[GH-ISSUE #3139] How to download a file and save it in --private mode #1970

Closed
opened 2026-05-05 08:37:55 -06:00 by gitea-mirror · 25 comments

Originally created by @ironfish1000 on GitHub (Jan 11, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3139

Hello,
I really like this:

High security browser setup

Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don't trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration, and an empty home directory.

Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use the --dns Firejail option to specify a DNS configuration for your sandbox:

$ firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox 

When I do online banking I would like to download pdf account statements.
I believe the above will not allow me to save downloaded PDFs to my computer - they will be downloaded in the firejailed firefox, and will be deleted when firejailed firefox is closed. Please let me know if I do not understand this correctly.

Based on my understanding, I tried to add a --whitelist argument that specifies the path to my Downloads directory, but I can't seem to get this working properly.

If you could explain how I could download PDFs from firejailed firefox into my Downloads directory, that would be super appreciated.

Thanks ahead of time.


@ghost commented on GitHub (Jan 11, 2020):

> I believe the above will not allow me to save downloaded pdf's to my computer - they will be downloaded in the firejailed firefox, and will be deleted when firejailed firefox is closed.

Correct, that's exactly what the --private option implies.

> Based on my understanding, I tried to add a --whitelist argument that specifies the path to my Downloads directory, but I cant seem to get this working properly.

firefox-common.profile already has whitelist ${DOWNLOADS}, no need to do it twice.

For a high security browser setup like this I'd recommend adding a --name=foo option to your start command and using firejail's --get option to retrieve the PDFs you want before closing the sandbox:

$ firejail --private --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox &
$ cd ${HOME}/Downloads
$ firejail --ls=banking ~/Downloads
$ firejail --get=banking ~/Downloads/whatever.you.want.pdf

This is documented in man firejail under the 'File Transfer' section. Hope this does what you want.


@ironfish1000 commented on GitHub (Jan 11, 2020):

Dear glitsj16,
Thanks very much for your quick and helpful response!
I am new to firejail and so will need some time to learn more and try this out. I will report back :)


@ironfish1000 commented on GitHub (Jan 11, 2020):

Dear glitsj16,

Thanks again for your help.

I tried the steps you suggested and this works :)

Could I just ask you:

In:
firejail --private --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox &
Is the "&" character needed?

Is there a way to share or make available a folder in the non-sandboxed file system, e.g. Downloads, so that it could be seen by e.g. Firefox running in --private mode? (I thought this was what --whitelist is for but maybe I don't understand this parameter)


@ghost commented on GitHub (Jan 11, 2020):

@wpfan1000 Hi, I just saw your ^ message via e-mail. By the time I logged in here you seem to have got this working 👍. I'll close this issue but feel free to re-open if you have anything else to report. Enjoy experimenting with firejail!


@ironfish1000 commented on GitHub (Jan 11, 2020):

Yes, sorry glitsj16
Initially I forgot to:
cd ${HOME}/Downloads
I did realize you may see my original message and this may be confusing to you - sorry
Also I re-edited my post again - so you will get another email with once again different content for my post - I will not do that from now on......


@ironfish1000 commented on GitHub (Jan 11, 2020):

Just so it is in its own post I will repeat what I added to my previous post:

Could I just ask you:

In:
firejail --private --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox &
Is the "&" character needed?

Is there a way to share or make available a folder in the non-sandboxed file system, e.g. Downloads, so that it could be seen by e.g. Firefox running in --private mode? (I thought this was what --whitelist is for but maybe I don't understand this parameter)

Thanks again....


@ghost commented on GitHub (Jan 11, 2020):

Hi again @wpfan1000 No worries, I was just slow to respond earlier. I indeed thought you might have missed cd'ing into the ${HOME}/Downloads directory. As you found out the --get= option transfers the requested file out of the sandbox into your current working dir.

> In:
> firejail --private --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox &
> Is the "&" character needed?

No the '&' here refers to the general way of backgrounding a command so you could enter the following ones in the same terminal. Firejail functionality of the --get= option is not affected by doing that and you can run it from any other command line window as long as the related sandbox is still active.

> Is there a way to share or make available a folder in the non-sandboxed file system eg Downloads so that it could be seen by eg Firefox running in --private mode? (I thought this was what --whitelist is for but maybe I dont understand this parameter)

Ah, I think I see where you might get confused here. Whitelist does work like that, but as the --private option mounts a new /home/user directory, there isn't anything to effectively whitelist from the non-sandboxed filesystem. There are basically two kinds of 'private' sandboxes: one where everything is discarded after shutting down (--private, --private-home=file,directory) and another where specific folders are stored on the filesystem after closing (--private=directory).

$ firejail --private=/home/wpfan1000/my-banking-sandbox --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox

The above would make all files in /home/wpfan1000/my-banking-sandbox available inside the firefox sandbox. If you save your banking PDFs to that folder for instance, they will be there after you close firefox. Hope this clears up any confusion you have in this regard.


@ironfish1000 commented on GitHub (Jan 13, 2020):

Hi, sorry for my late reply and thank you for once again your quick and very helpful support.

Making a folder available inside the sandbox is exactly what I am looking for - thanks for bringing that to my attention :)

When I run:
firejail –private=/home/user/Downloads --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox

I get:
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 7069, child pid 7070
Warning: cleaning all supplementary groups
Child process initialized in 60.52 ms
/bin/bash: –private=/home/user/Downloads: No such file or directory

Parent is shutting down, bye...

I have double checked the path and it should be ok. What am I doing wrong?


@ironfish1000 commented on GitHub (Jan 13, 2020):

Hi,
I tried:
firejail --private=~/Downloads firefox
And that does run Firefox
BUT it has not disabled the addons in Firefox, which I would like to have and I am under the impression that --private does this

I should be more clear about what I am trying to achieve:

I am coming from Windows7, refusing to switch to Windows10, so I switched to Linux :)
In Windows for banking what I used to do is switch to another non-admin user account and use Firefox only in that account for banking.

That way if Firefox in my non-banking account has malicious addons, these addons would not be running in FF in my banking account.

I tried doing the same in Linux but I find it difficult to share files between user accounts.

So when I saw:
"
High security browser setup

Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don't trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration, and an empty home directory.
"

I thought this was exactly what I was looking for because it basically duplicates what I used to do in Windows.

So is there a way to have --private disable all addons and have a directory like Downloads available inside the sandbox?

Thanks again for all your help.


@ironfish1000 commented on GitHub (Jan 13, 2020):

Hello,
I got it working.
Likely it was again some fault of mine, sorry about that.
This time I did not try to delete my previous posts to try to avoid the embarrassment of saying it was not working when it was likely my fault LOL ;)

I used:
firejail --private=~/Downloads --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox

This time the addons were not enabled, etc which is great.

I found that the pdfs I downloaded in the sandbox appeared under:

/home/[user]/Downloads/Downloads

So I see that the path that is specified using --private is a path under which firejail will create folders as needed which is great.

This solution suits me perfectly.

Thank you very much for your professional-quality support and sorry for my misunderstandings and mistakes.

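Pre-flight checks for a launcher wrapping the banking command used in this thread, written as an added example (not code from the thread or from the firejail project). It catches the two pitfalls reported above: an option typed with a Unicode dash ("–private=..."), which the shell hands to firejail as the program to run and produces the "No such file or directory" error seen earlier, and a --private=DIR path that does not exist. Function names are my own.

```shell
#!/bin/sh
# Added example: argument checks run before invoking firejail.

# Return 1 if an argument looks like a firejail long option but does not begin
# with ASCII "--" (en dash, em dash, a single dash, ...).  Such an argument is
# not parsed as an option at all; firejail treats it as the command to run.
check_option_dashes() {
    for arg in "$@"; do
        case "$arg" in
            --*) ;;                                  # well-formed long option
            *private=*|*dns=*|*name=*|*profile=*|*whitelist=*)
                return 1 ;;                          # option-like, bad prefix
        esac
    done
    return 0
}

# Print DIR from the first --private=DIR argument.  Exit 1 when there is no
# such argument (plain --private, or no private option at all).
private_dir_of() {
    for arg in "$@"; do
        case "$arg" in
            --private=*) printf '%s\n' "${arg#--private=}"; return 0 ;;
        esac
    done
    return 1
}

# With --private=DIR firejail mounts DIR as the sandbox home, so files the
# browser saves into its own "Downloads" end up in DIR/Downloads on the host
# (the Downloads/Downloads observation above).  DIR must already exist and be
# writable; refusing early beats a typo silently selecting another directory.
# Note: a literal "~" in DIR (a shell that does not expand ~ after "=") fails
# this check, which is the intended outcome.  A plain --private passes.
check_private_dir() {
    dir=$(private_dir_of "$@") || return 0
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Run both checks, then pass the unchanged argument list to firejail.
# Returns 2 without launching anything when a check fails.
launch_banking() {
    if ! check_option_dashes "$@"; then
        echo "refusing to launch: an option does not start with ASCII --" >&2
        return 2
    fi
    if ! check_private_dir "$@"; then
        echo "refusing to launch: --private=DIR is not an existing writable directory" >&2
        return 2
    fi
    firejail "$@"
}

# Typical call (kept as a comment so sourcing this file runs nothing):
# launch_banking --private="$HOME/Downloads" --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox
```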

@ironfish1000 commented on GitHub (Jan 13, 2020):

PS
I do get one error when firejail starts:

[2020-01-13T15:50:24Z ERROR audio_thread_priority::rt_linux] setrlimit64: 1

Looks like it has something to do with sound which I do not need so I don't think it is an issue - but would it affect the security of the sandbox?


@ghost commented on GitHub (Jan 13, 2020):

> I do get one error when firejail starts:
> [2020-01-13T15:50:24Z ERROR audio_thread_priority::rt_linux] setrlimit64: 1
> Looks like it has something to do with sound which I do not need so I dont think it is an issue - but would it affect the security of the sandbox?

I'm seeing the exact same error message with firefox for quite a while. It does not affect the firejail sandbox security. If you don't need sound you can safely add --machine-id to further improve the security of the sandbox. Have a look at /etc/firejail/firefox-common.profile. The comments inside that file might give you additional hardening options. Instead of adding these on the command line, you can create a separate profile for banking with firefox. Here's an example:

```
# Firejail profile for firefox-banking
# Description: High security Firefox setup for banking

## enable extra hardenings relevant in a banking profile

# DNS (not supported on systemd-resolved setups)
dns 1.1.1.1
dns 9.9.9.9
# ignore dns will ignore any following, but not previously parsed dns option
ignore dns

# noexec ${HOME} breaks DRM binaries - not using DRM in banking profile
noexec ${HOME}

# dir used for system-wide installed webext-addons - not using these in banking profile
nowhitelist /usr/share/webext

# machine-id breaks audio - not using audio in banking profile
machine-id

# no need for netlink protocol in banking profile
protocol unix,inet,inet6

# use a private directory
private ${HOME}/Downloads

# harden private-etc - works fine on most distributions besides CentOS
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg

# Redirect
include firefox.profile

## sandbox name
name banking
```

If you create that file in ~/.config/firejail/firefox-banking.profile you can simplify the startup command for your firefox banking:

$ firejail --profile=firefox-banking firefox

> Thank you very much for your professional-quality support and sorry for my misunderstandings and mistakes.

Very welcome. We all have to keep learning, these are just opportunities to do so. Enjoy!

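A small check of the ordering rule the profile comment above states for `ignore dns` (it silences dns lines parsed after it, not ones parsed before it), added here as an example that is not from the thread or the firejail project. The profile text is constructed for the demonstration, with a deliberately misplaced `dns 8.8.8.8` after `ignore dns`; the function name is my own.

```shell
#!/bin/sh
# Added example: report which dns lines of a profile survive "ignore dns".

# Constructed profile text modelled on the banking profile above, plus one
# dns line placed after "ignore dns" to show the rule in action.
PROFILE_TEXT='# constructed banking profile
dns 1.1.1.1
dns 9.9.9.9
ignore dns
dns 8.8.8.8
private ${HOME}/Downloads
include firefox.profile
name banking'

# dns_lines: read profile lines on stdin and print "keep SERVER" for a dns
# line parsed before "ignore dns" and "drop SERVER" for one parsed after it.
# "include" is not followed, but any dns line an included file sets after the
# ignore would be dropped in the same way.
dns_lines() {
    ignoring=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                     # blank line or comment
            'ignore dns') ignoring=1 ;;              # everything after is silenced
            'dns '*)
                if [ "$ignoring" -eq 0 ]; then
                    printf 'keep %s\n' "${line#dns }"
                else
                    printf 'drop %s\n' "${line#dns }"
                fi ;;
        esac
    done
    return 0
}

# dropped_count: number of dns lines the profile silences; non-zero means a
# dns line is below "ignore dns" and will not take effect.
dropped_count() {
    dns_lines | grep -c '^drop ' || true
}

# Example run (harmless to execute: it only reads the constructed text above):
# printf '%s\n' "$PROFILE_TEXT" | dns_lines
```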

@ghost commented on GitHub (Jan 14, 2020):

I have a similar problem and am frustrated whitelist doesn't work for this.

I have chrome private to ~/jailed/chrome but I want it to be able to save to /media/hddname/chrome_downloads/

whitelist doesn't work.

Moving the private to the hdd is not an option because I have scripts that save opened images and videos through ps and the pathing gets altered if they are opened from inside the jailed chrome.

I would prefer to avoid doing string manipulations with bash lest something else goes wrong too.


@ghost commented on GitHub (Jan 14, 2020):

@alextrekov3307 The google-chrome profile includes chromium-common.profile, which has 'disable-mnt'. That effectively blacklists /media, /mnt, /run/media and /run/mount. Have you tried adding ignore disable-mnt in a .local file yet (or --ignore=disable-mnt on command line)? If you only want access to /media, you can still blacklist /mnt, /run/media and /run/mount individually.


@ghost commented on GitHub (Jan 14, 2020):

@glitsj16 That is an option, but I have many more mounted drives in /media/ so I would have to blacklist each one I assume?


@ghost commented on GitHub (Jan 14, 2020):

> That is an option, but I have many more mounted drives in /media/ so I would have to blacklist each one I assume?

@alextrekov3307 The blacklist option supports globbing (see man firejail - file globbing section). If you can determine a pattern to exclude all your non-needed devices in chrome, something like the below should work:

```
ignore disable-mnt
blacklist /media/hdd[1234]
whitelist /media/hdd5
blacklist /mnt
blacklist /run/media
blacklist /run/mount
```

Or if that is too hard/impossible you could just bind mount the needed device on a custom path outside of those that disable-mnt blacklists. Would be easier I suppose.


@ghost commented on GitHub (Jan 14, 2020):

@glitsj16
So binding /media/hdd5,/media/hdd5 would not work out?


@ghost commented on GitHub (Jan 14, 2020):

@alextrekov3307

> So binding /media/hdd5,/media/hdd5 would not work out?

That option is only available when running as root. I wasn't clear enough. I would use bind mount in /etc/fstab (outside any sandbox) and keep it simple. There is no stored information that the filesystem has been attached by the 'bind' call, so it should be safe. Adding this to /etc/fstab:

/mnt/hdd-to-access-with-firejailed-chrome /fj-chrome-hdd none bind

would make /fj-chrome-hdd accessible in a chrome sandbox by adding whitelist /fj-chrome-hdd.


@rusty-snake commented on GitHub (Jan 15, 2020):

@glitsj16 @alextrekov3307 what about firejail --ignore=disable-mnt --whitelist=/media/what_you_want --blacklist=/mnt --blacklist=/run/mount --blacklist=/run/media chromium?


@ironfish1000 commented on GitHub (Jan 18, 2020):

Hi, original poster here :)

Some of the discussion here is above my head but I am glad that the discussion is taking place and hope it helps people :)

@glitsj16 - Thank you for taking the time to describe a profile for Firefox, I will try that out.

I have been using:

firejail --private=~/Downloads --dns=1.1.1.1 --dns=9.9.9.9 --name=banking firefox

Today I noticed that private firejailed firefox using the above command had remembered cookies from my last session.

With my very limited understanding of how exactly firejail works, and coming from Windows7, where I was using Sandboxie, I was under the impression that using firejailed firefox in private mode would set up a fresh copy of firefox each time, running on a virtual copy of the OS, with default settings, and no special configuration settings etc because I thought those all would be lost when firejail firefox closed.

In other words, firefox would start fresh each time.

But that seems to be not the case, because then it would not remember cookies if that was the case.

If it remembers cookies between sessions, then that must be saved to disk somewhere? If it is saved, where is it saved? In the default installation of firefox?

In that case, is firefox not really being sandboxed?

Now, based on my lack of understanding, I am a little concerned that I am not using firejailed firefox safely to do banking.

Could you tell me a bit more about how things are working? especially why firefox is remembering cookies?

And I have a real noob question - I do realize that firejail's main purpose is to protect the OS from malicious programs by firejailing/sandboxing those programs. (Correct me if I am wrong please)

In my case, I would like to use firejail to protect firefox from malicious addons that are installed in firefox, and possible other malicious code in the OS.

Kind of opposite to what I see as firejail's main purpose...

Therefore is it ok to use private firejailed firefox to do banking?

Thanks ahead of time...


@ghost commented on GitHub (Jan 18, 2020):

@wpfan1000 `--private=~/Downloads` creates a persistent state in that directory. As far as Firefox is concerned Downloads just became its /home/user and it doesn't even know that it's Downloads. It will save everything it wants to, including cookies, there.

I do not know about others but one of the main reasons I use firejail is that I do not want a compromised application giving an attacker (or more likely, attack script) access to personal files or the ability to insert persistent malware affecting the rest of the system.

So if I visit a site containing a JavaScript 0day that enslaves my browser process, I do not want my personal data exfiltrated or my machine fully compromised. Similarly with media players etc.

For your case, firejail is useless. If your system is compromised everything is. You may want to look into QubesOS, just make sure you have a lot of RAM (16+ pref 32+).

BTW firefox addons live in /home/user so `--private=dir` is sufficient to isolate that instance of firefox from addons from any other instance.


@ghost commented on GitHub (Jan 19, 2020):

@wpfan1000 As @alextrekov3307 correctly informed you above on some of your questions, I'll limit my response to the main topic, securing firefox for banking. For brevity's sake you can safely consider using one of the two options described below.

**OPTION A**: **private firejail** `[throw-away edition]`

```
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 --name=banking --private firefox --allow-downgrade --no-remote --safe-mode
```

- resets FF to `factory defaults` on each run.
- FF options used (view all via `firefox --help`):
  - `--allow-downgrade`: avoids issues when changing FF channel (e.g. stable to beta, nightly, ...);
  - `--no-remote`: implies opening a new FF instance (instead of a new window in a - potentially insecure - running instance);
  - `--safe-mode`: disable extensions and themes for this session.
- Preparation work: none.
- FF security level: whatever Mozilla decides to be defaults.
- Where are my PDFs?

```
$ cd /path/on/real/filesystem/where/i/want/to/keep/my/banking/data
$ firejail --get=banking ~/Downloads/foo.pdf
```

If you're happy with Firefox defaults, fine. Then the buck stops here and you can go about your business. If not, you might consider option B.

**OPTION B**: **private firejail** `[persistent edition]`

```
$ firejail --dns=1.1.1.1 --dns=9.9.9.9 --name=banking --private=~/my-banking firefox --allow-downgrade --no-remote
```

- resets FF to `custom defaults` on each run.
- FF options used (view all via `firefox --help`):
  - `--allow-downgrade`: cfr. above;
  - `--no-remote`: cfr. above;
  - **do not** use `--safe-mode` here: your dedicated FF profile likely uses addons that offer extra protection - you don't want those getting disabled.
- Preparation: create a dedicated FF profile.
- FF security level: whatever you decide to be defaults (a.k.a. informed consent).
- Where are my PDFs? With this option your files will permanently stay in `~/my-banking/Downloads` (or whatever path you've set as custom default in your new FF profile) until (re)moved. You can hide these files from other sandboxes by adding `blacklist ${HOME}/my-banking` to your _globals.local_ file.

This will need some additional preparation that can be daunting, time-consuming, etcetera. But at least you know it only needs to be done once (until you're happy with the settings) and you'll learn lots about the inner workings of FF if you're so inclined. Its `--ProfileManager` flag can be used to start off this job. Point the profile to `~/my-banking` (obviously the choice is yours, just remember to adjust it in the start command above). Now is the time to customize FF settings to your liking, including installing addons you deem fit for the goal. There are many guides on how to harden web browsers. Let me just mention [ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js), which has a well-maintained wiki section and active community.

HTH

- - -

William S. Burroughs
_Paranoia sometimes means having better facts_

- - -

**Example filesystem layout**:

```
~/my-banking
├── .mozilla/firefox/
│   ├── dedicated       <-- FF saves a bunch of files here
│   ├── installs.ini
│   └── profiles.ini
└── Downloads
```

**Example files**:

```
$ cat ~/my-banking/.mozilla/firefox/installs.ini
[85DBFE385BFDD8A5]
Default=dedicated

$ cat ~/my-banking/.mozilla/firefox/profiles.ini
[Install85DBFE385BFDD8A5]
Default=dedicated

[Profile0]
Name=dedicated
IsRelative=1
Path=dedicated
Default=1

[General]
StartWithLastProfile=1
Version=2
```
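
The two comments above make one point between them: with `--private=DIR`, that directory *is* the sandbox's home, so whatever Firefox keeps between sessions (cookies, session store, downloads, addons) persists there and nowhere else. The wrapper below is an added example, written for this thread and not code from firejail or from anyone in the discussion. It prepares the `~/my-banking` layout shown in the example files once, refuses to launch if that private home is a symlink or readable by other users, and can report which profile directory the `Default=1` entry in `profiles.ini` points at. The environment variable `BANKING_HOME`, the function names, and the `launch`/`show` sub-commands are this example's own; the profile name `dedicated`, the install id and the DNS servers are taken from the thread as-is (Firefox normally generates its own install id).

```shell
#!/bin/sh
# Added example (not code from the thread or from the firejail project):
# a wrapper around the OPTION B launch command from this thread.
set -eu

BANKING_HOME="${BANKING_HOME:-${HOME:-.}/my-banking}"   # assumed location
PROFILE_NAME="dedicated"          # profile name from the example files above
INSTALL_ID="85DBFE385BFDD8A5"     # install id copied from the example files above

# Create the persistent private home plus the two ini files if they are missing.
# Everything Firefox keeps between sessions lands under this directory, so it is
# created with mode 0700 and nothing inside is readable by other users.
ensure_private_home() {
    umask 077
    mkdir -p "$1/Downloads" "$1/.mozilla/firefox/$PROFILE_NAME"
    chmod 700 "$1"
    if [ ! -f "$1/.mozilla/firefox/profiles.ini" ]; then
        printf '%s\n' "[Install$INSTALL_ID]" "Default=$PROFILE_NAME" "" \
            "[Profile0]" "Name=$PROFILE_NAME" "IsRelative=1" \
            "Path=$PROFILE_NAME" "Default=1" "" \
            "[General]" "StartWithLastProfile=1" "Version=2" \
            > "$1/.mozilla/firefox/profiles.ini"
        printf '%s\n' "[$INSTALL_ID]" "Default=$PROFILE_NAME" \
            > "$1/.mozilla/firefox/installs.ini"
    fi
}

# Print the Path= of the [ProfileN] section that carries Default=1.
# The [Install...] section also has a Default= line, but its value is a
# profile name rather than 1, so it never matches.
default_profile_path() {
    awk -F= '
        /^\[/ { if (isdef && path != "") { print path; found = 1; exit }
                path = ""; isdef = 0; next }
        $1 == "Path"                 { path = $2 }
        $1 == "Default" && $2 == "1" { isdef = 1 }
        END { if (!found && isdef && path != "") print path }
    ' "$1"
}

# Checks before handing the directory to --private=DIR: it must be a real
# directory (a symlink could redirect the sandbox home elsewhere) and must
# not be readable by group or others (ls -ld columns 5-10 are those bits).
check_private_home() {
    if [ -L "$1" ]; then
        echo "refusing symlinked private home: $1" >&2; return 1
    fi
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2; return 1
    fi
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "private home is accessible to other users; run: chmod 700 $1" >&2; return 1
    fi
}

# The OPTION B command, printed on one line for inspection.
banking_cmd() {
    printf 'firejail --dns=1.1.1.1 --dns=9.9.9.9 --name=banking --private=%s firefox --allow-downgrade --no-remote\n' "$1"
}

# Start the sandbox for real (replaces this shell with firejail).
launch_banking() {
    command -v firejail >/dev/null 2>&1 || { echo "firejail is not installed" >&2; return 127; }
    exec firejail --dns=1.1.1.1 --dns=9.9.9.9 --name=banking "--private=$1" \
        firefox --allow-downgrade --no-remote
}

# Usage:  sh banking.sh launch   (prepare, check, then start the sandbox)
#         sh banking.sh show     (print the command and the default profile)
case "${1:-}" in
    launch) ensure_private_home "$BANKING_HOME"
            check_private_home "$BANKING_HOME"
            launch_banking "$BANKING_HOME" ;;
    show)   banking_cmd "$BANKING_HOME"
            echo "default profile: $(default_profile_path "$BANKING_HOME/.mozilla/firefox/profiles.ini")" ;;
esac
```

The permission check is the part worth keeping even if you launch by hand: `--private=DIR` hides the rest of your home from the sandbox, but it does nothing about who else on the machine can read `DIR` itself, and that directory now holds the banking session's cookies.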


@ironfish1000 commented on GitHub (Jan 19, 2020):

@alextrekov3307 - Thank you very much for addressing my question. You raise some good points and I will learn more about firejail to further understand your points.


@ironfish1000 commented on GitHub (Jan 19, 2020):

@glitsj16 - Thank you again for your extensive and timely help. I will need to learn and implement your suggestions - I look forward to doing that :)


@ghost commented on GitHub (Jan 20, 2020):

Closing this as the OP's issue is solved.

Reference: github-starred/firejail#1970