[GH-ISSUE #3308] Question on private-bin & Hyperlinking #2077

Closed
opened 2026-05-05 08:44:45 -06:00 by gitea-mirror · 17 comments

Originally created by @svc88 on GitHub (Mar 30, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3308

I'm experimenting with QuiteRSS and if I use the default profile as is, I am unable to open links in Firefox.
If I

A: comment out `private-bin quiterss` from quiterss.profile
or
B: run quiterss with `--ignore=private-bin`

then I am able to open the links in Firefox.

What is the significance of ignoring private-bin and hyperlinks working after that?
What does private-bin actually do?
Why is this happening?
I know you will tell me that to be safe, it's better to copy and paste the link, but for some apps such as QuiteRSS convenience is needed when clicking on 100 links per day. If I run any app with `--ignore=private-bin`, what security implications are there?
Why did hyperlinking in firejail break after Firefox version 67.0, as per https://github.com/netblue30/firejail/issues/2720?

In any app I run with firejail, hyperlinking is broken.

I'm sorry, I don't know much about private-bin and where the file is because I cannot find it. Is it generated on container creation? There is not much information on this in the wiki.

firejail version: 0.9.62
Xubuntu 18.04

PS: Firefox is NOT firejailed when doing this. New Firefox installation & profile.


@rusty-snake commented on GitHub (Mar 30, 2020):

If you set for example `private-bin foo,bar,baz` in your profile, then firejail will check whether foo, bar and baz exist. Then it creates a tmpfs over /bin, /usr/bin, /sbin, ... and bind-mounts all the programs it has found (vaguely).

Why is that good? It restricts the available programs; for example, if an attacker knows a vulnerability in quiterss which allows him to execute various shell commands but there is no bash, no ls, no curl, he can't exploit it.

> There is not much information on this in the wiki.

Also look at the manpage.

If it works with `ignore private-bin`, it is maybe enough to add firefox (or whatever) to private-bin: `firejail --private-bin=firefox quiterss`.


@svc88 commented on GitHub (Mar 30, 2020):

I see, thanks for the clarification @rusty-snake

I did try with
`private-bin quiterss,firefox`
I even tried with
`private-bin quiterss,firefox,xdg-open,exo-open`
and it won't open the hyperlinks.
Is there any other executable it uses for hyperlinks? There is no error in the log I'm generating.

Could you try to reproduce?


@rusty-snake commented on GitHub (Mar 30, 2020):

Start quiterss with this and open a link: `firejail --build quiterss | grep private-bin`


@svc88 commented on GitHub (Mar 30, 2020):

![2020-03-30](https://user-images.githubusercontent.com/55964719/77906287-fe404e00-7287-11ea-82b5-f18b0f279a0c.png)
I see that the executable for firefox is a link to a firefox.sh file.
Do you think maybe that's why there's an issue?


@rusty-snake commented on GitHub (Mar 30, 2020):

firefox.sh will need a shell.


@svc88 commented on GitHub (Mar 30, 2020):

> firejail --build quiterss | grep private-bin

This opens links now but I don't see any output in the terminal or in a generated log file.

> firefox.sh will need a shell

I used:
`private-bin quiterss,sh,firefox.sh,bash,firefox`
Still won't open links.


@rusty-snake commented on GitHub (Mar 30, 2020):

No output? OK, then try `firejail --build firefox | grep private-bin`.


@svc88 commented on GitHub (Mar 30, 2020):

```
firejail --build firefox | grep private-bin
Sandbox: SandboxReporter: packet too short (32 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
```

And I tried in a different terminal while opening a link:
`firejail --build quiterss | grep private-bin`
no output


@svc88 commented on GitHub (Mar 30, 2020):

So now I got this:
`Error: cannot open whitelist-common.inc`
in the terminal when closing QuiteRSS after that.


@rusty-snake commented on GitHub (Mar 30, 2020):

OK, then run `firejail --trace=quiterss.trace quiterss` and after that `grep -oE " /usr/bin//?[^/:]+" quiterss.trace | sort -u`.

Alternatively, go through firefox.sh and select every program.

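As an added example (not code from the thread or from the firejail project), the following POSIX shell snippet automates the two checks discussed above: it turns a `--trace` log into a candidate `private-bin` line the way the grep above does, extended to all the bin directories private-bin covers, and it reports which names in a private-bin list are absent from PATH, which is the existence check rusty-snake describes. The trace lines are constructed sample data, and the assumption is that a trace log mentions executed programs as absolute paths such as ` /usr/bin/which`.

```shell
#!/bin/sh
# Added example, not code from the firejail project. Assumption: a
# firejail --trace log records programs as absolute paths, for example
# " /usr/bin/which", which is the pattern the thread greps for.

# Constructed sample trace text (not real firejail output).
SAMPLE_TRACE='1:quiterss:execve /usr/bin/quiterss
2:quiterss:execve /usr/bin//firefox
3:sh:execve /bin/sh
4:sh:execve /usr/bin/which
5:sh:open /usr/bin/which
6:quiterss:open /usr/share/icons/hicolor/index.theme
7:quiterss:open /home/user/.config/QuiteRss/QuiteRss.ini'

# Emit a candidate "private-bin a,b,c" line from trace text ($1): keep
# paths under /bin, /sbin, /usr/bin and /usr/sbin (the directories
# private-bin replaces with a tmpfs), reduce them to basenames, dedupe.
trace_to_private_bin() {
  printf '%s\n' "$1" \
    | grep -oE ' /(usr/)?s?bin//?[^/: ]+' \
    | sed -E 's#.*/##' \
    | sort -u \
    | tr '\n' ',' \
    | sed 's/,$//; s/^/private-bin /'
}

# Print the names in a comma-separated private-bin value ($1) that are
# not found in PATH. firejail only bind-mounts programs it can find, so
# a misspelled name (or "firefox.sh" given instead of "firefox") means
# that program is simply not in the sandbox.
private_bin_missing() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
    [ -n "$name" ] || continue
    if ! command -v "$name" >/dev/null 2>&1; then
      printf '%s\n' "$name"
    fi
  done
}

# Flag listed programs that resolve to scripts: a script pulls in its
# interpreter (firefox.sh needs sh), which must then also be listed.
private_bin_scripts() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
    path=$(command -v "$name" 2>/dev/null) || continue
    path=$(readlink -f "$path")
    if [ "$(head -c 2 "$path" 2>/dev/null)" = '#!' ]; then
      printf '%s -> %s\n' "$name" "$(head -n 1 "$path")"
    fi
  done
}
```

Running `private_bin_scripts "quiterss,firefox,sh,which"` on an Ubuntu host with a packaged Firefox shows why `sh` ended up in the final list: firefox resolves to a shell script.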

@svc88 commented on GitHub (Mar 30, 2020):

Thanks @rusty-snake
OK, so I went into firefox.sh and literally used every single executable: export, exec, exit, break, etc.

It came down to it needing only the following to make hyperlinks work again:
`private-bin quiterss,firefox,sh,which`

All the other executables that were not included: does that mean firefox.sh wouldn't run entirely correctly if I leave them out and only use `firefox,sh,which`?


@rusty-snake commented on GitHub (Mar 30, 2020):

> export, exec, exit, break,

Those are all shell builtins. I downloaded the firefox.deb for Ubuntu and came to this: `sh,which,readlink,dirname,sed,basename,gdb,valgrind`
sed is only used for the usage output and basename, gdb, valgrind only for debugging. For readlink and dirname I'm not sure, but if you see no warnings in the terminal it should be ok. In the worst case firefox can't start.


@svc88 commented on GitHub (Mar 30, 2020):

Well, I never start firefox by opening a link from quiterss. So only when firefox is already open will I open a link, and it seems to open the tab fine so far.
Just wondering (because a system installation of firefox is using a stupid shell script to run and not just its executable): can I use the portable version `https://ftp.mozilla.org/pub/firefox/releases/74.0/linux-x86_64/en-GB/firefox-74.0.tar.bz2` with firejail? Do you think it's safer to use that without sh, which, etc.?


@rusty-snake commented on GitHub (Mar 31, 2020):

Fedora and Arch are also using shell scripts to start firefox.

> can i use the portable version https://ftp.mozilla.org/pub/firefox/releases/74.0/linux-x86_64/en-GB/firefox-74.0.tar.bz2 with firejail,

You mean like this: https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#mozilla-firefox-opt-install

> do you think its safer to use that without sh,which, etc.

For quiterss yes, because there is no shell.
For firefox no, because Mozilla's binaries have no PIE.


@rusty-snake commented on GitHub (May 6, 2020):

I'm closing here due to inactivity, please feel free to reopen if you have more questions.


@gasull commented on GitHub (Nov 15, 2021):

The suggested solutions didn't work for me on Debian 11. For anybody landing here, this is what I put in my `~/.config/firejail/quiterss.profile`:

```
ignore private-bin
ignore blacklist ${PATH}/dash
ignore blacklist ${PATH}/sh
include /etc/firejail/quiterss.profile
```

@rusty-snake commented on GitHub (Nov 15, 2021):

> `~/.config/firejail/quiterss.profile`:
>
> ```
> ignore private-bin
> ignore blacklist ${PATH}/dash
> ignore blacklist ${PATH}/sh
> include /etc/firejail/quiterss.profile
> ```

The prettier way: `~/.config/firejail/quiterss.local`

```
ignore private-bin       <--- maybe private-bin foo,bar works too
include allow-bin-sh.inc
```