12:32 Parent pid 14245, child pid 14253
May 22 12:12:32 
May 22 12:12:32 **     Warning: dropping all Linux capabilities     **
May 22 12:12:32 Private /etc installed in 7.10 ms
May 22 12:12:32 ]0;firejail /home/user/KeePassXC-2.4.1-x86_64.AppImage Child process initialized in 198.01 ms
May 22 12:12:34 Qt: Session management error: Could not open network socket
May 22 12:12:34 QObject::startTimer: Timers cannot have negative intervals
May 22 12:12:34 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0)
May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0)
May 22 12:13:09 
May 22 12:13:09 (exo-open:25150): dbind-WARNING **: 10:13:09.089: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused
May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0)
May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0)
May 22 12:13:09 
May 22 12:13:09 (exo-helper-1:25153): dbind-WARNING **: 10:13:09.099: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused
May 22 12:13:10 Error: Access was denied while trying to open files in your profile directory.
May 22 12:13:23 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
May 22 12:13:23 
May 22 12:13:23 Parent is shutting down, bye...
May 22 12:13:23 AppImage unmounted

It works with: firejail --noprofile --appimage KeePassXC-2.4.1-x86_64.AppImage
Firefox is not firejailed, but it is started before Keepassxc as usual.

@tinmanx commented on GitHub (May 22, 2019): @chiraag-nataraj - Yes, see below: ``` Opening...! May 22 12:12:32 nohup: ignoring input May 22 12:12:32 Reading profile /usr/local/etc/firejail/keepassxc.profile May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-common.inc May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-devel.inc May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-interpreters.inc May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-programs.inc May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-xdg.inc May 22 12:12:32 Reading profile /usr/local/etc/firejail/whitelist-var-common.inc May 22 12:12:32 Mounting appimage type 2 May 22 12:12:32 Parent pid 14245, child pid 14253 May 22 12:12:32 May 22 12:12:32 ** Warning: dropping all Linux capabilities ** May 22 12:12:32 Private /etc installed in 7.10 ms May 22 12:12:32 ]0;firejail /home/user/KeePassXC-2.4.1-x86_64.AppImage Child process initialized in 198.01 ms May 22 12:12:34 Qt: Session management error: Could not open network socket May 22 12:12:34 QObject::startTimer: Timers cannot have negative intervals May 22 12:12:34 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0) May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0) May 22 12:13:09 May 22 12:13:09 (exo-open:25150): dbind-WARNING **: 10:13:09.089: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0) May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0) May 22 12:13:09 May 22 12:13:09 (exo-helper-1:25153): dbind-WARNING **: 10:13:09.099: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused May 22 12:13:10 Error: Access was denied while trying to open files in your profile directory. May 22 12:13:23 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported May 22 12:13:23 May 22 12:13:23 Parent is shutting down, bye... May 22 12:13:23 AppImage unmounted ``` - It works with: `firejail --noprofile --appimage KeePassXC-2.4.1-x86_64.AppImage` - Firefox is not firejailed, but it is started before Keepassxc as usual.

gitea-mirror commented

2026-05-05 08:22:25 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

The only difference between the output on the terminal now and before the Firefox update, is this error:
Error: Access was denied while trying to open files in your profile directory.

Everything else is normal

@tinmanx commented on GitHub (May 22, 2019): The only difference between the output on the terminal now and before the Firefox update, is this error: `Error: Access was denied while trying to open files in your profile directory.` Everything else is normal

gitea-mirror commented

2026-05-05 08:22:26 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

When keepassxc is running, can you do a firejail --ls=<pid of keepassxc sandbox> ~/? Does .mozilla appear there?

Also, looks like you compiled from Git, since it's reading stuff in /usr/local/etc/firejail?

@chiraag-nataraj commented on GitHub (May 22, 2019): When keepassxc is running, can you do a `firejail --ls=<pid of keepassxc sandbox> ~/`? Does `.mozilla` appear there? Also, looks like you compiled from Git, since it's reading stuff in `/usr/local/etc/firejail`?

gitea-mirror commented

2026-05-05 08:22:27 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Also, is this the default firejail profile? Have you modified it?

@chiraag-nataraj commented on GitHub (May 22, 2019): Also, is this the default `firejail` profile? Have you modified it?

gitea-mirror commented

2026-05-05 08:22:28 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

@chiraag-nataraj yes .mozilla does appear in the list ! This is very weird..

And yes i compiled from Git. Like i said, this has been working fine for many months and suddenly this happened after Firefox update. Firefox updated from: firefox (67.0+build1-0ubuntu0.18.04.1) bionic to firefox (67.0+build2-0ubuntu0.18.04.1) bionic
yes this is the default keepassxc.profile and no i didnt modify it.

@tinmanx commented on GitHub (May 22, 2019): @chiraag-nataraj yes `.mozilla` does appear in the list ! This is very weird.. And yes i compiled from Git. Like i said, this has been working fine for many months and suddenly this happened after Firefox update. Firefox updated from: `firefox (67.0+build1-0ubuntu0.18.04.1) bionic` to `firefox (67.0+build2-0ubuntu0.18.04.1) bionic` yes this is the default keepassxc.profile and no i didnt modify it.

gitea-mirror commented

2026-05-05 08:22:29 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

What if you pass --ignore=private-bin, so firejail --ignore=private-bin --appimage KeePassXC-<whatever>?

