[GH-ISSUE #3894] newsboat unable to launch default browser #2443

Closed
opened 2026-05-05 09:07:45 -06:00 by gitea-mirror · 13 comments

Originally created by @ayham-1 on GitHub (Jan 14, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3894

Write clear, concise and in textual form.
When having firejail enabled (running `firecfg`), opening any link using the o key or a link number key would just fail with: `Unable to spawn browser`. I don't think the default cfg has support for lynx.

Bug and expected behavior

  • Describe the bug.
    Open feed, try opening browser
  • What did you expect to happen?
    The browser to open.

No profile and disabling firejail

  • What changed calling `firejail --noprofile /path/to/program` in a terminal?
    It worked.
  • What changed calling the program by path (check `which <program>` or `firejail --list` while the sandbox is running)?
    No such file or directory

Reproduce
Steps to reproduce the behavior:

  1. Run in bash `newsboat`
  2. Try to spawn browser
  3. error

Environment

  • Arch Linux, 5.10.7.a-1-hardened
  • FireJail version 0.9.64, apparmor support is enabled

Checklist

  • [x] The profile (and redirect profile if exists: https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/newsboat.profile) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] If it is an AppImage, `--profile=PROFILENAME` is used to set the right profile.
  • [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get English error messages.
  • [?] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.

debug output

```
OUTPUT OF `firejail --debug PROGRAM`
```

https://pastebin.com/ZLDusshM

@rusty-snake commented on GitHub (Jan 14, 2021):

Maybe that helps: #3312.

@ayham-1 commented on GitHub (Jan 14, 2021):

> Maybe that helps: #3312.

`firejail --private-bin=lynx,sh,gzip --private-etc="lynx,sh,gzip,lynx.cfg,lynx.lss" newsboat`

This works. Is there a chance I can make a PR through to add these into the default profile?

@ghost commented on GitHub (Jan 15, 2021):

> `firejail --private-bin=lynx,sh,gzip --private-etc="lynx,sh,gzip,lynx.cfg,lynx.lss" newsboat`
>
> This works. Is there a chance I can make a PR through to add these into the default profile?

It's a bit odd that private-etc needs `lynx,sh,gzip` as these files do not exist on Arch Linux. I assume adding the below to your `newsboat.local` should work:

```
private-bin gzip,lynx,sh
private-etc lynx.cfg,lynx.lss
```

After doing so you can run `firejail newsboat` (if you don't use firecfg) or simply `newsboat` (if you do use firecfg) to have lynx support in the newsboat sandbox. A PR is always an option, but in all honesty I find it superfluous in this case. Firejail's .local overrides functionality is implemented exactly for situations like this. Did you try that already?

@ayham-1 commented on GitHub (Jan 15, 2021):

> > `firejail --private-bin=lynx,sh,gzip --private-etc="lynx,sh,gzip,lynx.cfg,lynx.lss" newsboat`
> >
> > This works. Is there a chance I can make a PR through to add these into the default profile?
>
> It's a bit odd that private-etc needs `lynx,sh,gzip` as these files do not exist on Arch Linux. I assume adding the below to your `newsboat.local` should work:
>
> ```
> private-bin gzip,lynx,sh
> private-etc lynx.cfg,lynx.lss
> ```
>
> After doing so you can run `firejail newsboat` (if you don't use firecfg) or simply `newsboat` (if you do use firecfg) to have lynx support in the newsboat sandbox. A PR is always an option, but in all honesty I find it superfluous in this case. Firejail's .local overrides functionality is implemented exactly for situations like this. Did you try that already?

Yes, I already have it set up. But I think that the default browser should be at least supported in the official repos; this would set an example on changing the browser.

@ghost commented on GitHub (Jan 15, 2021):

> Yes, I already have it set up. But I think that the default browser should be at least supported in the official repos; this would set an example on changing the browser.

Now I understand! I am not familiar with newsboat so I installed it. Only after looking inside its config it became clear that when a BROWSER env var isn't set it falls back to lynx. So please do make a PR.

@ayham-1 commented on GitHub (Jan 15, 2021):

solved #3895

@ghost commented on GitHub (Feb 19, 2021):

I am having a similar problem to this one. My default browser is Brave and I have the firejail desktop configuration running. I would like to open links in a sandboxed Brave session, but I can only do this if running Newsboat outside of Firejail. I am able to launch a sandboxed version of Lynx from inside a sandboxed Newsboat by adding `browser "/usr/local/bin/lynx %u"` to the config file or through the command line with `set browser...`. The same strategy does not work with Brave.

@rusty-snake commented on GitHub (Feb 19, 2021):

Try to add this to your `newsboat.local`:

```
ignore noexec /tmp
ignore noexec ${HOME}
ignore caps.drop all
ignore ipc-namespace
ignore no3d
ignore nonewprivs
ignore noroot
ignore novideo
ignore protocol
ignore seccomp
ignore private-bin
ignore private-etc
ignore private-tmp
ignore dbus-user none
ignore dbus-system none
ignore memory-deny-write-execute

noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/brave-flags.conf
noblacklist ${HOME}/.gnupg
noblacklist /proc/config.gz
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki

mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/brave-flags.conf
whitelist ${HOME}/.gnupg

caps.keep sys_admin,sys_chroot
```

@ghost commented on GitHub (Feb 19, 2021):

@rusty-snake You mean ~/.newsboat or the ~/.local directory? I'm unsure where to find or create it?

@rusty-snake commented on GitHub (Feb 19, 2021):

`~/.config/firejail/newsboat.local`

@ghost commented on GitHub (Feb 19, 2021):

It works now! Would I just add similar lines for any application-related directories in ~ if I wanted to use other browsers at some point?

@rusty-snake commented on GitHub (Feb 21, 2021):

You mean that you switch from brave to e.g. vivaldi, then yes. Just replace the brave-specific `noblacklist`/`mkdir`/`whitelist` with the ones from vivaldi. In addition, vivaldi does not need `ignore noexec /tmp` but `ignore noexec /var`, so you always need to look at the profiles (if something is broken).

Be warned, though, that this deactivates the half sandbox. If your system supports unprivileged userns you should add `seccomp !chroot` and remove

```
ignore caps.drop all
ignore nonewprivs
ignore noroot
ignore protocol
ignore seccomp
caps.keep sys_admin,sys_chroot
```

@rusty-snake commented on GitHub (Feb 22, 2021):

> If your system supports unprivileged userns you should …

… also uncomment `chromium-common-hardened.inc`

--------

### Much more secure way

Allow only the permissions required to run `systemd-run` and use.

Use the `newsboat.local` below instead of the one from above and configure `xdg-open` as browser (and add the xdg-open script), or configure `/usr/bin/systemd-run --user --quiet --no-block /usr/bin/firejail /usr/bin/brave-browser %u` directly.

`newsboat.local`:

```
noblacklist ${PATH}/systemd-run
ignore dbus-user none
dbus-user filter
dbus-user.talk org.freedesktop.systemd1
private-bin systemd-run
```

`/usr/local/bin/xdg-open`:

```sh
#!/bin/sh
systemd-run --user --quiet --no-block /usr/bin/xdg-open "$@"
```

EDIT: Added `noblacklist ${PATH}/systemd-run`. Forgot that we `blacklist ${PATH}/systemd-run`.
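As an added example (not from this thread or the firejail project), here is a hardened variant of the `/usr/local/bin/xdg-open` wrapper above. It keeps the `systemd-run --user --quiet --no-block` hand-off that moves the browser out of the newsboat sandbox (so firecfg's symlink starts it in its own firejail), but first checks that what newsboat substituted for `%u` is an `http`/`https` URL with a host and no embedded whitespace, so a crafted feed entry cannot hand the browser a `file://` or `javascript:` argument. The `/usr/bin/xdg-open` path is taken from the comment; the 2048-byte length cap, the `launch_detached`/`url_allowed`/`open_url` names and the exit code 2 for rejected input are assumptions of this example.

```shell
#!/bin/sh
# Hardened stand-in for the /usr/local/bin/xdg-open wrapper from the thread
# (added example; the length cap and function names are assumptions, not firejail defaults).

# Accept only plain web URLs of sane length with no whitespace or control characters.
# Returns 0 if the argument may be forwarded to the browser, 1 otherwise.
url_allowed() {
    url=$1
    # Assumed cap: anything longer than 2048 bytes is treated as suspect.
    [ "${#url}" -le 2048 ] || return 1
    case "$url" in
        *[[:space:]]*) return 1 ;;        # embedded space, tab or newline
        http://?*|https://?*) return 0 ;; # scheme must be http(s) and a host must follow
        *) return 1 ;;                    # file:, javascript:, data:, option-like args, ...
    esac
}

# Hand the command to the user's systemd manager so it runs outside the
# newsboat sandbox (same mechanism as the wrapper in the thread).
launch_detached() {
    systemd-run --user --quiet --no-block "$@"
}

# Validate, then launch. Returns 2 (and says why on stderr) for a rejected URL.
open_url() {
    if ! url_allowed "$1"; then
        printf 'xdg-open wrapper: refusing non-http(s) or malformed argument: %s\n' "$1" >&2
        return 2
    fi
    launch_detached /usr/bin/xdg-open "$1"
}

# Script entry point: newsboat invokes this with the URL as the single argument.
if [ "$#" -gt 0 ]; then
    open_url "$1"
fi
```

Install it at `/usr/local/bin/xdg-open` exactly as the comment above describes, keep the `newsboat.local` lines that allow `systemd-run` and D-Bus talk to `org.freedesktop.systemd1`, and run the script by hand with a URL once to confirm the hand-off works before pointing newsboat's `browser` setting at it. Because the check is done inside the sandbox before anything leaves it, a rejected URL never reaches `systemd-run` at all.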
