github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4027] firejail prevent my firefox from login to "Ask Fedora" site ! #2510

New issue
Closed
opened 2026-05-05 09:11:39 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 09:11:39 -06:00
Owner
Copy link

Originally created by @Nokia808 on GitHub (Mar 2, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4027

Hi. I noticed that if I launch my firefox with firejail then I can not login to "Ask Fedora" site ! But if I run firefox without firejail, then I can login !

To reproduce this:

  1. run firefox with firejail,
  2. go to https://ask.fedoraproject.org
    No problem till now.
  3. click on "log in" icon of this site. You will see that firefox will struggle to visit login screen but it remain sticky to non log in page & remain so for ever ! Firefox will never display login screen inspite the fact that it trying to do so !
  4. close firefox.
  5. now try to re-launch firefox, then you will receive error message: "firefox is currently running ......... you need to exit it 1st .......". It will remain so until restart PC ! No way to re-launch firefox neither from icon nor from terminal till restart PC !
  6. now restart PC. Then launch firefox without firejail, then go to "Ask Fedora" site. After that click on "log in" icon, you will redirected okay to sign in screen & you can sign in !

Additional notes:

  • this only happening with https://ask.fedoraproject.org
  • I'm on Fedora 32 X64 bit Cinnamon edition
  • I installed firejail from my official Fedora repositories
  • my firejail version is 0.9.62.4
  • my firefox version is 85.0.1 (64 bit) from official Fedora repositories

Best.

Originally created by @Nokia808 on GitHub (Mar 2, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4027 Hi. I noticed that if I launch my firefox with firejail then I can not login to "Ask Fedora" site ! But if I run firefox without firejail, then I can login ! To reproduce this: 1) run firefox with firejail, 2) go to https://ask.fedoraproject.org No problem till now. 3) click on "log in" icon of this site. You will see that firefox will struggle to visit login screen but it remain sticky to non log in page & remain so for ever ! Firefox will never display login screen inspite the fact that it trying to do so ! 4) close firefox. 5) now try to re-launch firefox, then you will receive error message: "firefox is currently running ......... you need to exit it 1st .......". It will remain so until restart PC ! No way to re-launch firefox neither from icon nor from terminal till restart PC ! 6) now restart PC. Then launch firefox without firejail, then go to "Ask Fedora" site. After that click on "log in" icon, you will redirected okay to sign in screen & you can sign in ! Additional notes: - this only happening with https://ask.fedoraproject.org - I'm on Fedora 32 X64 bit Cinnamon edition - I installed firejail from my official Fedora repositories - my firejail version is 0.9.62.4 - my firefox version is 85.0.1 (64 bit) from official Fedora repositories Best.
gitea-mirror commented 2026-05-05 09:11:42 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 2, 2021):

  1. click on "log in" icon of this site. You will see that firefox will struggle to visit login screen but it remain sticky to non log in page & remain so for ever ! Firefox will never display login screen inspite the fact that it trying to do so !

For me this works as expected and a sandboxed Firefox 86.0 on Arch Linux is happy to show that login page. I'm assuming you have already checked your FF preferences (cookies, javascript access, add-ons etc.). In case you didn't please do so, even try a fresh profile to rule out any internal FF issues.

my firejail version is 0.9.62.4
my firefox version is 85.0.1 (64 bit) from official Fedora repositories

You should update firejail as soon as possible. Besides a big chunk of updates and improvements to our profiles your version 0.9.62.4 is vulnerable to CVE-2021-26910, which is fixed in 0.9.64.4. I'm not familiar with Fedora, so I cannot judge if your specific 32 X64 Cinnamon Edition offers an upgraded firejail package via its package management tools. You can get the latest from git though by following these instructions from our wiki.

<!-- gh-comment-id:788724762 --> @ghost commented on GitHub (Mar 2, 2021): > 3. click on "log in" icon of this site. You will see that firefox will struggle to visit login screen but it remain sticky to non log in page & remain so for ever ! Firefox will never display login screen inspite the fact that it trying to do so ! For me this works as expected and a sandboxed Firefox 86.0 on Arch Linux is happy to show that login page. I'm assuming you have already checked your FF preferences (cookies, javascript access, add-ons etc.). In case you didn't please do so, even try a fresh profile to rule out any internal FF issues. > my firejail version is 0.9.62.4 my firefox version is 85.0.1 (64 bit) from official Fedora repositories You should update firejail as soon as possible. Besides a big chunk of updates and improvements to our profiles your version 0.9.62.4 is vulnerable to CVE-2021-26910, which is fixed in 0.9.64.4. I'm not familiar with Fedora, so I cannot judge if your specific 32 X64 Cinnamon Edition offers an upgraded firejail package via its package management tools. You can get the latest from git though by following [these](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git#fedora) instructions from our wiki.
gitea-mirror commented 2026-05-05 09:11:43 -06:00
Author
Owner
Copy link

@Nokia808 commented on GitHub (Mar 2, 2021):

@glitsj16
Hi. Thank you very much !