@chiraag-nataraj commented on GitHub (May 22, 2019): What if you pass `--ignore=private-bin`, so `firejail --ignore=private-bin --appimage KeePassXC-<whatever>`?

gitea-mirror commented

2026-05-05 08:22:29 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

no that doesnt work either.
I figured out what the problem is... however i do not have a solution for this.

Please ignore the version numbers of firefox that i mentioned, this is what really happened after digging further.

When everything was working, i was on Firefox v66.0.5 (i reverted to this now and the URL openings work as expected)
According to http://security.ubuntu.com/ubuntu/pool/main/f/firefox/ the next version in the list is Firefox 67.0Build2

After updating to Firefox 67.0Build2 today, the URL openings break, ie. gives the above error as explained.

Something has changed between Firefox v66.0.5 and v67.0 with KeepassXC 2.4.1

The only solution is to stay on a previous version of Firefox

Please try reproduce because i just did this now.

@tinmanx commented on GitHub (May 22, 2019): no that doesnt work either. I figured out what the problem is... however i do not have a solution for this. Please ignore the version numbers of firefox that i mentioned, this is what really happened after digging further. When everything was working, i was on Firefox v66.0.5 (i reverted to this now and the URL openings work as expected) According to http://security.ubuntu.com/ubuntu/pool/main/f/firefox/ the next version in the list is Firefox 67.0Build2 After updating to Firefox 67.0Build2 today, the URL openings break, ie. gives the above error as explained. Something has changed between Firefox v66.0.5 and v67.0 with KeepassXC 2.4.1 The only solution is to stay on a previous version of Firefox Please try reproduce because i just did this now.

gitea-mirror commented

2026-05-05 08:22:30 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Can you try with the non-appimage version? I want to see if it's an appimage-specific problem or if it's an issue with the profile more generally.

Also, I'm currently on firefox 66.0.5 (I'm on Debian sid...).

@chiraag-nataraj commented on GitHub (May 22, 2019): Can you try with the non-appimage version? I want to see if it's an appimage-specific problem or if it's an issue with the profile more generally. Also, I'm currently on firefox 66.0.5 (I'm on Debian `sid`...).

gitea-mirror commented

2026-05-05 08:22:30 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

There is only appimages for keepassxc and building it from source which i am not able to do. The rest is windows and mac binaries.
Can you try with building from source on your side? It seems to me that the execution for opening firefox links has somehow changed

@tinmanx commented on GitHub (May 22, 2019): There is only appimages for keepassxc and building it from source which i am not able to do. The rest is windows and mac binaries. Can you try with building from source on your side? It seems to me that the execution for opening firefox links has somehow changed

gitea-mirror commented

2026-05-05 08:22:31 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

No? https://packages.ubuntu.com/bionic/keepassxc It's in the bionic repos.

@chiraag-nataraj commented on GitHub (May 22, 2019): No? https://packages.ubuntu.com/bionic/keepassxc It's in the bionic repos.

gitea-mirror commented

2026-05-05 08:22:31 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

apologies, will check now.

@tinmanx commented on GitHub (May 22, 2019): apologies, will check now.

gitea-mirror commented

2026-05-05 08:22:32 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

When testing on a new PC, im getting a different error now when opening URL:
Unable to detect a web browser to launch 'www.google.com'

I tried on firefox v66.04 and firefox v67.0

I used keepassxc from bionic repo as you said.

@tinmanx commented on GitHub (May 22, 2019): When testing on a new PC, im getting a different error now when opening URL: `Unable to detect a web browser to launch 'www.google.com'` I tried on firefox v66.04 and firefox v67.0 I used keepassxc from bionic repo as you said.

gitea-mirror commented

2026-05-05 08:22:32 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Can you try with --ignore=private-bin? I suspect it's looking for browsers, but none are whitelisted in the default profile.

@chiraag-nataraj commented on GitHub (May 22, 2019): Can you try with `--ignore=private-bin`? I suspect it's looking for browsers, but none are whitelisted in the default profile.

gitea-mirror commented

2026-05-05 08:22:32 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

Ok i tried with:
$ firejail --ignore=private-bin keepassxc
and it tries to open, with the same error popup as it does on the appimage.

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 5642, child pid 5643
Private /etc installed in 4.12 ms
Child process initialized in 73.98 ms

(keepassxc:7): dbind-WARNING **: 14:16:15.037: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused
Qt: Session management error: Could not open network socket

(exo-open:32017): dbind-WARNING **: 14:16:47.063: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused

(exo-helper-1:32020): dbind-WARNING **: 14:16:47.079: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused
Error: Access was denied while trying to open files in your profile directory.

@tinmanx commented on GitHub (May 22, 2019): Ok i tried with: `$ firejail --ignore=private-bin keepassxc` and it tries to open, with the same error popup as it does on the appimage. ``` Reading profile /usr/local/etc/firejail/keepassxc.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/disable-xdg.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Parent pid 5642, child pid 5643 Private /etc installed in 4.12 ms Child process initialized in 73.98 ms (keepassxc:7): dbind-WARNING **: 14:16:15.037: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused Qt: Session management error: Could not open network socket (exo-open:32017): dbind-WARNING **: 14:16:47.063: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused (exo-helper-1:32020): dbind-WARNING **: 14:16:47.079: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused Error: Access was denied while trying to open files in your profile directory. ```

gitea-mirror commented

2026-05-05 08:22:33 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Hmm...I wonder if exo-helper or exo-open is throwing the error rather than firefox...

