github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3453] [Question not a bug] About Firefox under firejail #2170

New issue
Closed
opened 2026-05-05 08:51:01 -06:00 by gitea-mirror · 8 comments
gitea-mirror commented 2026-05-05 08:51:01 -06:00
Owner
Copy link

Originally created by @Nokia808 on GitHub (Jun 6, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3453

Hi dear. It is not a bug.

My default command to run my Firefox on my Fedora 32 is "firefox %u"

I like to run firefox under firejail & to obtain more security I like to run it with "-no-remote"

I tried the following:
$ firejail firefox %u -no-remote
& I got an error: Firefox opened with blank screen within it following error message "file %u not found"
I think it is just that my way to write command was wrong due to wrong place of "%u" ...

Kindly, just to dictate the command here in correct way ...

Thanks.

Originally created by @Nokia808 on GitHub (Jun 6, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3453 Hi dear. It is not a bug. My default command to run my Firefox on my Fedora 32 is "firefox %u" I like to run firefox under firejail & to obtain more security I like to run it with "-no-remote" I tried the following: $ firejail firefox %u -no-remote & I got an error: Firefox opened with blank screen within it following error message "file %u not found" I think it is just that my way to write command was wrong due to wrong place of "%u" ... Kindly, just to dictate the command here in correct way ... Thanks.
gitea-mirror 2026-05-05 08:51:01 -06:00
gitea-mirror commented 2026-05-05 08:51:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 6, 2020):

%u is a thing special to .desktop files and has no meaning in bash, therefore it is forwarded to firefox, where it has too no meaning.

Use
$ firejail firerfox --no-remote
or if you executed firecfg
$ firefox --no-remote

<!-- gh-comment-id:639997441 --> @rusty-snake commented on GitHub (Jun 6, 2020): `%u` is a thing special to .desktop files and has no meaning in bash, therefore it is forwarded to firefox, where it has too no meaning. Use $ firejail firerfox --no-remote or if you executed firecfg $ firefox --no-remote
gitea-mirror commented 2026-05-05 08:51:04 -06:00
Author
Owner
Copy link

@Nokia808 commented on GitHub (Jun 6, 2020):

@rusty-snake
Thank you for replay.
But I need to edit Firefox entry from within my Cinnamon applications menu editor. In this case how I should write the command? Kindly, see the following screenshot:

ff-default-command

<!-- gh-comment-id:639999112 --> @Nokia808 commented on GitHub (Jun 6, 2020): @rusty-snake Thank you for replay. But I need to edit Firefox entry from within my Cinnamon applications menu editor. In this case how I should write the command? Kindly, see the following screenshot: ![ff-default-command](https://user-images.githubusercontent.com/25375330/83938427-91838b80-a7c3-11ea-8b4d-7c4f0e218263.png)
gitea-mirror commented 2026-05-05 08:51:05 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 6, 2020):

If you executed firecfg:
firefox --no-remote %u
otherwise
firejail firefox --no-remote %u

%x in desktop files is usually the last part of the Exec key.

<!-- gh-comment-id:640003145 --> @rusty-snake commented on GitHub (Jun 6, 2020): If you executed firecfg: firefox --no-remote %u otherwise firejail firefox --no-remote %u `%x` in desktop files is usually the last part of the Exec key.
gitea-mirror commented 2026-05-05 08:51:06 -06:00
Author
Owner
Copy link

@Nokia808 commented on GitHub (Jun 6, 2020):

It is clear now. I will close this issue.

But only further question - though not on topic - I have an AppImage program (jitsi-meet-x86_64.AppImage) which is based on chromium. I like to use same approach (from within application menu where I'm already created for it an entry manually). All what I have is just to start command by "firejail". It has no %u. But do I have to use -no-remote command to get additional security or -no-remote only for browsers ?

By the way: -no-remote or --no-remote ? In your blog you used -no-remote while here you using --no-remote

<!-- gh-comment-id:640008890 --> @Nokia808 commented on GitHub (Jun 6, 2020): It is clear now. I will close this issue. But only further question - though not on topic - I have an AppImage program (jitsi-meet-x86_64.AppImage) which is based on chromium. I like to use same approach (from within application menu where I'm already created for it an entry manually). All what I have is just to start command by "firejail". It has no %u. But do I have to use -no-remote command to get additional security or -no-remote only for browsers ? By the way: -no-remote or --no-remote ? In your blog you used -no-remote while here you using --no-remote
gitea-mirror commented 2026-05-05 08:51:06 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jun 6, 2020):

Hi, I see where you could be a bit confused. The --no-remote parameter is Firefox-specific, it does not offer any additional firejail security. You can see all the parameters it supports if you run 'firefox --help'. Basically when you start firefox with --no-remote (or -no-remote, I believe it supports both formats), each time you try to open a hyperlink from another application, a new firefox instance will be started, which might not be what you want. So I suggest you try it and if you don't like it you can remove the --no-remote option. Doing so will not affect the security offered by firejail.

I think the above also answers your jitsi-meet question. If a program doesn't have %u in its .desktop file that means it does not accept specific start parameters (like a URL for a web browser).

