github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #4105] firejail --x11=xorg result in unable to open display #2535

New issue

Open

opened 2026-05-05 09:12:34 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented

2026-05-05 09:12:34 -06:00

Owner

Originally created by @ckorder on GitHub (Mar 16, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4105

Bug and expected behavior
firejail --x11=xorg firefox result in unable to open display
x11=xorg isnt working for any application while xpra is working

No protocol specified
/usr/bin/xauth: (argv):1: unable to open display ":0".
Failed to create untrusted X cookie: xauth: exit 1

Reproduce
Using default profiles with sudo firecfg

im only getting this kind of errors with Intel © Core™ i7 and not with AMD.

What changed calling firejail --noprofile /path/to/program in a terminal? nothing beside not loading profile
firejail --noprofile --x11=xorg firefox

Parent pid 607099, child pid 607100
No protocol specified
/usr/bin/xauth: (argv):1:  unable to open display ":0".
Failed to create untrusted X cookie: xauth: exit 1
Error: proc 607099 cannot sync with peer: unexpected EOF
Peer 607100 unexpectedly exited with status 1

firejail --noprofile --x11=xorg firefox
Parent pid 607099, child pid 607100
No protocol specified
/usr/bin/xauth: (argv):1: unable to open display ":0".
Failed to create untrusted X cookie: xauth: exit 1
Error: proc 607099 cannot sync with peer: unexpected EOF
Peer 607100 unexpectedly exited with status 1
user@pc:/opt$ firejail --x11=xorg firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 607408, child pid 607409
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
No protocol specified
/usr/bin/xauth: (argv):1: unable to open display ":0".
Failed to create untrusted X cookie: xauth: exit 1
Error: proc 607408 cannot sync with peer: unexpected EOF
Peer 607409 unexpectedly exited with status 1

Environment
Linux Mint 20.1
firejail version 0.9.62
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

within virtual machine its working without these errors
used sudo firecfg as well, but window is showing everything is working.
rly weird like #4104 where the issue just does not occur in a virtual machine, but i don't get why

Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 3738, child pid 3739
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 130.06 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory
[GFX1-]: glxtest: GLX extension missing
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Originally created by @ckorder on GitHub (Mar 16, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4105 **Bug and expected behavior** firejail --x11=xorg firefox result in unable to open display x11=xorg isnt working for any application while xpra is working **No protocol specified /usr/bin/xauth: (argv):1: unable to open display ":0". Failed to create untrusted X cookie: xauth: exit 1** **Reproduce** Using default profiles with sudo firecfg **im only getting this kind of errors with Intel © Core™ i7 and not with AMD.** - What changed calling `firejail --noprofile /path/to/program` in a terminal? nothing beside not loading profile firejail --noprofile --x11=xorg firefox ``` Parent pid 607099, child pid 607100 No protocol specified /usr/bin/xauth: (argv):1: unable to open display ":0". Failed to create untrusted X cookie: xauth: exit 1 Error: proc 607099 cannot sync with peer: unexpected EOF Peer 607100 unexpectedly exited with status 1 ``` firejail --noprofile --x11=xorg firefox Parent pid 607099, child pid 607100 No protocol specified /usr/bin/xauth: (argv):1: unable to open display ":0". Failed to create untrusted X cookie: xauth: exit 1 Error: proc 607099 cannot sync with peer: unexpected EOF Peer 607100 unexpectedly exited with status 1 user@pc:/opt$ firejail --x11=xorg firefox Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 607408, child pid 607409 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Post-exec seccomp protector enabled No protocol specified /usr/bin/xauth: (argv):1: unable to open display ":0". **Failed to create untrusted X cookie: xauth: exit 1** Error: proc 607408 cannot sync with peer: unexpected EOF Peer 607409 unexpectedly exited with status 1 **Environment** Linux Mint 20.1 firejail version 0.9.62 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled **within virtual machine its working without these errors** used sudo firecfg as well, but window is showing everything is working. rly weird like #4104 where the issue just does not occur in a virtual machine, but i don't get why ```firejail --x11=xorg firefox Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 3738, child pid 3739 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Post-exec seccomp protector enabled Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 130.06 ms Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory [GFX1-]: glxtest: GLX extension missing ^C Parent received signal 2, shutting down the child process... Child received signal 2, shutting down the sandbox... Parent is shutting down, bye... ```

gitea-mirror commented

2026-05-05 09:12:36 -06:00

Author

Owner

@ghost commented on GitHub (Mar 16, 2021):

firejail version 0.9.62

Please update this 0.9.62 version as soon as possible. Besides being outdated it is vulnerable to CVE-2021-26910, which is fixed in 0.9.64.4. You can install/update firejail from this PPA, which happens to be maintained by one of our collaborators.

It could be that you'll encounter the reported issue on the latest stable release too, but at least we then have a sound 'base' to start looking at it in detail.

@ghost commented on GitHub (Mar 16, 2021): > firejail version 0.9.62 Please update this `0.9.62` version as soon as possible. Besides being outdated it is vulnerable to [CVE-2021-26910](https://github.com/netblue30/firejail#security-vulnerabilities), which is fixed in `0.9.64.4.` You can install/update firejail from [this PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail), which happens to be maintained by one of our collaborators. It could be that you'll encounter the reported issue on the latest stable release too, but at least we then have a sound 'base' to start looking at it in detail.

gitea-mirror commented

2026-05-05 09:12:37 -06:00

Author

Owner

@ckorder commented on GitHub (Mar 17, 2021):

official-package-repositories.list:
ubuntu focal main restricted universe multiverse

who's responsible for... never mind, i dont care its ubuntu anyway 🗑️ 😄

@ckorder commented on GitHub (Mar 17, 2021): ``` official-package-repositories.list: ubuntu focal main restricted universe multiverse ``` who's responsible for... never mind, i dont care its ubuntu anyway 🗑️ 😄

gitea-mirror commented

2026-05-05 09:12:38 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 17, 2021):

Duplicate of #1741

@rusty-snake commented on GitHub (Mar 17, 2021): Duplicate of #1741

gitea-mirror commented

2026-05-05 09:12:39 -06:00

Author

Owner

@ckorder commented on GitHub (Mar 23, 2021):

@eevee
any one else please respond if the circumstances are equal or different

im only getting this kind of errors with Intel © Core™ i7 and not with AMD.

@ckorder commented on GitHub (Mar 23, 2021): @eevee any one else please respond if the circumstances are equal or different > im only getting this kind of errors with Intel © Core™ i7 and not with AMD.

gitea-mirror commented

2026-05-05 09:12:40 -06:00

Author

Owner

@u132 commented on GitHub (Jan 2, 2022):

Try running xhost si:localuser:username

@u132 commented on GitHub (Jan 2, 2022): Try running `xhost si:localuser:username`