@chiraag-nataraj commented on GitHub (May 22, 2019): Hmm...I wonder if `exo-helper` or `exo-open` is throwing the error rather than `firefox`...

gitea-mirror commented

2026-05-05 08:22:33 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Or do you get the firefox popup saying "Your profile is missing" or something similar?

@chiraag-nataraj commented on GitHub (May 22, 2019): Or do you get the firefox popup saying "Your profile is missing" or something similar?

gitea-mirror commented

2026-05-05 08:22:34 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

The popup i get is this:

in addition to the terminal error:
Error: Access was denied while trying to open files in your profile directory.

@tinmanx commented on GitHub (May 22, 2019): The popup i get is this: ![2019-05-22](https://user-images.githubusercontent.com/46136520/58182667-54c71e00-7cae-11e9-8732-a40ce25cf6dc.png) in addition to the terminal error: `Error: Access was denied while trying to open files in your profile directory.`

gitea-mirror commented

2026-05-05 08:22:34 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

this is the same for appimage and the repo version

@tinmanx commented on GitHub (May 22, 2019): this is the same for appimage and the repo version

gitea-mirror commented

2026-05-05 08:22:34 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Okay yeah, that is a Firefox error. It doesn't make sense, though, since ~/.mozilla should exist. Can you make sure ~/.mozilla/firefox/ exists within the sandbox?

@chiraag-nataraj commented on GitHub (May 22, 2019): Okay yeah, that is a Firefox error. It doesn't make sense, though, since `~/.mozilla` should exist. Can you make sure `~/.mozilla/firefox/` exists within the sandbox?

gitea-mirror commented

2026-05-05 08:22:35 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

yes it exists
drwx------ 1000 1004 4096 .mozilla
Yeah it does not make sense. This is also a new fresh VM, so, i dont know what the issue could be.

Did you try this on debian?

@tinmanx commented on GitHub (May 22, 2019): yes it exists `drwx------ 1000 1004 4096 .mozilla` Yeah it does not make sense. This is also a new fresh VM, so, i dont know what the issue could be. Did you try this on debian?

gitea-mirror commented

2026-05-05 08:22:35 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Yes, and it actually worked. My firefox is tightly sandboxed though...

@chiraag-nataraj commented on GitHub (May 22, 2019): Yes, and it actually worked. My firefox is tightly sandboxed though...

gitea-mirror commented

2026-05-05 08:22:36 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

@tinmanx commented on GitHub (May 22, 2019): With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

gitea-mirror commented

2026-05-05 08:22:36 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

When testing on a new PC, im getting a different error now when opening URL:
Unable to detect a web browser to launch 'www.google.com'

I tried on firefox v66.04 and firefox v67.0

I used keepassxc from bionic repo as you said.

So are you saying that once you did --ignore=private-bin, the error disappeared for 66.0.4?

@chiraag-nataraj commented on GitHub (May 22, 2019): > When testing on a new PC, im getting a different error now when opening URL: > `Unable to detect a web browser to launch 'www.google.com'` > > I tried on firefox v66.04 and firefox v67.0 > > I used keepassxc from bionic repo as you said. So are you saying that once you did `--ignore=private-bin`, the error disappeared for 66.0.4?

gitea-mirror commented

2026-05-05 08:22:36 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

@chiraag-nataraj commented on GitHub (May 22, 2019): > With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue. Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

gitea-mirror commented

2026-05-05 08:22:37 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

@chiraag-nataraj commented on GitHub (May 22, 2019): > > With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue. > > Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue. I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

gitea-mirror commented

2026-05-05 08:22:37 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (May 22, 2019):

iirc 67 changes how profiles are handled and --no-remote is default now?

@SkewedZeppelin commented on GitHub (May 22, 2019): iirc 67 changes how profiles are handled and `--no-remote` is default now?

gitea-mirror commented

2026-05-05 08:22:38 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Hmm, I thought it was just that they automatically set up a new profile for release, nightly, dev, beta, etc? I don't think they do --no-remote by default, since I was able to open a link just fine (once I put --private-bin=firefox to add firefox to the sandbox).

@chiraag-nataraj commented on GitHub (May 22, 2019): Hmm, I thought it was just that they automatically set up a new profile for release, nightly, dev, beta, etc? I don't think they do `--no-remote` by default, since I was able to open a link just fine (once I put `--private-bin=firefox` to add `firefox` to the sandbox).

gitea-mirror commented

2026-05-05 08:22:38 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

@tinmanx, can you download firefox from mozilla's website, close all open firefox windows, and do the following?

cd to the directory where you extracted firefox (from the tar.bz2 file).
ff=$(mktemp -d)
./firefox --profile "$ff"
Now, in a separate terminal: firejail --private-bin=firefox keepassxc
Click on the link.

This should: (a) make sure you're running with a clean profile and (b) ensure you're opening it in the mozilla version rather than the bionic version.

[edit] Hopefully Xfce won't mess with this...

