[GH-ISSUE #3329] keepassxc: please provide more options or more guidance #2091

Open
opened 2026-05-05 08:45:46 -06:00 by gitea-mirror · 47 comments

Originally created by @BillDietrich on GitHub (Apr 8, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3329

Expected behavior
There are several ways or desired ways of using KeePassXC:

  • with or without browser extension
  • with or without allowing the app to check for updates
  • with or without app acting as a secret service
  • with or without app acting as an SSH agent
  • with or without app being able to auto-type characters to another app

Please provide comments in the KeePassXC profile, or additional profiles, to support each of these choices. For example, I would like to run the app without browser extension, without update-checking, with secret service, with SSH agent, with auto-type. I think that means I could run with all network access disabled, but dbus has to be enabled? Not sure. I want to lock down KeePassXC as tightly as possible given these choices. Please provide more commented sections in the profile, or more profiles, or something, to aid in this. Thanks.

Desktop:

  • Linux Mint 19.3 Cinnamon with 5.3 kernel
  • Firejail version 0.9.62

Additional context
KeePassXC 2.5.3

gitea-mirror added the question label 2026-05-05 08:45:46 -06:00

@ghost commented on GitHub (Apr 8, 2020):

> I think that means I could run with all network access disabled, but dbus has to be enabled? Not sure.

Network access is already disabled via `net none` and `protocol unix,netlink`. What happens when you try with `nodbus`? Does that give you the desired setup? We can add comments later, no problem. But IMO it would create more confusion if we offered individual keepassxc profiles that accommodated all permutations you mention. But let's try to find your favorite setup first, okay?


@BillDietrich commented on GitHub (Apr 8, 2020):

In the default configuration (`nodbus` commented out), neither clicking on a URL in KeePassXC nor auto-type using ctrl+shift+U works. I want them to work. So maybe my focus on dbus is wrong; something else needs to be changed or commented to change.


@BillDietrich commented on GitHub (Apr 8, 2020):

You're right, in the default configuration, update-checking fails saying update error. So maybe add a comment saying "change this if you want update-checking to work".


@rusty-snake commented on GitHub (Apr 9, 2020):

FYI: #3314

> or additional profiles,

The issue here is, how to select the profile. IMHO we have two options

  1. comments (like thunderbird)
  2. `.inc`s (like feh)

> You're right, in the default configuration, update-checking fails saying update error. So maybe add a comment saying "change this if you want update-checking to work".

Almost all profiles do not support updates, because updates are usually installed via apt, dnf, ….

> clicking on an URL in KeePassXC

You will need to allow firefox to

  • read its profile, see thunderbird.profile (on master)
  • communicate to the running firefox (sometimes dbus)
  • be present in the sandbox: `private-bin firefox` (and maybe more #3308)

If you use chrome or something else, it is the same point.


@BillDietrich commented on GitHub (Apr 9, 2020):

> Almost all profiles do not support updates, because updates are usually install via apt, dnf, ….

I guess updates and update-checking are separate. Maybe add a comment to the profile saying "if you want update-checking to work, un-comment the following:"


@BillDietrich commented on GitHub (Apr 9, 2020):

> clicking on an URL in KeePassXC

I am not running the browser (Firefox) under Firejail. If I run KeePassXC without Firejail, clicking URLs and auto-typing work. If I run KeePassXC under Firejail, they fail. So I think the issue is with the KeePassXC profile.


@rusty-snake commented on GitHub (Apr 9, 2020):

> So I think the issue is with the KeePassXC profile.

Yes, it is. KPXC will start your default handler for e.g. `https://`, which is firefox. But it has no access to it (`private-bin`), and firefox then has no access to its profiles (`blacklist ${HOME}/.mozilla`). The things I described above need to be added to the keepassxc.profile.


@rusty-snake commented on GitHub (Apr 9, 2020):

Try this keepassxc.local

```
noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin
```

@BillDietrich commented on GitHub (Apr 9, 2020):

I added those lines in keepassxc.local, and with KeePassXC running in Firejail:

  • if I click a URL in KeePassXC, after 5+ seconds I get a dialog "Your Firefox profile cannot be loaded. It may be missing or inaccessible."

  • if I auto-type in KeePassXC (ctrl+shift+U on an entry), I get the same error.

So do I have to run Firefox inside Firejail for this to work? I'm running Firefox without Firejail.


@rusty-snake commented on GitHub (Apr 9, 2020):

Is firefox running at this time? Are there any other modifications on the keepassxc profile/local?


@BillDietrich commented on GitHub (Apr 9, 2020):

Yes, FF is running. No, nothing else but comments in keepassxc.local

A year ago I was messing with my keepassxc.profile, but I think by now it's been overwritten by latest standard version. ls says it's 1383 bytes, Dec 30 2019 20:40 keepassxc.profile


@BillDietrich commented on GitHub (Apr 9, 2020):

What does "be present in the sandbox: `private-bin firefox`" in a previous comment mean? I'm not running FF inside Firejail.


@rusty-snake commented on GitHub (Apr 9, 2020):

keepassxc will call `/usr/bin/firefox <URL>` (or wherever firefox is in $PATH). firefox will then detect that it is already running and use D-Bus (firefox-wayland) or something else (direct IPC?) to tell the running firefox to open `<URL>`.

firejail's `private-bin` option restricts the content of /bin, /usr/bin, … to the listed programs. (If you just add firefox to the list, keep in mind that /usr/bin/firefox is often a shell script).


@MrFrank17 commented on GitHub (Nov 6, 2020):

Comment about the ssh-agent issue.
Proposed in the linked issue above were these changes:

```
noblacklist ${HOME}/.ssh
# Other things to go.
# ignore machine-id
# ignore private-tmp
# noblacklist /tmp/ssh-*
# read-write ${HOME}/.ssh/authorized_keys
```

For me the first line was not enough, I had to comment in all lines (haven't checked if a subset might be enough, though).


@BillDietrich commented on GitHub (Jun 14, 2021):

> Try this keepassxc.local
>
> ```
> noblacklist ${HOME}/.mozilla
> read-only ${HOME}/.mozilla
> ignore private-bin
> ```

Trying again. Now I'm in Fedora 34 KDE with X. I did the keepassxc.local changes you gave. I run "firejail --debug keepassxc DBNAME", open database, click on a link, get this on CLI:

Launch failed (/usr/bin/xdg-open THELINKURL)

Now I'm using KeePassXC 2.6.4 with Firejail 0.9.64.4. KeePassXC and Firefox are natively installed; no appimage, snap, flatpak. KP works fine if Firejail is not used. I also filed https://github.com/keepassxreboot/keepassxc/issues/6637


@rusty-snake commented on GitHub (Jun 14, 2021):

> I also filed keepassxreboot/keepassxc#6637

If `firejail --noprofile keepassxc` works, it's a firejail issue.

> Launch failed (/usr/bin/xdg-open THELINKURL)

Good to know, that xdg-open is used. xdg-open is a shell-script, try

```
include allow-bin-sh.inc
ignore private-bin
```

@rusty-snake commented on GitHub (Jun 14, 2021):

FWIW there has been done some more on "open-links-from-firejailed-applications" since [9 Apr 2020](https://github.com/netblue30/firejail/issues/3329#issuecomment-611467970). #3919 and #3471 and #3881.

  • A summary for firefox under wayland: https://github.com/netblue30/firejail/issues/3471#issuecomment-646582480
  • firejail url handler: https://github.com/glitsj16/firejail-handler-http and https://github.com/glitsj16/firejail-handler-extra.
  • Workarounds using `systemd-run` (https://github.com/netblue30/firejail/issues/3881#issuecomment-805760626)
  • Workarounds using desktop portals (https://gist.github.com/rusty-snake/5104dc53ce3e52eef86cc34d359aa10e)

@BillDietrich commented on GitHub (Jun 14, 2021):

KP works fine with --noprofile.

I changed keepassxc.local to be:

```
noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin
include allow-bin-sh.inc
```

And KP fails differently now. When I click on a link, instead of an error on the CLI, I get an error dialog from "KIO Client" saying "unknown host: THEURL host name not found" or words to that effect.


@rusty-snake commented on GitHub (Jun 14, 2021):

Looks like KIO is involved in some way (inside the sandbox) and wants internet access:

```
ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
```

@BillDietrich commented on GitHub (Jun 14, 2021):

Okay, now keepassxc.local is:

```
noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin
include allow-bin-sh.inc
ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
```

and when I click on a link, I get a dialog saying "Your Firefox profile could not be loaded, it may be missing or inaccessible". But I have an instance of FF running in the background. Without Firejail on KeePassXC, links will open in FF just fine.


@rusty-snake commented on GitHub (Jun 14, 2021):

If `firejail --profile=keepassxc ls ~/.mozilla` works fine, we need to focus on dbus? seccomp? ...? If it does not work we need to focus on filesystem commands (`(no)blacklist`, `whitelist` (should be all commented), `read-only`, ...).


@BillDietrich commented on GitHub (Jun 14, 2021):

```
firejail --profile=keepassxc ls ~/.mozilla
```

works, it lists the dir. I guess I'll try commenting out all dbus stuff in keepassxc.profile?


@BillDietrich commented on GitHub (Jun 14, 2021):

It's something in disable-programs.inc that's doing it. If I comment out the include for that, KP works. Have to get back to a clean state and make just that change, re-verify.


@BillDietrich commented on GitHub (Jun 14, 2021):

Okay, so it's working with stock keepassxc.profile BUT with disable-programs.inc commented out, AND with keepassxc.local containing:

```
ignore private-bin
include allow-bin-sh.inc
ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
```

@rusty-snake commented on GitHub (Jun 14, 2021):

Then you can fiddle around with `--build`, `--trace`, `--tracelog` or do a binary search in disable-programs.inc (I guess this is caused by the KIO stuff that wants internet).


@BillDietrich commented on GitHub (Jun 14, 2021):

Running with `--trace` shows a suspicious message "20:keepassxc:mkdir /run/user/1000:-1". 1000 is my userid. How can I allow access to that dir? Or maybe that's the wrong idea.

The lines from --trace when I click a link are:

```
20:keepassxc:mkdir /run/user/1000:-1
20:keepassxc:access /usr/bin/xdg-open:0
Cannot open trace log file: No such device or address
```

@rusty-snake commented on GitHub (Jun 14, 2021):

It's very very very likely accessible from inside the sandbox. This line just says that `mkdir("/run/user/1000", ...)` returned `-1` (likely with `EEXIST`, but for that you need to run `firejail --allow-debuggers --maybe-something-else --profile=keepassxc strace --strace-args /usr/bin/keepassxc`).


@BillDietrich commented on GitHub (Jun 14, 2021):

There is a sizable (5-second ?) pause between the trace line "xdg-open" and the line "Cannot open trace log file". I wonder if some kind of mime-type or protocol-handler lookup is failing. But I don't see anything named "xdg*" or "kio*" or other relevant names in disable-programs.inc


@rusty-snake commented on GitHub (Jun 14, 2021):

If a program crashes, the last (to all) lines of `--trace` are missing, so my guess is that it's not flushed on every write.


@BillDietrich commented on GitHub (Jun 14, 2021):

Okay, I'm confused about something. disable-programs.inc is full of `blacklist` statements. I copied it to disable-programs.local and changed every `blacklist` to `noblacklist`. I thought that would negate every line in disable-programs.inc, but it didn't (KP still doesn't work). How do I negate a `blacklist` line?


@rusty-snake commented on GitHub (Jun 14, 2021):

Assuming disable-programs.local is included (no typo or so, check top of `--debug`) it's maybe IDK. I don't think there's a hardcoded limit of noblacklists, and globbing should work too. 😕 You can try to `ignore blacklist PATH` instead.


@BillDietrich commented on GitHub (Jun 14, 2021):

Okay, here's a good one:
  • `--trace` fails
  • `--debug` works
  • `--trace=xxx.txt` works


@BillDietrich commented on GitHub (Jun 14, 2021):

Okay, looks like Firefox is being launched inside the KP firejail, so adding this to keepassxc.local made it work:

```
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
```
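The question earlier in this thread of how to negate a `blacklist` line, and the finding just above that `noblacklist ${HOME}/.mozilla` alone still leaves `${HOME}/.cache/mozilla` blocked, both come down to how Firejail orders `.local` overrides, `ignore` and `noblacklist`. The following is an added Python model of those rules for working through such a profile offline; it is not Firejail's code and not from this thread, and the profile tree and `/home/user` are constructed, cut down to the lines that matter here.

```python
"""Model of how Firejail resolves a profile plus its .local overrides.

Constructed example, not Firejail's own code. It implements the three rules
this thread turns on, as described in firejail-profile(5):
  * `include FILE` splices FILE in at that point; `foo.local` is included at
    the top of `foo.profile`, so its lines run before everything else.
  * `ignore CMD` drops every later line whose leading words equal CMD:
    `ignore private-bin` drops all private-bin lines, while
    `ignore blacklist ${HOME}/.cache/mozilla` drops only that one line.
  * `noblacklist PATH` exempts PATH from any *later* `blacklist PATH`;
    a noblacklist placed after the blacklist has no effect.
Simplification: paths are compared exactly after ${HOME} expansion (no globs).
"""
from typing import Dict, List

HOME = "/home/user"  # constructed home directory used for ${HOME} expansion


def expand(text: str) -> str:
    return text.replace("${HOME}", HOME)


def resolve(name: str, files: Dict[str, str]) -> List[str]:
    """Return the effective directives of profile `name`, in order.

    `files` maps file names to contents and stands in for /etc/firejail; an
    include of a missing file is skipped, as Firejail does for absent .local files.
    """
    ignored: List[str] = []
    exempt: set = set()
    effective: List[str] = []

    def in_ignore_list(line: str) -> bool:
        # Mirrors Firejail's is_in_ignore_list(): prefix match that must end
        # at the end of the line or at a space (whole-word match).
        for ign in ignored:
            if line.startswith(ign) and line[len(ign):len(ign) + 1] in ("", " "):
                return True
        return False

    def walk(fname: str) -> None:
        for raw in files.get(fname, "").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("ignore "):
                ignored.append(line[len("ignore "):].strip())
            elif in_ignore_list(line):
                continue
            elif line.startswith("include "):
                walk(line[len("include "):].strip())
            elif line.startswith("noblacklist "):
                exempt.add(expand(line[len("noblacklist "):].strip()))
            elif line.startswith("blacklist "):
                path = expand(line[len("blacklist "):].strip())
                if path not in exempt:  # an earlier noblacklist wins
                    effective.append(f"blacklist {path}")
            else:
                effective.append(expand(line))

    walk(name)
    return effective


def is_blacklisted(path: str, effective: List[str]) -> bool:
    return f"blacklist {expand(path)}" in effective


# Constructed stand-in for /etc/firejail, cut down to the lines that matter.
PROFILES: Dict[str, str] = {
    "keepassxc.profile": (
        "include keepassxc.local\n"
        "include disable-programs.inc\n"
        "net none\n"
        "protocol unix,netlink\n"
        "private-bin keepassxc\n"
        "seccomp\n"
    ),
    "disable-programs.inc": (
        "include disable-programs.local\n"
        "blacklist ${HOME}/.cache/mozilla\n"
        "blacklist ${HOME}/.mozilla\n"
        "blacklist ${HOME}/.ssh\n"
    ),
}


def with_local(local_text: str) -> List[str]:
    """Resolve keepassxc.profile with `local_text` as its keepassxc.local."""
    files = dict(PROFILES)
    files["keepassxc.local"] = local_text
    return resolve("keepassxc.profile", files)


if __name__ == "__main__":
    # The .local from the thread: ~/.mozilla becomes readable, but the separate
    # blacklist on ~/.cache/mozilla is untouched, matching the symptom above.
    eff = with_local("noblacklist ${HOME}/.mozilla\nread-only ${HOME}/.mozilla\nignore private-bin\n")
    for p in ("${HOME}/.mozilla", "${HOME}/.cache/mozilla"):
        print(f"{p}: blacklisted={is_blacklisted(p, eff)}")
```

Run it against the real `/etc/firejail` tree by loading the files into the `files` dict; the output of `firejail --debug` remains the authoritative answer, since globs and other directives are not modelled.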

@rusty-snake commented on GitHub (Jun 14, 2021):

> looks like Firefox is being launched inside the KP firejail

That's true, but if firefox is already running (in its own sandbox) it usually communicates to this instance to open a new tab/window. At least until now this worked without access to its cache. ... anyway


@BillDietrich commented on GitHub (Jun 14, 2021):

Didn't mean to close the issue; can it be re-opened, please?


@BillDietrich commented on GitHub (Jun 14, 2021):

Confirmed that noblacklist of .cache is needed if an instance of FF is running already. Will check case where FF is not already running.


@rusty-snake commented on GitHub (Jun 14, 2021):

> Will check case where FF is not already running.

Then FF will start in the KPXC sandbox and totally fail because of seccomp, tracelog, blacklist /usr/libexec, ...


@BillDietrich commented on GitHub (Jun 14, 2021):

Yes, checked case where FF is not already running, and it dies horribly. Browser window opens but never loads the page, underneath it seems to be copying my FF profile, and then FF crashes. Is this a known limitation of Firejail or something?


@BillDietrich commented on GitHub (Jun 15, 2021):

So, I have it working if FF is default browser and an instance is running and click on a link in KP. But can't do same with either Brave browser or ungoogled-chromium. I tried noblacklist of all their config stuff, but still they're failing silently if they're default browser and a browser instance is running and then I click on a link in KP.


@rusty-snake commented on GitHub (Jun 15, 2021):

For chrom* you need to `noblacklist` their paths and at least I guess

```
ignore caps.drop all
caps.keep sys_admin,sys_chroot
ignore nonewprivs
ignore noroot
ignore protocol
ignore seccomp
ignore seccomp.block-secondary
ignore tracelog
```

@rusty-snake commented on GitHub (Jun 15, 2021):

> Is this a known limitation of Firejail or something ?

Without workarounds (https://github.com/netblue30/firejail/issues/3329#issuecomment-860897740), firefox is started in the keepassxc sandbox. If there is a running firefox instance, firefox just does early startup tasks (parse commandline, find profile, ...) and communicates to the running instance. If not, it does a full startup inside the kpxc sandbox. Starting program A in the sandbox made for program B will fail if A requires a permission that is blocked (because B does need it).


@BillDietrich commented on GitHub (Jun 15, 2021):

Okay, the chrom* statements you gave me sort-of worked. If Brave or ungoogled-chromium is default browser and an instance is running, clicking on a link in KP opens another instance of the browser (should use existing instance) and shows some error messages about unable to read profile and want to restore session, but does open the right page. I think if no instance is running and click on a link, instance is launched and page loaded with no error dialogs.


@BillDietrich commented on GitHub (Jun 15, 2021):

> firefox is started in the keepassxc sandbox

Yes, this seems to be a key lack in Firejail. There should be some directive to say "launch-outside-sandbox xdg-open" or something. So whenever KeePassXC or anything launches xdg-open, xdg-open is run outside sandbox, and browser ends up getting launched outside.


@rusty-snake commented on GitHub (Jun 15, 2021):

> There should be some directive to say "launch-outside-sandbox xdg-open" or something.

You can use `systemd-run` for that (see workarounds above), but why do you want to use a sandbox with an escape feature? I would not call this a sandbox anymore.

Related: #3785

> So whenever KeePassXC or anything launches xdg-open, xdg-open is run outside sandbox, and browser ends up getting launched outside.

See xdg-open.c or firejail-handler-http workarounds above.


@BillDietrich commented on GitHub (Jun 15, 2021):

> You can use systemd-run

Would that mean changing the source code of KeePassXC to do that ? I'm a user, not the dev.

> Why do you want to use a sandbox with escape feature?

The "escape" would be limited to "send this URL out to be opened in whatever app is supposed to be able to open it".


@rusty-snake commented on GitHub (Jun 15, 2021):

> Would that mean changing the source code of KeePassXC to do that ? I'm a user, not the dev.

One option, however we can not add such firejail support in every app. Therefore it needs to be somewhere else. And `systemd-run` allows you to start _everything_ outside of the sandbox.

> The "escape" would be limited to "send this URL out to be opened in whatever app is supposed to be able to open it".

👍 That's already possible with xdg-open.c or firejail-handler-http.


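The `systemd-run` hand-off discussed in the two comments above, written out as a drop-in `xdg-open` for the sandbox. This is an added example, not code from firejail or KeePassXC and not the xdg-open.c or firejail-handler-http workarounds referenced earlier in the thread. It assumes a running `systemd --user`, a firejail profile whose `dbus-user` setting lets the sandbox reach the session bus (i.e. not `dbus-user none`), and that the script is the first `xdg-open` on the sandbox's `PATH`. The `SYSTEMD_RUN` variable is an assumption of this example so the hand-off can be tested without launching anything.

```shell
#!/bin/sh
# Added example (not firejail's or KeePassXC's code): an `xdg-open` stand-in for
# use INSIDE a firejail sandbox. It validates the URL KeePassXC hands it, then
# asks the user's systemd instance (over the session bus) to spawn the real
# xdg-open as a transient unit, so the browser starts OUTSIDE the sandbox.
# Assumptions: `systemd --user` is running and the profile does not use
# `dbus-user none`; SYSTEMD_RUN is overridable only for testing.

SYSTEMD_RUN="${SYSTEMD_RUN:-systemd-run}"

# Only plain http(s) URLs are forwarded. file://, javascript:, custom schemes,
# strings starting with '-' (which a browser could parse as an option), and
# anything containing whitespace or control characters are refused, because
# whatever runs outside the sandbox has the user's full privileges.
validate_url() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:][:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# Validate, then hand off. Returns 2 on a refused URL so the caller can tell a
# policy refusal from a systemd-run failure. The URL is passed as a single
# argument (never through eval), so '&', ';' or quotes in it cannot become
# shell syntax. --collect unloads the transient unit even if it fails, so
# failed launches do not pile up in `systemctl --user`.
open_outside_sandbox() {
    if ! validate_url "$1"; then
        printf 'refusing to open %s: only http(s) URLs are forwarded\n' "$1" >&2
        return 2
    fi
    "$SYSTEMD_RUN" --user --quiet --collect -- xdg-open "$1"
}

# Behave as a script only when given an argument; sourcing it has no side effects.
if [ "$#" -gt 0 ]; then
    open_outside_sandbox "$1"
fi
```

Two caveats belong with this. First, the escape is the bus access, not the script: any process inside the sandbox that can talk to `org.freedesktop.systemd1` can call `systemd-run` with an arbitrary command, which is exactly why the sandbox is "not a sandbox anymore" once this is allowed; `dbus-user filter` with `dbus-user.talk org.freedesktop.systemd1` narrows the bus to that one peer but leaves this path open. Second, the URL check only limits what a well-behaved KeePassXC forwards (for example a `javascript:` or `file://` value stored in an entry's URL field); it is no defence against a compromised process in the sandbox.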
@WhyNotHugo commented on GitHub (Jun 15, 2022):

> with or without browser extension

Support is being worked on upstream. KeePassXC already has the changes in
master, but pending release:

https://github.com/keepassxreboot/keepassxc/pull/8030

You also need a proxy with these changes:

https://github.com/varjolintu/keepassxc-proxy-rust/pull/10

> with or without allowing the app to check for updates

This seems really out-of-scope for a password manager, and requires giving it
network access. Why not simply rely on your distribution's update mechanisms?

---

Regarding opening URLs in the browser, we have a few options:

  1. Allow running Firefox inside the sandbox. If an instance is already running,
    it will talk to it over dbus and open the window. However, if no instance is
    running, this will run Firefox inside KeePassXC's sandbox. This approach
    seems risky.

  2. We could place a tiny script in the sandbox's $PATH that uses the D-Bus
    OpenURL portal: https://github.com/flatpak/xdg-desktop-portal/pull/741
    Regrettably, the portal is broken and won't work with non-flatpak
    sandboxes. This is really an ideal approach for sandboxed applications, but
    the PR is simply stalled.

  3. Ideally, KeePassXC could use the above mentioned portal API to open URLs.
    Again, the portal will reject the request due to the same issue above, so
    this is not viable either.

Perhaps an alternative implementation of the xdg-desktop-portal would help us
fix this, but given its monolithic design, we'd need to re-implement ALL of it

Reference: github-starred/firejail#2091