[GH-ISSUE #3314] keepassxc: ssh-agent feature does not work #2081

Closed
opened 2026-05-05 08:44:58 -06:00 by gitea-mirror · 9 comments

Originally created by @agraven on GitHub (Apr 4, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3314

Using the standard profile for keepassxc in version 0.9.62 causes the ssh-agent functionality to stop working. I'm running Ubuntu 19.10.

gitea-mirror closed this issue and added the `bug` label (2026-05-05 08:44:58 -06:00).

@rusty-snake commented on GitHub (Apr 4, 2020):

Does it work if you allow access to .ssh?

```
nobalcklist ${HOME}/.ssh
# Other things to go.
# ignore machine-id
# ignore private-tmp
# noblacklist blacklist /tmp/ssh-*
# read-write ${HOME}/.ssh/authorized_keys
```

@agraven commented on GitHub (Apr 4, 2020):

Thanks for the quick response! I presume you meant `noblacklist ${HOME}/.ssh`?


@agraven commented on GitHub (Apr 4, 2020):

I tried adding all the suggested directives but nothing seemed to change.

As a side note, fetching favicons from websites also doesn't work because network access is disabled. I don't quite understand the networking settings well enough to figure out how to enable it.


@rusty-snake commented on GitHub (Apr 4, 2020):

Network: use host network namespace; allow AF_INET and AF_INET6 sockets; TLS + DNS files in /etc

```
ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
```

@agraven commented on GitHub (Apr 4, 2020):

Thanks! Would this be worth adding commented out to keepassxc.profile with a comment explaining what enabling them does? I'll gladly make a PR for that if so.


@rusty-snake commented on GitHub (Apr 4, 2020):

Some users probably want to fetch favicons inside keepassxc. Even if internet access relaxes the sandbox and keepassxc is only a blacklisting profile due to #2874.

I make it whitelisting like this; then you have to save the database in `~/Documents/KeePassXC`:

`disable-programs.local`:

```
blacklist ${HOME}/Documents/KeePassXC
```

`keepassxc.local`:

```
noblacklist ${HOME}/Documents/KeePassXC

mkdir ${HOME}/.config/keepassxc
mkdir ${HOME}/.keepassxc
mkdir ${HOME}/Documents/KeePassXC
whitelist ${HOME}/.config/keepassxc
whitelist ${HOME}/.keepassxc
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Documents/KeePassXC
include whitelist-common.inc
```

@rusty-snake commented on GitHub (Apr 5, 2020):

Back to the ssh-agent. Is anything in the journal?


@rusty-snake commented on GitHub (Jun 4, 2020):

I'm closing here due to inactivity, please feel free to reopen if you still have this issue.

#3329 is still open.


@ShellCode33 commented on GitHub (Nov 30, 2023):

```
noblacklist ${HOME}/.ssh
ignore private-tmp
noblacklist /tmp/ssh-*
```

Seems to be enough, thanks 👍

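An added example (not part of the thread and not firejail project code) that works out which overrides a `keepassxc.local` needs for given paths to stay visible in the sandbox: `private-tmp` mounts an empty tmpfs over `/tmp`, and `blacklist` hides matching paths. The sample profile is constructed from the directives that the overrides in this thread imply; `overrides_for` and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: list the overrides a keepassxc.local would need so that
# the given paths (agent socket, key files) stay visible in the sandbox.

# Constructed sample: the directives that the overrides in this thread imply
# exist in the stock keepassxc profile and the files it includes.
SAMPLE_PROFILE='blacklist ${HOME}/.ssh
blacklist /tmp/ssh-*
private-tmp
net none'

# overrides_for PROFILE_TEXT PATH...
# Prints one override per directive that would hide any of the PATHs.
overrides_for() {
    profile=$1; shift
    for path in "$@"; do
        printf '%s\n' "$profile" | while read -r directive arg; do
            case $directive in
                blacklist)
                    # Profiles write the home directory as ${HOME}; expand it.
                    pat=$(printf '%s\n' "$arg" | sed "s|^\${HOME}|$HOME|")
                    # Unquoted $pat keeps its glob meaning (e.g. /tmp/ssh-*).
                    case $path in
                        $pat|$pat/*) echo "noblacklist $arg" ;;
                    esac ;;
                private-tmp)
                    # private-tmp replaces /tmp with an empty tmpfs.
                    case $path in /tmp/*) echo "ignore private-tmp" ;; esac ;;
            esac
        done
    done | LC_ALL=C sort -u
}

# Constructed inputs: an agent socket under /tmp and a key file on disk.
overrides_for "$SAMPLE_PROFILE" \
    "/tmp/ssh-XXXXaBcDeF/agent.1234" "$HOME/.ssh/id_ed25519"
```

Passing the real value of `$SSH_AUTH_SOCK` as a path shows whether the `/tmp` overrides are needed at all; a socket outside `/tmp` yields no `private-tmp` override.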
Reference: github-starred/firejail#2081