@chiraag-nataraj commented on GitHub (May 22, 2019): @tinmanx, can you download firefox from mozilla's website, *close all open firefox windows*, and do the following? 1. `cd` to the directory where you extracted `firefox` (from the `tar.bz2` file). 2. `ff=$(mktemp -d)` 3. `./firefox --profile "$ff"` 4. Now, in a separate terminal: `firejail --private-bin=firefox keepassxc` 5. Click on the link. This should: (a) make sure you're running with a clean profile and (b) ensure you're opening it in the mozilla version rather than the bionic version. [edit] Hopefully Xfce won't mess with this...

gitea-mirror commented

2026-05-05 08:22:38 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

@chiraag-nataraj i take it this is the portable version of firefox and you putting a profile into memory to test?
I tried this as you said, but i get the below error:
Launch failed (/usr/local/bin/firefox https://www.google.com/)

@tinmanx commented on GitHub (May 22, 2019): @chiraag-nataraj i take it this is the portable version of firefox and you putting a profile into memory to test? I tried this as you said, but i get the below error: `Launch failed (/usr/local/bin/firefox https://www.google.com/)`

gitea-mirror commented

2026-05-05 08:22:39 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

Just note that, by default usually in my own situation Firefox is not jailed at all.

@tinmanx commented on GitHub (May 22, 2019): Just note that, by default usually in my own situation Firefox is not jailed at all.

gitea-mirror commented

2026-05-05 08:22:39 -06:00

Author

Owner

@rusty-snake commented on GitHub (May 22, 2019):

@tinmanx -no-remote is an firefox arg. firefox --help:

--no-remote Do not accept or send remote commands; implies --new-instance.
--new-instance Open new instance, not a new window in running instance.

remote commands means something like "open a new window" or "open URL XY in a new tab".

@rusty-snake commented on GitHub (May 22, 2019): @tinmanx `-no-remote` is an firefox arg. `firefox --help`: > --no-remote Do not accept or send remote commands; implies --new-instance. --new-instance Open new instance, not a new window in running instance. remote commands means something like "open a new window" or "open URL XY in a new tab".

gitea-mirror commented

2026-05-05 08:22:40 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

Just note that, by default usually in my own situation Firefox is not jailed at all.

Yes. For this test, I didn't jail firefox (even though I normally do).

@chiraag-nataraj commented on GitHub (May 22, 2019): > Just note that, by default usually in my own situation Firefox is not jailed at all. Yes. For this test, I didn't jail firefox (even though I normally do).

gitea-mirror commented

2026-05-05 08:22:40 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

What do you mean from git master?
im using the following:
firejail 0.9.58.2
keepassxc 2.4.1

Did you use Firefox 67.0 tar.bz2 or did you install from your debian repo?

Guys this is very strange, im telling you something was changed in Firefox 67.0. We need to find out what it is. Firefox v66.0.5 works perfectly as it always did, even in previous versions.

@tinmanx commented on GitHub (May 22, 2019): > > > With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue. > > > > > > Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue. > > I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master). What do you mean from git master? im using the following: firejail 0.9.58.2 keepassxc 2.4.1 Did you use Firefox 67.0 tar.bz2 or did you install from your debian repo? Guys this is very strange, im telling you something was changed in Firefox 67.0. We need to find out what it is. Firefox v66.0.5 works perfectly as it always did, even in previous versions.

gitea-mirror commented

2026-05-05 08:22:40 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

I used firejail from git master (so 0.9.60~rc2), not 0.9.58.2, keepassxc 2.3.4(latest version in Debian), andfirefoxdownloaded from Mozilla (so67.0`).

I didn't attempt to install firefox at all — just ran it from the directory I extracted to (happened to be in my Downloads folder).

@chiraag-nataraj commented on GitHub (May 22, 2019): I used `firejail` from git master (so `0.9.60~rc2`), not `0.9.58.2`, `keepassxc `2.3.4` (latest version in Debian), and `firefox` downloaded from Mozilla (so `67.0`). I didn't attempt to install `firefox` at all — just ran it from the directory I extracted to (happened to be in my Downloads folder).

gitea-mirror commented

2026-05-05 08:22:42 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 22, 2019):

If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to about:profiles.

@chiraag-nataraj commented on GitHub (May 22, 2019): If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to `about:profiles`.

gitea-mirror commented

2026-05-05 08:22:42 -06:00

Author

Owner

@openffchrome commented on GitHub (May 22, 2019):

i have a big problem since FF 67 too, when i click on a link from an sandboxed application it launch a whole new firefox instance with a new profile instead of using my firefox instance which is already launched in background! it really ruin my pc use :/

@openffchrome commented on GitHub (May 22, 2019): i have a big problem since FF 67 too, when i click on a link from an sandboxed application it launch a whole new firefox instance with a new profile **instead of using my firefox instance which is already launched in background**! it really ruin my pc use :/

gitea-mirror commented

2026-05-05 08:22:43 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to about:profiles.

No it doesnt, i tried that now.

I also found this: https://www.reddit.com/r/firefox/comments/brh3s7/firefox_67_forces_a_new_profile_is_there_any_way/ not sure if this might be of any help to you that you can maybe figure out if its using an incorrect profile.

