[GH-ISSUE #2776] Running firejail with --x11 as different user - how? #1743

Closed
opened 2026-05-05 08:24:41 -06:00 by gitea-mirror · 2 comments

Originally created by @mirko on GitHub (Jun 15, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2776

I'm trying to run a firejail'ed GUI (thunderbird) as a different user.
In this test scenario ACLs for Xorg are disabled (`xhost +`), so that shouldn't be the issue.
As far as I can see, the client can't connect to the server instance that is supposed to have been opened.

Any pointers/hints on how to achieve that would be highly appreciated - thanks!

```
mirko@mai:~$ xhost +
access control disabled, clients can connect from any host
mirko@mai:~$ sudo -u x-mail -- firejail --x11 thunderbird
Reading profile /etc/firejail/xpra.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 22334, child pid 22335
Child process initialized in 126.36 ms
2019-06-15 18:06:00,263 cannot access python uinput module:
2019-06-15 18:06:00,263  No module named uinput
[config] failed to pre-init udev

X.Org X Server 1.20.4
X Protocol Version 11, Revision 0
Build Operating System: Linux 4.9.0-8-amd64 x86_64 Debian
Current Operating System: Linux mai 4.19.0-4-amd64 #1 SMP Debian 4.19.28-2 (2019-03-15) x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-4.19.0-4-amd64 root=/dev/mapper/nvme.mai-root ro quiet
Build Date: 05 March 2019  08:11:12PM
xorg-server 2:1.20.4-1 (https://www.debian.org/support) 
Current version of pixman: 0.36.0
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, xauth:  /home/x-mail/.Xauthority not writable, changes will be ignored
(NI) not implemented, (??) unknown.
(++) Log file: "/run/user/5003/xpra/Xorg.:336.log", Time: Sat Jun 15 18:06:00 2019
xauth:  /home/x-mail/.Xauthority not writable, changes ignored
(++) Using config file: "/etc/xpra/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
No protocol specified
No protocol specified
2019-06-15 18:06:03,466 Error: failed to connect to display :336
2019-06-15 18:06:03,467  could not connect to X server on display ':336' after 3 seconds
Error in sys.exitfunc:
Xpra server pid 22334, xpra client pid 22367, jail 22368

*** Attaching to xpra display 336 ***

Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/xpra.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 22367, child pid 22369
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 22368, child pid 22372
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 115.04 ms
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 128.88 ms
Warning: an existing sandbox was detected. /usr/bin/thunderbird will run without any additional sandboxing features
No protocol specified
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :336

Parent is shutting down, bye...
Gtk-Message: 18:06:06.208: Failed to load module "canberra-gtk-module"
2019-06-15 18:06:06,350 Xpra gtk2 client version 2.4.3-r21350M 64-bit
2019-06-15 18:06:06,350  running on Linux Debian 10 buster
2019-06-15 18:06:06,351  window manager is 'GNOME Shell'
2019-06-15 18:06:06,367 Warning: failed to import opencv:
2019-06-15 18:06:06,367  No module named cv2
2019-06-15 18:06:06,367  webcam forwarding is disabled
Warning: failed to query pulseaudio using 'pactl info'
 socket(): Operation not supported
 socket(): Operation not supported
 Connection failure: Connection refused
Warning: failed to query pulseaudio using 'pactl info'
 socket(): Operation not supported
 socket(): Operation not supported
 Connection failure: Connection refused
2019-06-15 18:06:06,751 GStreamer version 1.14.4 for Python 2.7.16 64-bit
2019-06-15 18:06:06,774 Warning: failed to query pulseaudio using 'pactl info'
2019-06-15 18:06:06,774  socket(): Operation not supported
2019-06-15 18:06:06,774  socket(): Operation not supported
2019-06-15 18:06:06,774  Connection failure: Connection refused
Reading profile /etc/firejail/xpra.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 22446, child pid 22451
2019-06-15 18:06:06,796 failed to instantiate the dbus notification handler:
2019-06-15 18:06:06,796  you may need to start a notification service for 'org.freedesktop.Notifications'
2019-06-15 18:06:06,796  disable notifications to avoid this warning
2019-06-15 18:06:06,871 Warning: cannot import gtk OpenGL module
2019-06-15 18:06:06,871  ('Unable to load OpenGL library', 'GL: cannot open shared object file: No such file or directory', 'GL', None)
2019-06-15 18:06:06,880 Warning: cannot import native OpenGL module
2019-06-15 18:06:06,880  ('Unable to load OpenGL library', 'GL: cannot open shared object file: No such file or directory', 'GL', None)
2019-06-15 18:06:06,880 Warning: no OpenGL backends found
2019-06-15 18:06:06,880 Error setting up dbus signals:
2019-06-15 18:06:06,880  org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
Child process initialized in 118.48 ms
2019-06-15 18:06:07,160 Error: printing disabled:
2019-06-15 18:06:07,160  No module named cups
xpra initialization error:
 cannot find live server for display :336
xpra initialization error:
 cannot find live server for display :336

Parent is shutting down, bye...

Parent received signal 15, shutting down the child process...

Parent received signal 15, shutting down the child process...
mirko@mai:~$ 
Child received signal 15, shutting down the sandbox...

Child received signal 15, shutting down the sandbox...
(II) Server terminated successfully (0). Closing log file.

Parent is shutting down, bye...

Parent is shutting down, bye...
```

@rusty-snake commented on GitHub (Jun 15, 2019):

Why are you trying to firejail thunderbird and using a different user? firejail is for sandboxing and can do that; I don't think it's necessary. If you want a stricter sandbox, you should tighten the firejail profile.


@rusty-snake commented on GitHub (Jun 26, 2019):

@mirko I'm going to close this for now because of inactivity. Please feel free to reopen if you have more questions.
