[GH-ISSUE #3318] ungoogled-chromium: Error: no suitable /opt/ungoogled-chromium executable found #2084

Closed
opened 2026-05-05 08:45:28 -06:00 by gitea-mirror · 7 comments

Originally created by @alecStewart1 on GitHub (Apr 5, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3318

[Ungoogled Chromium](https://github.com/Eloston/ungoogled-chromium) is an interesting project. I decided to try it out, and I've already used Chromium before with Firejail so I'd thought I'd try it.

One thing to note if you decide to check it out: it's a pain in the ass to build from source unless you have a powerful computer and your distro is able to install all of its dependencies easily.

Using just a [pre-built binary for "portable linux"](https://ungoogled-software.github.io/ungoogled-chromium-binaries/) and follow these instructions after decompressing the `tar.xz`:

```
Before you run, you must setup your system so the browser's sandboxing will work. There are two options:
* Use the user namespace sandbox. This is the preferred option.
* Use the SUID sandbox. This should be used on systems that do not have support for user namespaces.

How to set up the user namespace sandbox:
If there is no user namespace sandbox, the kernel may be able to be configured to allow user namespaces. The method to enable it varies per system. Sometimes it's enabled by default. If it's not, sometimes sysctl can be used to set kernel.unprivileged_userns_clone to 1. There may also be a way to set it via the /sys partition. Specific instructions should be found online.

How to set up the SUID sandbox:
1. Rename "chrome_sandbox" to "chrome-sandbox"
2. Set the file mode to 4755
3. Set the group to root

RUNNING THE BROWSER

Once the sandbox is set up, the browser can be run by using the "chrome-wrapper" script.

A handy link can be also set up.  For example, and adjusting for your installation directory (/opt, etc), your ungoogled-chromium version and sandboxing arrangement:
sudo ln -s /opt/ungoogled-chromium_xxxxxxx/chrome-wrapper /opt/ungoogled-chromium

ungoogled-chromium could then be simply launched as `/opt/ungoogled-chromium`
```

I can successfully run the `chrome-wrapper` executable. Just running `firejail chrome-wrapper` does nothing, obviously. I create an honestly over the top profile in my `$XDG_CONFIG_HOME/firejail` directory.

```
# Firejail profile for ungoogled-chromium
#
# Persistent global definitions
# added by caller profile
#include globals.local

# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}

noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc

mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
include whitelist-common.inc
include whitelist-var-common.inc

apparmor
caps.keep sys_admin,sys_chroot
machine-id
netfilter
dns 1.1.1.1
dns 1.0.0.1
dns 8.8.8.8
nonewprivs
# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
nodvd
nogroups
noroot
notv
?BROWSER_DISABLE_U2F: nou2f
protocol unix,inet,inet6,netlink
seccomp !chroot
shell none

disable-mnt
private-dev
# private-tmp - problems with multiple browser sessions

# the file dialog needs to work without d-bus
?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
```

that I just named `chrome.profile`, because the process is named `chrome` in htop so fuck it.

Running `firejail --profile=~/.config/firejail/chrome.profile /opt/ungoogled-chromium` returns

```
Error: no suitable /opt/ungoogled-chromium executable found
```

Looking around, I'm not exactly sure what I would do to fix this.


@ghost commented on GitHub (Apr 5, 2020):

> Running firejail --profile=~/.config/firejail/chrome.profile /opt/ungoogled-chromium returns
>
> Error: no suitable /opt/ungoogled-chromium executable found

Is that path correct? I downloaded it and the binary is indeed called `chrome` as htop indicated. So you don't need to use the _--profile_ option. You can try `firejail /opt/ungoogled-chromium/chrome` if that's where you have the big executable.


@alecStewart1 commented on GitHub (Apr 5, 2020):

Well if you read the README bit, it tells you to run the `chrome-wrapper` executable:

```
Once the sandbox is set up, the browser can be run by using the "chrome-wrapper" script.

A handy link can be also set up.  For example, and adjusting for your installation directory (/opt, etc), your ungoogled-chromium version and sandboxing arrangement:
sudo ln -s /opt/ungoogled-chromium_xxxxxxx/chrome-wrapper /opt/ungoogled-chromium
```

Not the `chrome` executable.

**EDIT:**

Well actually just looking at the `chrome-wrapper` executable it's just a shell script that does some things before running the `chrome` executable.


@alecStewart1 commented on GitHub (Apr 5, 2020):

Nope, running `firejail /path/to/ungoogled-chromium-folder/chrome` just returns the same error message

```
Error: no suitable /path/to/ungoogled-chromium-folder/chrome executable found
```

@ghost commented on GitHub (Apr 5, 2020):

I did check the README, but I run a kernel that supports user namespaces so I didn't do the SUID sandbox setup. Copied over the extracted files to /opt/ungoogled-chromium and using firejail's native chromium profile I can start the browser just fine via `firejail --profile=chromium /opt/ungoogled-chromium/chrome`. Didn't have to touch the profiles. Perhaps you can try that and integrate the dns options in a chromium.local file. BTW, what firejail version are you using?


@alecStewart1 commented on GitHub (Apr 5, 2020):

Firejail version is 0.9.62.

I tried both the `chrome-wrapper` and just `chrome` with firejail and both the `google-chrome` and `chromium` profiles. Still the same error.


@ghost commented on GitHub (Apr 5, 2020):

Odd indeed. Can you post the output of a test run using firejail's --debug option please? And throw in a ls of the installed files under /opt, just to rule out permission issues.
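
The checks asked for above (what the launch path really resolves to, and file permissions), plus the sandbox prerequisites from the README quoted in the issue, collected as an added example that is not part of any comment in this thread or of firejail. The function names are hypothetical, and GNU `readlink`, `stat`, `head` and `od` are assumed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not firejail's.

# What does a launch path really point at once symlinks are followed?
# Prints: missing | directory | not-executable | script | elf | other
classify_exec() (
    real=$(readlink -f -- "$1") || { echo missing; exit 0; }
    [ -e "$real" ] || { echo missing; exit 0; }
    [ -d "$real" ] && { echo directory; exit 0; }
    [ -x "$real" ] || { echo not-executable; exit 0; }
    magic=$(head -c 4 -- "$real" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;     # ELF magic, e.g. the chrome binary
        2321*)    echo script ;;  # "#!" shebang, e.g. chrome-wrapper
        *)        echo other ;;
    esac
)

# SUID sandbox helper: mode 4755 as in the README, and owned by root
# (a setuid binary runs with the privileges of its owner).
# Prints: ok | missing | bad-mode:<octal> | bad-owner:<uid>
check_suid_helper() (
    [ -f "$1" ] || { echo missing; exit 0; }
    set -- $(stat -c '%a %u' -- "$1")
    [ "$1" = 4755 ] || { echo "bad-mode:$1"; exit 0; }
    [ "$2" = 0 ] || { echo "bad-owner:$2"; exit 0; }
    echo ok
)

# The sysctl named in the README; the knob exists only on some kernels.
# Prints: enabled | disabled | no-knob
userns_state() (
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$knob" ] || { echo no-knob; exit 0; }
    case "$(cat "$knob")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
)

# Usage: sh preflight.sh LAUNCH_PATH [CHROME_SANDBOX_PATH]
if [ "$#" -gt 0 ]; then
    echo "launch path: $(classify_exec "$1")"
    if [ -n "${2:-}" ]; then echo "suid helper: $(check_suid_helper "$2")"; fi
    echo "userns:      $(userns_state)"
fi
```

With the two layouts described in this thread, a symlink to `chrome-wrapper` reports `script`, while `/opt/ungoogled-chromium` as a directory of extracted files reports `directory`.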


@rusty-snake commented on GitHub (May 6, 2020):

I'm closing here due to inactivity, please feel free to reopen if you still have this issue.