[Edit]
check this:
https://www.reddit.com/r/firefox/comments/broebr/just_updated_to_firefox_67_and_have_a_new_profile/
and this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1553526

@tinmanx commented on GitHub (May 22, 2019): > If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to `about:profiles`. No it doesnt, i tried that now. I also found this: https://www.reddit.com/r/firefox/comments/brh3s7/firefox_67_forces_a_new_profile_is_there_any_way/ not sure if this might be of any help to you that you can maybe figure out if its using an incorrect profile. [Edit] check this: https://www.reddit.com/r/firefox/comments/broebr/just_updated_to_firefox_67_and_have_a_new_profile/ and this: https://bugzilla.mozilla.org/show_bug.cgi?id=1553526

gitea-mirror commented

2026-05-05 08:22:43 -06:00

Author

Owner

@tinmanx commented on GitHub (May 22, 2019):

i have a big problem since FF 67 too, when i click on a link from an sandboxed application it launch a whole new firefox instance with a new profile instead of using my firefox instance which is already launched in background! it really ruin my pc use :/

I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which wont work, (because when firefox is closed in general and you try to open a link, its the exact same error i get)

@tinmanx commented on GitHub (May 22, 2019): > i have a big problem since FF 67 too, when i click on a link from an sandboxed application it launch a whole new firefox instance with a new profile **instead of using my firefox instance which is already launched in background**! it really ruin my pc use :/ I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which wont work, (because when firefox is closed in general and you try to open a link, its the exact same error i get)

gitea-mirror commented

2026-05-05 08:22:43 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 23, 2019):

I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which wont work, (because when firefox is closed in general and you try to open a link, its the exact same error i get)

Something's very weird because that is not the behavior I experienced. When I had firefox 67.0 running (although it wasn't officially installed), keepassxc opened links in the running instance.

@chiraag-nataraj commented on GitHub (May 23, 2019): > I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which wont work, (because when firefox is closed in general and you try to open a link, its the exact same error i get) Something's _very_ weird because _that is not the behavior I experienced_. When I had `firefox` 67.0 running (although it wasn't officially installed), `keepassxc` opened links in the running instance.

gitea-mirror commented

2026-05-05 08:22:44 -06:00

Author

Owner

@tinmanx commented on GitHub (May 24, 2019):

@chiraag-nataraj i dont know what to tell you. I also tried this on a fresh Ubuntu 18.04 no xfce4 or anything like that. just plain Ubuntu 18.04 Desktop. Same issue after installed firefox from repo.

Can you try installing firefox from Debian repo, delete ~/.mozilla and open firefox for it to create new profile. Then run keepassxc with firejail so you can tell me

@tinmanx commented on GitHub (May 24, 2019): @chiraag-nataraj i dont know what to tell you. I **also** tried this on a fresh Ubuntu 18.04 no xfce4 or anything like that. just plain Ubuntu 18.04 Desktop. Same issue after installed firefox from repo. Can you try installing firefox from Debian repo, delete ~/.mozilla and open firefox for it to create new profile. Then run keepassxc with firejail so you can tell me

gitea-mirror commented

2026-05-05 08:22:44 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 24, 2019):

Interesting, once I installed it system-wide, I had the same issue. Can you try this profile for keepassxc and report back? (NB: It assumes your database is stored in ~/.config/keepassxc for simplicity...you can add other whitelist paths if you want).
~/.config/firejail/keepassxc.profile:

ignore memory-deny-write-execute

include ${HOME}/.config/firejail/common.inc

whitelist ${HOME}/.config/keepassxc

private-bin keepassxc,firefox
private-etc alternatives,fonts
protocol netlink,unix
join-or-start keepassxc

~/.config/firejail/common.inc:

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nou2f
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

@chiraag-nataraj commented on GitHub (May 24, 2019): Interesting, once I installed it system-wide, I had the same issue. Can you try this profile for `keepassxc` and report back? (NB: It assumes your database is stored in `~/.config/keepassxc` for simplicity...you can add other whitelist paths if you want). `~/.config/firejail/keepassxc.profile`: ``` ignore memory-deny-write-execute include ${HOME}/.config/firejail/common.inc whitelist ${HOME}/.config/keepassxc private-bin keepassxc,firefox private-etc alternatives,fonts protocol netlink,unix join-or-start keepassxc ``` `~/.config/firejail/common.inc`: ``` blacklist /usr/local/bin blacklist /usr/local/sbin blacklist /boot private-tmp read-only /tmp/.X11-unix private-dev disable-mnt private-opt emp private-srv emp shell none seccomp seccomp.block-secondary noroot caps.drop all apparmor nonewprivs ipc-namespace machine-id nodbus nou2f nogroups net none netfilter memory-deny-write-execute noexec ${HOME} noexec /tmp noexec ${RUNUSER} ```

gitea-mirror commented

2026-05-05 08:22:45 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 28, 2019):

@tinmanx, any luck with the keepassxc profile I posted above?

@chiraag-nataraj commented on GitHub (May 28, 2019): @tinmanx, any luck with the `keepassxc` profile I posted above?

gitea-mirror commented

2026-05-05 08:22:45 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 31, 2019):

@tinmanx, I'm not sure how to proceed from here. If the profile I sent you works, then we can figure out which directive is causing the issue in the stock profile and we can fix it. But I can't do that unless someone else tests the profile...