So if you executed firecfg
jitsi-meet-desktop
otherwise
firejail --appimage jitsi-meet-desktop

<!-- gh-comment-id:640026781 --> @ghost commented on GitHub (Jun 6, 2020): Hi, I see where you could be a bit confused. The --no-remote parameter is Firefox-specific, it does **not** offer any additional firejail security. You can see all the parameters it supports if you run 'firefox --help'. Basically when you start firefox with --no-remote (or -no-remote, I believe it supports both formats), each time you try to open a hyperlink from another application, a _new_ firefox instance will be started, which might not be what you want. So I suggest you try it and if you don't like it you can remove the --no-remote option. Doing so will **not** affect the security offered by firejail. I think the above also answers your jitsi-meet question. If a program doesn't have %u in its .desktop file that means it does not accept specific start parameters (like a URL for a web browser). So if you executed firecfg jitsi-meet-desktop otherwise firejail --appimage jitsi-meet-desktop
gitea-mirror commented 2026-05-05 08:51:07 -06:00
Author
Owner
Copy link

@Nokia808 commented on GitHub (Jun 6, 2020):

@glitsj16

  1. Dear I made mistake in name of jitsi package. It's full name is:
    jitsi-meet-x86_64.AppImage
    I will correct it in previous post.
    So, it will be: firejail --appimage jitsi-meet-x86_64.AppImage

  2. regarding Firefox & --no-remote , if I'm NOT USING "firecfg" & only use "firejail firefox %u" from within applications menu then how it will be safe it I will open Firefox from other application like click on a link within chat message? In the last scenario click link within chat application should it leading to open new Firefox instance in the default non-firejail because firecfg not run ?
    I understood from post in blog - please correct to me - that "--no-remote" (or "-no-remote") is designated to overcome the last behaviour ....

<!-- gh-comment-id:640058868 --> @Nokia808 commented on GitHub (Jun 6, 2020): @glitsj16 1) Dear I made mistake in name of jitsi package. It's full name is: jitsi-meet-x86_64.AppImage I will correct it in previous post. So, it will be: `firejail --appimage jitsi-meet-x86_64.AppImage` 2) regarding Firefox & --no-remote , if I'm NOT USING "firecfg" & only use "firejail firefox %u" from within applications menu then how it will be safe it I will open Firefox from other application like click on a link within chat message? In the last scenario click link within chat application should it leading to open new Firefox instance in the default non-firejail because firecfg not run ? I understood from post in blog - please correct to me - that "--no-remote" (or "-no-remote") is designated to overcome the last behaviour ....
gitea-mirror commented 2026-05-05 08:51:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 6, 2020):

So, it will be: firejail --appimage jitsi-meet-x86_64.AppImage

Yes, maybe you need in addition to specific the profile:
firejail --profile=jitsi-meet-desktop --appimage jitsi-meet-x86_64.AppImage

if I'm NOT USING "firecfg" & only use "firejail firefox %u" from within applications menu then how it will be safe it I will open Firefox from other application like click on a link within chat message? In the last scenario click link within chat application should it leading to open new Firefox instance in the default non-firejail because firecfg not run ?

GUI-Programs usually also use the .desktop file. If firefox is started w/o --no-remote the link will be opened in the running firefox.

<!-- gh-comment-id:640059974 --> @rusty-snake commented on GitHub (Jun 6, 2020): > So, it will be: firejail --appimage jitsi-meet-x86_64.AppImage Yes, maybe you need in addition to specific the profile: `firejail --profile=jitsi-meet-desktop --appimage jitsi-meet-x86_64.AppImage` > if I'm NOT USING "firecfg" & only use "firejail firefox %u" from within applications menu then how it will be safe it I will open Firefox from other application like click on a link within chat message? In the last scenario click link within chat application should it leading to open new Firefox instance in the default non-firejail because firecfg not run ? GUI-Programs usually also use the .desktop file. If firefox is started w/o `--no-remote` the link will be opened in the running firefox.
gitea-mirror commented 2026-05-05 08:51:09 -06:00
Author
Owner
Copy link

@Nokia808 commented on GitHub (Jun 6, 2020):

@rusty-snake
No it is very clear now. If not using "--no-remote" (only "firejail firefox %u") then any external referral to Firefox will opened within safe runing Firefox WHICH IS ALREADY SUNDBOX. But if "--no-remote" is used (firejail firefox -no-remote %u) then any external referral for Firefox will lead to open NEW Firefox instance WHICH ALSO SANDBOX. So, using/nonusing "--no-remote" will not change level of security offered by firejail to Firefox .....

<!-- gh-comment-id:640061461 --> @Nokia808 commented on GitHub (Jun 6, 2020): @rusty-snake No it is very clear now. If not using "--no-remote" (only "firejail firefox %u") then any external referral to Firefox will opened within safe runing Firefox WHICH IS ALREADY SUNDBOX. But if "--no-remote" is used (firejail firefox -no-remote %u) then any external referral for Firefox will lead to open NEW Firefox instance WHICH ALSO SANDBOX. So, using/nonusing "--no-remote" will not change level of security offered by firejail to Firefox .....
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2170
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?