github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #2891] firefox access to gpg-agent-browser.socket #1805

New issue

Closed

opened 2026-05-05 08:28:38 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 08:28:38 -06:00

Owner

Originally created by @valoq on GitHub (Aug 6, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2891

If I am not mistaken, the default firefox profile allows access to /etc
There is a browser specific socket file for the gpg-agent in the following path
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket

The gpg-agent-browser.socket allows web browsers to access the gpg-agent daemon.

Worst case, if the user unlocked their gpg key, the browser can use the connection to the agent to sign or decrypt files with the users key without a password prompt (for a few minutes, depending on the config of gpg-agent)

Not sure how to test/use this access via browser.
Can someone please verify if this indeed the case?

Originally created by @valoq on GitHub (Aug 6, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2891 If I am not mistaken, the default firefox profile allows access to /etc There is a browser specific socket file for the gpg-agent in the following path /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket The gpg-agent-browser.socket allows web browsers to access the gpg-agent daemon. Worst case, if the user unlocked their gpg key, the browser can use the connection to the agent to sign or decrypt files with the users key without a password prompt (for a few minutes, depending on the config of gpg-agent) Not sure how to test/use this access via browser. Can someone please verify if this indeed the case?

gitea-mirror

2026-05-05 08:28:38 -06:00

closed this issue
added the
invalid
label

gitea-mirror commented

2026-05-05 08:28:42 -06:00

Author

Owner

@rusty-snake commented on GitHub (Aug 6, 2019):

If I am not mistaken, the default firefox profile allows access to /etc

Right, but you can use private-etc in firefox and firefox-common.

There is a browser specific socket file for the gpg-agent in the following path
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket

I doesn't have this file, this systemd socket-unit and it not in the repos (using Fedora), but I found this: https://wiki.archlinux.org/index.php/GnuPG

The gpg-agent-browser.socket allows web browsers to access the gpg-agent daemon.

Probably we should add blacklist /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket into disable-common.inc.

@rusty-snake commented on GitHub (Aug 6, 2019): > If I am not mistaken, the default firefox profile allows access to /etc Right, but you can use `private-etc` in firefox and firefox-common. > There is a browser specific socket file for the gpg-agent in the following path /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket I doesn't have this file, this systemd socket-unit and it not in the repos (using Fedora), but I found this: https://wiki.archlinux.org/index.php/GnuPG > The `gpg-agent-browser.socket` allows web browsers to access the gpg-agent daemon. Probably we should add `blacklist /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket` into `disable-common.inc`.

gitea-mirror commented

2026-05-05 08:28:42 -06:00

Author

Owner

@Vincent43 commented on GitHub (Aug 7, 2019):

/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket is symlink to socket config file, not a socket itself. The socket is in /run/user/$UID/gnupg/S.gpg-agent.browser.

@Vincent43 commented on GitHub (Aug 7, 2019): `/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket` is symlink to socket config file, not a socket itself. The socket is in `/run/user/$UID/gnupg/S.gpg-agent.browser`.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1805

No description provided.

Rows
Columns