@chiraag-nataraj commented on GitHub (May 31, 2019): @tinmanx, I'm not sure how to proceed from here. If the profile I sent you works, then we can figure out which directive is causing the issue in the stock profile and we can fix it. But I can't do that unless someone else tests the profile...

gitea-mirror commented

2026-05-05 08:22:45 -06:00

Author

Owner

@tinmanx commented on GitHub (Jun 1, 2019):

@chiraag-nataraj sorry for the late response - i havent been able to log on for a while.

I did the tests right now. Please see findings below:

I tried to run it with: firejail keepassxc but when clicking the link, it gave an error in terminal:
Launch failed (/usr/sbin/firefox https://www.site.com/)
and it didnt open.

So i tried with: firejail --ignore=private-bin keepassxc and the following happened:
I already had firefox open..so when clicking the link it prompted with this screenshot

so i chose it and it opened a brand new instance of firefox, so it didnt open a new tab in the existing firefox profile.

On another note:
I still dont know why I have to run firejail --ignore=private-bin keepassxc and if i run firejail keepassxc it wont launch the site.

@tinmanx commented on GitHub (Jun 1, 2019): @chiraag-nataraj sorry for the late response - i havent been able to log on for a while. I did the tests right now. Please see findings below: I tried to run it with: `firejail keepassxc` but when clicking the link, it gave an error in terminal: `Launch failed (/usr/sbin/firefox https://www.site.com/)` and it didnt open. So i tried with: `firejail --ignore=private-bin keepassxc` and the following happened: I already had firefox open..so when clicking the link it prompted with this screenshot ![2019-06-01](https://user-images.githubusercontent.com/46136520/58748293-9c9c3100-8476-11e9-9d9e-a824bd468f71.png) so i chose it and it opened a brand new instance of firefox, so it didnt open a new tab in the existing firefox profile. On another note: I still dont know why I have to run `firejail --ignore=private-bin keepassxc` and if i run `firejail keepassxc` it wont launch the site.

gitea-mirror commented

2026-05-05 08:22:46 -06:00

Author

Owner

@tinmanx commented on GitHub (Jun 1, 2019):

Is it possible you could also do these tests on your side?

@tinmanx commented on GitHub (Jun 1, 2019): Is it possible you could also do these tests on your side?

gitea-mirror commented

2026-05-05 08:22:46 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 1, 2019):

The profile I posted worked fine when firefox was already open. I suspect you have to tweak the profile a bit. I really don't know what it might take, since I've been on a highly-customized Debian sid/experimental setup for quite some time now (AwesomeWM and manual mimetype configuration if required).

From the looks of it, it's probably something to do with xdg-open not having access to its config files (and xdg-open not being whitelisted in private-bin).

Honestly, the safest (and most secure) option is to manually copy the URLs and paste them. I've been doing this for a long time now since it allows for much stricter sandboxes.

If someone else is out there running Ubuntu and wants to help @tinmanx troubleshoot, please have at it! I'm at my wit's end at this point, since the profile above worked for me.

@tinmanx, one more thing you can try is commenting whitelist ${HOME}/.config/keepassxc in the profile and seeing if it works then. If so, that points to additional directories you need to whitelist in your home directory.

@chiraag-nataraj commented on GitHub (Jun 1, 2019): The profile I posted worked fine when firefox was already open. I suspect you have to tweak the profile a bit. I really don't know what it might take, since I've been on a highly-customized Debian sid/experimental setup for quite some time now (AwesomeWM and manual mimetype configuration if required). From the looks of it, it's probably something to do with `xdg-open` not having access to its config files (and `xdg-open` not being whitelisted in `private-bin`). Honestly, the safest (and most _secure_) option is to manually copy the URLs and paste them. I've been doing this for a long time now since it allows for _much_ stricter sandboxes. If someone else is out there running Ubuntu and wants to help @tinmanx troubleshoot, please have at it! I'm at my wit's end at this point, since the profile above worked for me. @tinmanx, one more thing you can try is commenting `whitelist ${HOME}/.config/keepassxc` in the profile and seeing if it works then. If so, that points to additional directories you need to whitelist in your home directory.

gitea-mirror commented

2026-05-05 08:22:47 -06:00

Author

Owner

@tinmanx commented on GitHub (Jun 1, 2019):

@chiraag-nataraj
running firejail --ignore=private-bin keepassxc now while having commented out whitelist ${HOME}/.config/keepassxc it worked and opened up the link in the same firefox instance.

So knowing this.. what can you do to actually fix this?
Is this profile of keepassxc.profile and commenting out whitelist ${HOME}/.config/keepassxc secure?

@tinmanx commented on GitHub (Jun 1, 2019): @chiraag-nataraj running `firejail --ignore=private-bin keepassxc` now while having commented out `whitelist ${HOME}/.config/keepassxc` it worked and opened up the link in the same firefox instance. So knowing this.. what can you do to actually fix this? Is this profile of keepassxc.profile and commenting out `whitelist ${HOME}/.config/keepassxc` secure?

gitea-mirror commented

2026-05-05 08:22:47 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 1, 2019):

Okay, this means you need to figure out which other directories need to be whitelisted for xdg-open to work. I can't help you there since I don't use that mechanism for opening programs (as I mentioned earlier).

Is this profile of keepassxc.profile and commenting out whitelist ${HOME}/.config/keepassxc secure?

Not as secure as whitelisting just the specific directories it needs to function. Again, if you care about security, keep the profile as-is and just copy-paste the URL.