It is a big failure for Firejail & for my distro packager.

A big failure for firejail because as I got that firejail affected since 0.9.30 & only fixed at 0.9.64.4 !! This mean - correct to me if I'm wrong - very enough time to cause a damage to some users !! Do you received any report about a damage already had been happened from this security hole ?

A big failure for my distro - see this post that opened by me:
https://bugzilla.redhat.com/show_bug.cgi?id=1934020

I removed firejail from my system just after receiving replay from packager ..... This is the safest solution because I run:
vi /etc/firejail/firejail.config
to see where "overlays" to set it "no" but did not see it (or may be escape from my eyes). Moreover, I do not know - if I could find it & set it to "no" - what I should be done when I received version 0.9.64.4 when upgrading to Fedora 34: does I will receive new firejail.conf or old one will remain & need to remove it or deal with it manually ??

I will close this issue.

<!-- gh-comment-id:788853021 --> @Nokia808 commented on GitHub (Mar 2, 2021): @glitsj16 Hi. Thank you very much ! It is a big failure for Firejail & for my distro packager. A big failure for firejail because as I got that firejail affected since 0.9.30 & only fixed at 0.9.64.4 !! This mean - correct to me if I'm wrong - very enough time to cause a damage to some users !! Do you received any report about a damage already had been happened from this security hole ? A big failure for my distro - see this post that opened by me: https://bugzilla.redhat.com/show_bug.cgi?id=1934020 I removed firejail from my system just after receiving replay from packager ..... This is the safest solution because I run: vi /etc/firejail/firejail.config to see where "overlays" to set it "no" but did not see it (or may be escape from my eyes). Moreover, I do not know - if I could find it & set it to "no" - what I should be done when I received version 0.9.64.4 when upgrading to Fedora 34: does I will receive new firejail.conf or old one will remain & need to remove it or deal with it manually ?? I will close this issue.
gitea-mirror commented 2026-05-05 09:11:43 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 2, 2021):

A big failure for firejail because as I got that firejail affected since 0.30 & only fixed at 0.9.64.4 !! This mean - correct to me if I'm wrong - very enough time to cause a damage to some users !! Do you received any report about a damage already had been happened from this security hole ?

I have no knowledge about real-world damage being done by the overlayfs bug and affected versions started with 0.9.30, not 0.30. Long Term Support (LTS) Firejail branch is not affected by this bug.

The file that needs editing on an affected version is not /etc/firejail/firejail.conf but /etc/firejail/firejail.config and the overlayfs setting is here. When you get onto Fedora 34 and install firejail >= 0.9.64.4 this will not be strictly necessary as the undelying bug has been fixed.

That being said, it is considered good practice to disable any functionality you don't use in that same file, regardless of CVE's. Minimizing your attack surface is important!

Hope this clears up some confusion, regards!

<!-- gh-comment-id:788880561 --> @ghost commented on GitHub (Mar 2, 2021): > A big failure for firejail because as I got that firejail affected since 0.30 & only fixed at 0.9.64.4 !! This mean - correct to me if I'm wrong - very enough time to cause a damage to some users !! Do you received any report about a damage already had been happened from this security hole ? I have no knowledge about real-world damage being done by the overlayfs bug and [affected versions](https://github.com/netblue30/firejail#security-vulnerabilities) started with 0.9.30, not 0.30. Long Term Support (LTS) Firejail branch is not affected by this bug. The file that needs editing on an affected version is not /etc/firejail/firejail.conf but `/etc/firejail/firejail.config` and the overlayfs setting is [here](https://github.com/netblue30/firejail/blob/0.9.64.4/etc/firejail.config#L84). When you get onto Fedora 34 and install firejail >= 0.9.64.4 this will not be strictly necessary as the undelying bug has been fixed. That being said, it is considered _good practice_ to disable any functionality you don't use in that same file, regardless of CVE's. Minimizing your attack surface is important! Hope this clears up some confusion, regards!
gitea-mirror commented 2026-05-05 09:11:44 -06:00
Author
Owner
Copy link

@Nokia808 commented on GitHub (Mar 2, 2021):

@glitsj16
Hi again. Sorry for my bad typo in my previous replay ! All mistakes that I made I was know their correct !
I was know that the bug started from version 0.9.30 and file is "/etc/firejail/firejail.config" and remaining of my replay was based on the correct things. I mean that I was already run:
vi /etc/firejail/firejail.config

I will correct typo errors in the previous replay.

<!-- gh-comment-id:788902713 --> @Nokia808 commented on GitHub (Mar 2, 2021): @glitsj16 Hi again. Sorry for my bad typo in my previous replay ! All mistakes that I made I was know their correct ! I was know that the bug started from version 0.9.30 and file is "/etc/firejail/firejail.config" and remaining of my replay was based on the correct things. I mean that I was already run: vi /etc/firejail/firejail.config I will correct typo errors in the previous replay.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2510
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?