[GH-ISSUE #2722] Starting syncthing throws message "Firefox profile cannot be loaded..." #1712

Closed
opened 2026-05-05 08:22:19 -06:00 by gitea-mirror · 4 comments
Owner

Originally created by @joede on GitHub (May 23, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2722

I'm running Firejail 0.9.52 + profiles of Ubuntu 18.04. These are the official packages (neither a backport nor a self-compiled binary). To run Syncthing within a jail, I decided to move the official Syncthing binary (not the one of Ubuntu) into a subdirectory `~/.syncthing`. The configuration files will be stored at `~/.config/syncthing`.

This is the self-created profile I'm using:

~~~~
## Firejail profile for Syncthing Service
##
## 21.5.2019 (jd) first try

## Disable access
# Disable access to common system management tools (sudo, mount, etc.)
include /etc/firejail/disable-common.inc
# Disable access to common program configs in ${HOME}
include /etc/firejail/disable-programs.inc
# Disable access to common password manager files
include /etc/firejail/disable-passwdmgr.inc
# Disable access to development tools
include /etc/firejail/disable-devel.inc

## Security filters
# Blacklist all Linux capabilities
caps.drop all
# Ensures that child processes cannot acquire new privileges
nonewprivs
# No root account. Only one user, the current one
noroot
# Run the program directly, without a user shell
shell none
# Enable default seccomp filter and blacklist the syscalls
seccomp
# Allow network access by ignoring network filter
ignore net
# Allow execution of Syncthing binary (after updates)
ignore noexec ${HOME}/.syncthing
# even if the whitelist creates an empty, temporary ~, we want it RO
read-only ${HOME}
read-only ${HOME}/.config
# write access is only allowed inside the basedir ~/.syncthing and the configuration dir
read-write ${HOME}/.syncthing
mkdir ${HOME}/.config/syncthing
read-write ${HOME}/.config/syncthing

## Filesystem
private-etc hosts,resolv.conf,ssl,ca-certificates
private-dev
# put all the stuff below ~/.syncthing
whitelist ${HOME}/.syncthing
# but the configuration goes here
whitelist ${HOME}/.config/syncthing

# Blacklist
blacklist /boot
blacklist /mnt
blacklist /media
blacklist /root
blacklist /srv

## Networking
# Default network filter for new created network namespace
netfilter
~~~~

After starting with `cd .syncthing && firejail ./syncthing`, a GNOME message appears with the message "Your Firefox profile cannot be loaded. It may be missing or inaccessible."! Since I start Syncthing, I don't know why there should be a Firefox profile accessed.

Clicking OK closes the box. Meanwhile, Syncthing is running in its jail as expected!

Note that the message box appears with every start of Syncthing!

gitea-mirror 2026-05-05 08:22:19 -06:00
Author
Owner

@SkewedZeppelin commented on GitHub (May 23, 2019):

You probably have Syncthing set to open the browser to itself.
The option is Settings > Advanced > Start Browser
untick, restart, retest

also:

- using whitelist would prevent it from accessing any directories to sync
- using syncthing with systemd should already be using ProtectSystem, PrivateTmp, MemoryDenyWriteExecute, and NoNewPrivileges.
Author
Owner

@joede commented on GitHub (May 23, 2019):

My fault... I wasn't aware of the "start browser" option. After switching off, the message disappears! Thanks for that.

For the tips:

I moved all the folders to sync below `~/.syncthing` to avoid adding each new folder to the profile.

My next step would be to use a *systemd user service* to autostart Syncthing. I'm not sure I understand your note about systemd defaults. Is my profile OK to be used for a *user service*? I'm really new to both Firejail and Syncthing, so I'm glad for every hint.

Author
Owner

@chiraag-nataraj commented on GitHub (May 23, 2019):

> My next step would be to use a systemd user service to autostart Syncthing. I'm not sure I understand your note about systemd defaults. Is my profile OK to be used for a user service? I'm really new to both Firejail and Syncthing, so I'm glad for every hint.

I do this for several services and it should work fine. I think what @SkewedZeppelin was getting at is that you might have additional protections based on how you write the service file for it. In my case, I let `firejail` handle all the sandboxing and have a _very_ minimal unit file, something like:

```
[Unit]
Description=A thing

[Service]
ExecStart=/usr/bin/env firejail program args
```

Or, if I have a wrapper script (something I often set up anyway), I'll use that instead for the `ExecStart` line, and that works fairly well as well.

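A systemd user unit in the spirit of the minimal one above, wrapping the Syncthing binary from `~/.syncthing` in the profile posted in this issue. This is an added example, not a file from the thread or the Firejail project; the unit name, the profile location `%h/.config/firejail/syncthing.profile`, and the use of `--no-browser` are assumptions.

```ini
# ~/.config/systemd/user/syncthing-firejail.service  (assumed path; added example)
[Unit]
Description=Syncthing, sandboxed by Firejail with the profile from this issue

[Service]
# The binary lives in ~/.syncthing as described in the issue; %h expands to $HOME.
# The profile path below is an assumption: copy the posted profile there.
WorkingDirectory=%h/.syncthing
# --no-browser is Syncthing's command-line equivalent of unticking
# Settings > Advanced > Start Browser, so the "Firefox profile cannot be loaded"
# dialog does not come back if the GUI setting is ever reset.
ExecStart=/usr/bin/firejail --profile=%h/.config/firejail/syncthing.profile %h/.syncthing/syncthing --no-browser
Restart=on-failure
RestartSec=10

# Sandboxing is deliberately left to Firejail (caps.drop all, nonewprivs, seccomp,
# private-etc, whitelist ... in the profile). Firejail is a setuid-root helper, so
# NoNewPrivileges=yes here would block that privilege step and the service would not
# start; ProtectSystem= and MemoryDenyWriteExecute= in a *user* unit additionally
# require unprivileged user namespaces. Use those directives when running the
# Ubuntu-packaged Syncthing without Firejail instead.

[Install]
WantedBy=default.target
```

Enable it with `systemctl --user enable --now syncthing-firejail.service` and check `journalctl --user -u syncthing-firejail.service` for Firejail's own startup messages if the profile rejects a path.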
Author
Owner

@chiraag-nataraj commented on GitHub (May 28, 2019):

@joede, I'm going to go ahead and close this since it seems the original question was answered. Feel free to continue seeking help for the `systemd` user service part of this, though... I'd be happy to give you more details about my setup (I actually set up a similar thing for `dropbox`).