@chiraag-nataraj commented on GitHub (Jun 1, 2019): Okay, this means you need to figure out which other directories need to be whitelisted for `xdg-open` to work. I can't help you there since I don't use that mechanism for opening programs (as I mentioned earlier). > Is this profile of keepassxc.profile and commenting out whitelist ${HOME}/.config/keepassxc secure? Not _as_ secure as whitelisting _just_ the specific directories it needs to function. Again, if you care about security, keep the profile as-is and just copy-paste the URL.

gitea-mirror commented

2026-05-05 08:22:48 -06:00

Author

Owner

@tinmanx commented on GitHub (Jun 1, 2019):

@chiraag-nataraj if you dont use the first whitelist..does it by default allow all directories?

if you care about security, keep the profile as-is and just copy-paste the URL.

if this is the case, how was it working before the firefox upgrade? was it less secure previously??

@tinmanx commented on GitHub (Jun 1, 2019): @chiraag-nataraj if you dont use the first whitelist..does it by default allow all directories? > if you care about security, keep the profile as-is and just copy-paste the URL. if this is the case, how was it working before the firefox upgrade? was it less secure previously??

gitea-mirror commented

2026-05-05 08:22:48 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 1, 2019):

@chiraag-nataraj if you dont use the first whitelist..does it by default allow all directories?

Yes. If there are no blacklists or whitelists (and my profiles tend to take a whitelist approach), then all directories in ~ (your home directory) are able to be accessed.

If this is the case, how was it working before the firefox upgrade? was it less secure previously??

I never had a setup where clicking on a link worked without relaxing many settings on the sandbox. Looking at the keepassxc profile provided in this repository (not the one I posted above), it seems it allows keepassxc access to your .mozilla directory, which means it theoretically could access anything stored in your firefox profile. I suppose we decided it's an acceptable compromise to not break everyone's setup.

Personally, I find that whenever I need to allow a program to access configuration files that aren't its own, I should change my workflow. So in this case, if I took a look at the profile and realized that clicking on links only works because keepassxc has access to my firefox data, I would create a stricter profile in ~/.config/firejail without that and copy and paste the links.

I mean, in this case, you might deem it an acceptable risk as long as keepassxc doesn't have internet access (so net none or protocol unix or similar is enabled in the sandbox). Otherwise, it's not even a question in my mind.

@chiraag-nataraj commented on GitHub (Jun 1, 2019): > @chiraag-nataraj if you dont use the first whitelist..does it by default allow all directories? Yes. If there are no blacklists or whitelists (and my profiles tend to take a whitelist approach), then all directories in `~` (your home directory) are able to be accessed. > If this is the case, how was it working before the firefox upgrade? was it less secure previously?? I never had a setup where clicking on a link worked without relaxing many settings on the sandbox. Looking at the `keepassxc` profile provided in this repository (**not** the one I posted above), it seems it allows `keepassxc` access to your `.mozilla` directory, which means it theoretically could access anything stored in your `firefox` profile. I suppose we decided it's an acceptable compromise to not break everyone's setup. Personally, I find that whenever I need to allow a program to access configuration files that aren't its own, I should change my workflow. So in this case, if I took a look at the profile and realized that clicking on links only works because `keepassxc` has access to my `firefox` data, I would create a stricter profile in `~/.config/firejail` without that and copy and paste the links. I mean, in this case, you might deem it an acceptable risk _as long as `keepassxc` doesn't have internet access_ (so `net none` or `protocol unix` or similar is enabled in the sandbox). Otherwise, it's not even a question in my mind.

gitea-mirror commented

2026-05-05 08:22:48 -06:00

Author

Owner

@tinmanx commented on GitHub (Jun 11, 2019):

@chiraag-nataraj i appreciate your input and you make great points, however this is not really a solution to the actual problem. Knowing that net none provides network block is enough for most users. This again shouldn't be an excuse to render the link-launcher useless and tedious.

Also, saying that xdg-open is somehow the cause of it being blocked wouldn't make sense, because this has to do with a Firefox update. i mean ive downgraded and upgraded the Firefox versions like 10 times and i get the same results.

A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

@tinmanx commented on GitHub (Jun 11, 2019): @chiraag-nataraj i appreciate your input and you make great points, however this is not really a solution to the actual problem. Knowing that `net none` provides network block is enough for most users. This again shouldn't be an excuse to render the link-launcher useless and tedious. Also, saying that xdg-open is somehow the cause of it being blocked wouldn't make sense, because this has to do with a Firefox update. i mean ive downgraded and upgraded the Firefox versions like 10 times and i get the same results. A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

gitea-mirror commented

2026-05-05 08:22:49 -06:00

Author

Owner

@tinmanx commented on GitHub (Jun 18, 2019):

@chiraag-nataraj i just found out i am having the same issue and not being able to click links on a jailed cherrytree.profile too. Never used to be like this.
Do you think i should open a bug report on mozilla? Can you please assist? I cant be the only one with this issue. Il do whatever else that i can to make this work again.

@tinmanx commented on GitHub (Jun 18, 2019): @chiraag-nataraj i just found out i am having the same issue and not being able to click links on a jailed cherrytree.profile too. Never used to be like this. Do you think i should open a bug report on mozilla? Can you please assist? I cant be the only one with this issue. Il do whatever else that i can to make this work again.

gitea-mirror commented

2026-05-05 08:22:49 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 18, 2019):

A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this.

