[GH-ISSUE #3982] thunderbird: cannot open links in firefox (and vice-versa) #2492

Closed
opened 2026-05-05 09:10:31 -06:00 by gitea-mirror · 15 comments

Originally created by @Shimergo on GitHub (Feb 12, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3982

I hope it's OK to ask 'help' questions here, rather than raise an issue as such. I've not been able to get any advice on the Linux Mint forum I usually use.

Anyway, I launch both Thunderbird and Firefox with Firejail (from a terminal). Both work fine on their own, and have all the settings, tabs, etc as they do without Firejail. But they don't work together:

  1. When I click on a link in a Thunderbird email it launches a new Firefox window with a different profile. Two profiles are listed in that window (about:profiles), neither of which is the profile that all my tabs and bookmarks are in. Any idea how I can get Thunderbird to open links in the existing Firejailed Firefox window?

  2. For comms the other way around, when I ask Firefox to 'Email Link', I get the Account Wizard for Unix Mailspool. How do I get Firefox to pop a Thunderbird New Message like it does without Firejail?

When I do firejail --list, Thunderbird and Firefox are both listed, but it's like they're in separate sandboxes or something - well that's what I deduce cos they're not talking to each other.

If it makes any difference, I installed Firejail from the Linux Mint Software Manager (version is 0.9.62; am more comfortable with that than pasting commands I don't understand into a terminal - my skills are pretty limited), and haven't done any other setup (eg. I don't want apps to be auto-Firejailed - I want to keep the option of running without Firejail).

Thanks!


@rusty-snake commented on GitHub (Feb 12, 2021):

~~What's your firejail version?~~ EDIT: I should read, it's 0.9.62. There were improvements for this in 0.9.64.

@Shimergo commented on GitHub (Feb 12, 2021):

Any idea of the details that might affect this?
And is there a way to update Firejail without having to uninstall, or do I have to do that apt-get stuff?

@rusty-snake commented on GitHub (Feb 12, 2021):

> And is there a way to update Firejail without having to uninstall, or do I have to do that apt-get stuff?

Stealing @glitsj16's comment.

> Please update your firejail package, the 0.9.62 version is vulnerable to [this](https://github.com/netblue30/firejail#security-vulnerabilities). You can use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail) maintained by one of our collaborators if the official repos you use are not (yet) updated. The current chromium profiles block access to ${DESKTOP}, contrary to those in 0.9.62.

My opinion:
Firejail 0.9.64.4 has "fixes" for CVE-2021-26910. You should install another distribution if you want security. Why? Firejail 0.9.64.4 is distributed by Arch Linux, Debian unstable, Fedora 33 and OpenSUSE (Leap and Tumbleweed). Gentoo has it in testing ATM and Debian stable has "fixed" CVE-2021-26910. While Alpine, Fedora 32, Mint (due to Ubuntu), MX Linux and Ubuntu (firejail is in universe) still distribute a vulnerable version.

> When I do firejail --list, Thunderbird and Firefox are both listed, but it's like they're in separate sandboxes or something - well that's what I deduce cos they're not talking to each other.

You can create a profile for both. They already share firefox-common.profile.

```
$ fjp diff thunderbird firefox
The following commands are unique to thunderbird.profile:
include thunderbird.local
ignore include whitelist-runuser-common.inc
ignore dbus-system none
writable-run-user
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.thunderbird
include disable-passwdmgr.inc
include disable-xdg.inc
mkdir ${HOME}/.cache/thunderbird
mkdir ${HOME}/.gnupg
mkdir ${HOME}/.thunderbird
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.thunderbird
whitelist /usr/share/gnupg
whitelist /usr/share/thunderbird
novideo
ignore private-tmp

The following commands are unique to firefox.profile:
include firefox.local
noblacklist ${HOME}/.cache/mozilla
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
whitelist /usr/share/doc
whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist /usr/share/gtk-doc/html
dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
```

> Any idea of the details that might affect this?

Allow TB to open links in a running FFX:

https://github.com/netblue30/firejail/blob/4b2914eb554635ce11e0b721c59cbb0ec428af44/etc/profile-m-z/thunderbird.profile#L24-L27

@Shimergo commented on GitHub (Feb 13, 2021):

Thanks, rusty-snake, much appreciated. Have made some progress, but not quite there yet.
I managed OK to replace Firejail with version 0.9.64.4.

Now when I click on a link in a Thunderbird email it still opens a new Firefox window but at least it now uses my standard Firefox profile. If I close that new Firefox window and then click another Thunderbird email link it opens it in a new tab in the original Firejailed Firefox window, which is what I want. `/etc/firejail/thunderbird.profile` already has those lines you mention. So how do I get Thunderbird to open all links as a new tab in the open Firefox window, even the first link that I click on in Thunderbird (this is the behaviour I have without Firejail)?

Also I still have the problem for the reverse FF-TB interaction, that when I ask Firefox to 'Email Link', I get the Account Wizard for Unix Mailspool. How do I fix that to get Firefox to pop a Thunderbird New Message like it does without Firejail?

@Shimergo commented on GitHub (Feb 14, 2021):

With a bit more work:

The first part (TB -> FF) seems to be a wider problem with Firefox, so I'll open a new issue.

The second part (FF -> TB) I've found a solution to a [similar issue for evolution](https://github.com/netblue30/firejail/issues/2795) and had a crack at adapting it for Thunderbird. It works, but I've no clue if I've done it right, so if someone has time, I'd appreciate a check it's safe (inc. `noblacklist ${HOME}/.thunderbird` which was a typo, but changing it to add `/profiles.ini` breaks it; then 'Email link' and 'mailto' ask for a TB profile):

```
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/applications/thunderbird.desktop
whitelist /var/mail
whitelist /var/spool/mail
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.local/share/applications/thunderbird.desktop
read-only ${HOME}/.thunderbird/profiles.ini
ignore nodbus
```

Thanks!

@reinerh commented on GitHub (Feb 21, 2021):

A similar issue was reported on the Debian [bug tracker](https://bugs.debian.org/968551), but I was not able to reproduce it so far.

@rusty-snake commented on GitHub (Feb 21, 2021):

With firejail >= 0.9.64 you should be able to open links from thunderbird in a running firefox.

https://github.com/netblue30/firejail/blob/42e2db1275e37bf669a074c023ea9f9a8b40db43/etc/profile-m-z/thunderbird.profile#L24-L27

@Shimergo commented on GitHub (Feb 23, 2021):

Thanks, both for getting back.

reinerh: It’s similar, but different. My spurious window from the first Thunderbird link click is in the same Firefox profile as the already open window.

rusty-snake: “should be able to”, but it doesn’t :) . I have those lines in my thunderbird.profile. Firejail is set up exactly as it came by default!

Both/All: A fellow Mint user has now kindly been able to replicate this problem, and added some more detail [here](https://forums.linuxmint.com/viewtopic.php?f=90&t=342043&p=1976117) (see especially later posts). For LibreOffice the same issue is affected by symbolic links to Firejail, but Thunderbird isn’t. Hopefully this may give you some clues to help figure out what’s going on? I’m obviously happy to test any suggestions you have.

@rusty-snake commented on GitHub (Feb 24, 2021):

For reference: https://github.com/netblue30/firejail/issues/3471#issuecomment-646582480
For reference: Firefox' IPC differs between Wayland and X11. DBus is only used when firefox runs native under wayland, otherwise SystemV-IPC (?) is used AFAIK.

Does `cat ${HOME}/.mozilla/firefox/profiles.ini` look like this?

```
[Profile0]
Name=foo
IsRelative=1
Path=foo
Default=1

[General]
StartWithLastProfile=1
Version=2

[Install123bar]
Default=foo
Locked=1
```

What happens if you `whitelist ${HOME}/.mozilla/firefox/installs.ini` in TB?

What happens if you run

* `firejail --profile=thunderbird /usr/bin/firefox https://github.com/`
* `firejail --profile=thunderbird /usr/bin/firefox --new-tab https://github.com/`
* `firejail --profile=thunderbird /usr/bin/firefox --new-window https://github.com/`
* `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox https://github.com/`
* `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-tab https://github.com/`
* `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-window https://github.com/`

while firefox is running inside firejail?

I will try to reproduce this in a mint VM when I have the time.

@Shimergo commented on GitHub (Feb 25, 2021):

> Does `cat ${HOME}/.mozilla/firefox/profiles.ini` look like this?

No, I get this:

```
[Install4F96D1932A9F858E]
Default=mwad0hks.default
Locked=1

[Profile0]
Name=default
IsRelative=1
Path=mwad0hks.default
Default=1

[General]
StartWithLastProfile=1
Version=2
```

> What happens if you `whitelist ${HOME}/.mozilla/firefox/installs.ini` in TB?

Same problem

> What happens if you run
>
> * `firejail --profile=thunderbird /usr/bin/firefox https://github.com/`

Opens a new Firefox window with my home page, nothing else

> * `firejail --profile=thunderbird /usr/bin/firefox --new-tab https://github.com/`

Opens the GitHub page in a new tab in current Firefox window :)

> * `firejail --profile=thunderbird /usr/bin/firefox --new-window https://github.com/`

Opens the GitHub page in a new window

> * `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox https://github.com/`

Opens a new Firefox window with my home page, nothing else

> * `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-tab https://github.com/`

Opens the GitHub page in a new tab in current Firefox window :)

> * `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-window https://github.com/`

Opens the GitHub page in a new window

> while firefox is running inside firejail?

BTW, I also had that extra whitelist in the thunderbird profile for all the above tests. That line is still there for now.

> I will try to reproduce this in a mint VM when I have the time.

Thanks – much appreciate it!

And in case it’s relevant, for all 6 of the above tests I got the error:
`dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory`
And for the last 3, it was preceded by:
`Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features`
@rusty-snake commented on GitHub (Feb 25, 2021):

> And in case it’s relevant, for all 6 of the above tests I got the error:
> dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory

#3680

@rusty-snake commented on GitHub (Mar 6, 2021):

> I will try to reproduce this in a mint VM when I have the time.

Did, here's what I found:

  1. I was able to reproduce it. `firejail --profile=thunderbird /usr/bin/firefox https://duckduckgo.com/` opens `https://www.linuxmint.com/start/ulyssa/` in a new window.
  2. `firejail --profile=thunderbird /usr/lib/firefox/firefox https://duckduckgo.com/` opens `https://duckduckgo.com/` in the current window. So the issue is caused by the wrapper script.
  3. After reading `/usr/bin/firefox` in vim and running `firejail --profile=thunderbird bash -x /usr/bin/firefox https://duckduckgo.com/`, it turns out that the difference between unsandboxed and sandboxed is that firefox is started with `--purgecaches`.
  4. `firejail --whitelist=/var/lib/dpkg --whitelist=${HOME}/.mozilla/*.dpkg_version --profile=thunderbird /usr/bin/firefox https://duckduckgo.com/` opens `https://duckduckgo.com/` in the current window.

Conclusion: The following thunderbird.local should work.

```
mkfile ${HOME}/.mozilla/0.dpkg_version
whitelist ${HOME}/.mozilla/0.dpkg_version
```

@Shimergo commented on GitHub (Mar 6, 2021):

Yep, that works - Brilliant! - Much appreciate your time on this.

One last question (a quick one hopefully): From further up the thread, are the following lines safe to add to firefox.local? I edited them from someone who had the [same issue with evolution](https://github.com/netblue30/firejail/issues/2795), ie. that Firefox 'mailto' and 'File -> Email link' were not working. But I have no clue what these lines do. Bottom line is I just want to check the noblacklists and whitelists aren't adding any vulnerability to the system? Thanks.

```
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/applications/thunderbird.desktop
whitelist /var/mail
whitelist /var/spool/mail
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.local/share/applications/thunderbird.desktop
read-only ${HOME}/.thunderbird/profiles.ini
ignore nodbus
```

@rusty-snake commented on GitHub (Mar 6, 2021):

> noblacklist ${HOME}/.local/share/applications/thunderbird.desktop

There is no such `blacklist`.

> whitelist ${HOME}/.local/share/applications/thunderbird.desktop

Depending: useless or overkill

> noblacklist /var/mail
> noblacklist /var/spool/mail
> noblacklist ${HOME}/.cache/thunderbird
> noblacklist ${HOME}/.thunderbird
> noblacklist ${HOME}/.gnupg
> whitelist /var/mail
> whitelist /var/spool/mail
> whitelist ${HOME}/.cache/thunderbird
> whitelist ${HOME}/.thunderbird/profiles.ini
> whitelist ${HOME}/.gnupg
> read-only ${HOME}/.thunderbird/profiles.ini

If TB is already running, you can remove /var/... and .gnupg and .cache/thunderbird (maybe) I guess.

> ignore nodbus

Allows full escape and does not work with fj>=0.9.64

@Shimergo commented on GitHub (Mar 7, 2021):

Great, so to confirm for others, all I need in firefox.local is this, which works a treat:

```
noblacklist ${HOME}/.thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
read-only ${HOME}/.thunderbird/profiles.ini
```

As you say, it only works if TB is already running - but turns out that the code I had before didn’t work either with TB closed. For me, that’s all fine cos TB is always open.
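
Added example, not part of the original thread and not code from the firejail project: a small Python check that reads a `*.local` override and lists what it opens up, run over the two `firefox.local` variants quoted above (the 14-line draft and the final 3-line version). The function names and finding messages are assumptions of this example, and it inspects only the override text, not the profiles it is layered on.

```python
# Added example: audit a firejail *.local override for the access it adds.
# It looks only at the override text, not at the profiles it is layered on.

# Constructed inputs: the two firefox.local variants quoted in this thread.
DRAFT = """\
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/applications/thunderbird.desktop
whitelist /var/mail
whitelist /var/spool/mail
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.local/share/applications/thunderbird.desktop
read-only ${HOME}/.thunderbird/profiles.ini
ignore nodbus
"""
FINAL = """\
noblacklist ${HOME}/.thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
read-only ${HOME}/.thunderbird/profiles.ini
"""


def parse(text):
    """Return (command, argument) pairs, skipping blank lines and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        command, _, argument = line.partition(" ")
        rules.append((command, argument.strip()))
    return rules


def covers(parent, path):
    """True if `path` is `parent` itself or lies underneath it."""
    parent = parent.rstrip("/")
    return path == parent or path.startswith(parent + "/")


def audit(text):
    """List (command, argument, reason) for rules that widen the sandbox."""
    rules = parse(text)
    read_only = [arg for cmd, arg in rules if cmd == "read-only"]
    findings = []
    for cmd, arg in rules:
        if cmd == "ignore":
            # `ignore X` makes firejail skip command X from the base profile.
            findings.append((cmd, arg, "base profile's '%s' line is ignored" % arg))
        elif cmd == "whitelist" and not any(covers(ro, arg) for ro in read_only):
            findings.append((cmd, arg, "exposed with no read-only rule in this file"))
    return findings


def removed_rules(before, after):
    """Rules present in `before` but dropped from `after`, in original order."""
    kept = set(parse(after))
    return [rule for rule in parse(before) if rule not in kept]


if __name__ == "__main__":
    for name, text in (("draft", DRAFT), ("final", FINAL)):
        findings = audit(text)
        print("%s: %d finding(s)" % (name, len(findings)))
        for cmd, arg, why in findings:
            print("  %-9s %-62s %s" % (cmd, arg, why))
    print("dropped by the final version: %d rule(s)" % len(removed_rules(DRAFT, FINAL)))
```

The draft yields six findings (five whitelists without a read-only rule plus `ignore nodbus`), while the final three-line version yields none.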
