[GH-ISSUE #3513] docs: Improve U2F documentation #2210

Open
opened 2026-05-05 08:53:47 -06:00 by gitea-mirror · 6 comments

Originally created by @reinerh on GitHub (Jul 16, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3513

On the [Debian bugtracker](https://bugs.debian.org/965097) someone reported problems with enabling U2F, which is disabled by default.
The setting in firejail.config is a bit confusing, as it is named `browser-disable-u2f`, which is **enabled** by default (which means that u2f is **disabled**).
The manpages are only documenting the command line flag `--nou2f` and `nou2f` / `BROWSER_DISABLE_U2F` for profiles.
But from the documentation alone it's not possible to figure out, why U2F might be disabled. One needs to look into the configuration for that (and not get confused).

He also suggests to enable U2F (for browsers) by default. Opinions on that?
gitea-mirror added the enhancement, documentation labels 2026-05-05 08:53:47 -06:00

@rusty-snake commented on GitHub (Jul 16, 2020):

> He also suggests to enable U2F (for browsers) by default. Opinions on that?

This would mean full /dev access for browsers (except the devices blacklisted by no*).

https://github.com/netblue30/firejail/blob/ce462b6b1fbfe497df7f045844b2bb5a74e5c777/etc/profile-a-l/firefox-common.profile#L52
https://github.com/netblue30/firejail/commit/32c3669115a7168e5a7fa13347bd6f8daf838be0
https://github.com/netblue30/firejail/issues/3170

@reinerh commented on GitHub (Jul 16, 2020):

> This would mean full /dev access for browsers (except the devices blacklisted by no*).

Thanks, I wasn't aware that this would grant so wide access to /dev.

@SkewedZeppelin commented on GitHub (Jul 16, 2020):

iirc the private-dev is disabled only to allow u2f dongles to be connected at will
you can remove that conditional for more security, but you then have to have your dongle connected before launching the browser/sandbox
I personally prefer the latter, but too many issues were filed that u2f wasn't working.


@smitsohu commented on GitHub (Jul 16, 2020):

> Thanks, I wasn't aware that this would grant so wide access to /dev

My impression is that in its current form `BROWSER_DISABLE_U2F` is a bit of a misnomer

@ghost commented on GitHub (Jul 16, 2020):

> My impression is that in its current form `BROWSER_DISABLE_U2F` is a bit of a misnomer

Indeed. I have seen users on the archlinux IRC channel asking questions about it. Maybe something like `BROWSER_SUPPORT_U2F` would be less confusing...

@rusty-snake commented on GitHub (Jan 4, 2021):

For the record: https://github.com/netblue30/firejail/blob/master/contrib/firejail-welcome.sh
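
An added example (not part of the thread and not firejail project code): shell functions that resolve the double negative discussed in this issue, reporting whether a firejail.config-style file leaves U2F enabled or disabled for browsers and which profile lines are gated on `BROWSER_DISABLE_U2F`. The sample config and profile contents are constructed, and taking the last assignment of the key as authoritative is an assumption.

```shell
#!/bin/sh
# Effective value of browser-disable-u2f in a firejail.config-style file.
# A missing or commented-out key falls back to "yes", the default stated in
# the issue. Taking the last assignment is an assumption of this example.
browser_disable_u2f() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "browser-disable-u2f" { val = $2 }
        END { print (val == "" ? "yes" : val) }
    ' "$1"
}

# Translate the double negative: only an explicit "no" leaves U2F enabled.
u2f_state() {
    if [ "$(browser_disable_u2f "$1")" = "no" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Profile directives that apply only while BROWSER_DISABLE_U2F is set.
gated_directives() {
    sed -n 's/^[[:space:]]*?BROWSER_DISABLE_U2F:[[:space:]]*//p' "$1"
}

# Constructed sample inputs (not copied from the firejail repository).
demo_dir=$(mktemp -d)
printf '# browser-disable-u2f yes\n' > "$demo_dir/default.config"
printf 'browser-disable-u2f no\n' > "$demo_dir/u2f-on.config"
printf 'caps.drop all\n?BROWSER_DISABLE_U2F: nou2f\n?BROWSER_DISABLE_U2F: private-dev\n' \
    > "$demo_dir/browser.profile"

for f in default.config u2f-on.config; do
    echo "$f: U2F $(u2f_state "$demo_dir/$f")"
done
echo "gated on BROWSER_DISABLE_U2F:" $(gated_directives "$demo_dir/browser.profile")
```

In the constructed profile both gated lines apply under the default config; setting `browser-disable-u2f no` drops them together, which is the wider /dev access the comments above describe.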