Do you think i should open a bug report on mozilla? Can you please assist? I cant be the only one with this issue. Il do whatever else that i can to make this work again.

I don't think opening a bug report on Firefox's bugzilla will be useful at all — they will just redirect you back here an close as NOTABUG.

As I've already mentioned, this functionality requires you to at the minimum whitelist your firefox folder (~/.mozilla) in all programs where you would like to click on links and have them open. This has not changed and is still the case. To me, that represents a lot more trust than I am willing to give random programs (especially internet-connected ones).

Given your input above, I think the thing that's broken is that firefox (or whatever is calling it) now requires additional directories to be whitelisted (in addition to ~/.mozilla) before it will work. This might have happened with a firefox update, but I don't think firefox broke it.

You will have to play around with whitelisting directories in your home directory (build off of the profile I sent you) and don't worry too much about the private-bin for now (you can comment it if you want, we can deal with that later) — just focus on getting the home directory whitelist to work.

You might be able to use the --debug and --trace arguments for firejail or run it from the terminal to hopefully get more output, which might give you a better idea of what's going on.

@chiraag-nataraj commented on GitHub (Jun 18, 2019): > A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail? I really don't know. Every new `firefox` release adds so many things (and *changes* so many things) that I'm not entirely even sure what could have done this. > Do you think i should open a bug report on mozilla? Can you please assist? I cant be the only one with this issue. Il do whatever else that i can to make this work again. I don't think opening a bug report on Firefox's bugzilla will be useful at all — they will just redirect you back here an close as NOTABUG. As I've already mentioned, this functionality requires you to **at the minimum** whitelist your firefox folder (`~/.mozilla`) in *all* programs where you would like to click on links and have them open. This has not changed and is still the case. To me, that represents a lot more trust than I am willing to give random programs (especially internet-connected ones). Given your input above, I think the thing that's broken is that `firefox` (or whatever is calling it) now requires additional directories to be whitelisted (**in addition to `~/.mozilla`**) before it will work. This might have happened with a `firefox` update, but I don't _think_ `firefox` broke it. You will have to play around with whitelisting directories in your home directory (build off of the profile I sent you) and don't worry too much about the `private-bin` for now (you can comment it if you want, we can deal with that later) — just focus on getting the home directory whitelist to work. You might be able to use the `--debug` and `--trace` arguments for **firejail** or run it from the terminal to hopefully get more output, which might give you a better idea of what's going on.

gitea-mirror commented

2026-05-05 08:22:49 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 18, 2019):

I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this.

As @SkewedZeppelin already said "67 changes how profiles are handled"

Profiles per installation to avoid conflicts

New Firefox installations will use a dedicated profile automatically starting with the release of Firefox 67. Firefox used existing profiles previously by default which led to two issues:

Profiles were shared between different Firefox installations, e.g. Nightly and Stable, which could lead to conflicts.
You could not run multiple Firefox installations side by side by default.

Firefox supports options to run multiple profiles side-by-side and the new release does not take these away. It makes things easier for users of the browser who install different versions of Firefox on a single device.

(Source: https://www.ghacks.net/2019/05/21/firefox-67-0-release-information/)

@rusty-snake commented on GitHub (Jun 18, 2019): >I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this. As @SkewedZeppelin already said "67 changes how profiles are handled" > Profiles per installation to avoid conflicts > >New Firefox installations will use a dedicated profile automatically starting with the release of Firefox 67. Firefox used existing profiles previously by default which led to two issues: > > Profiles were shared between different Firefox installations, e.g. Nightly and Stable, which could lead to conflicts. > You could not run multiple Firefox installations side by side by default. > >Firefox supports options to run multiple profiles side-by-side and the new release does not take these away. It makes things easier for users of the browser who install different versions of Firefox on a single device. (Source: https://www.ghacks.net/2019/05/21/firefox-67-0-release-information/)

gitea-mirror commented

2026-05-05 08:22:50 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 18, 2019):

@rusty-snake Yes, but I'm not quite sure if that's the issue here. In particular, it doesn't explain why the firejail profile that worked for me seems to not work for OP or why this broke in the first place.

The profile handling you're describing is more related to versioning firefox profiles such that each one is associated with a specific firefox channel (release, beta, nightly). It pretty much has nothing to do with this issue (afaik).

@chiraag-nataraj commented on GitHub (Jun 18, 2019): @rusty-snake Yes, but I'm not quite sure if that's the issue here. In particular, it doesn't explain why the firejail profile that worked for me seems to not work for OP or why this broke in the first place. The profile handling you're describing is more related to versioning firefox profiles such that each one is associated with a specific firefox channel (release, beta, nightly). It pretty much has nothing to do with this issue (afaik).

gitea-mirror commented

2026-05-05 08:22:50 -06:00

Author

Owner

@rusty-snake commented on GitHub (Aug 22, 2019):

@tinmanx @chiraag-nataraj I go ahead and close this for now.

@rusty-snake commented on GitHub (Aug 22, 2019): @tinmanx @chiraag-nataraj I go ahead and close this for now.

gitea-mirror referenced this issue

2026-05-05 10:13:34 -06:00

[PR #1852] [MERGED] Fix private-lib again #4091

Rows
Columns

[GH-ISSUE #2720] keepassxc: cannot open URL links in firefox #1711