[GH-ISSUE #4357] no sound with different user in firefox inside firejail #2633

Closed
opened 2026-05-05 09:17:40 -06:00 by gitea-mirror · 8 comments

Originally created by @osevan on GitHub (Jun 17, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4357

I figured out a new bug.

I have installed pulseaudio and alsa already.
I put the internet user in the audio group and
copied the .asoundrc file from my default user to home/internet/

What I have now:
- Firefox started in firejail as the default user: sound works with my hardened profile.
- Firefox started as the internet user inside firejail: sound didn't work.
- Firefox started as the internet user without firejail: sound works well.

Some error messages when I want to start with the different user "internet":

```
2021-06-17 09:47:23,955 Warning: failed to query pulseaudio using 'pactl info'
2021-06-17 09:47:23,955  XDG_RUNTIME_DIR (/tmp) is not owned by us (uid 1001), but by uid 0! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
2021-06-17 09:47:23,956  Connection failure: Connection refused
2021-06-17 09:47:23,956  pa_context_connect() failed: Connection refused
2021-06-17 09:47:24,019 failed to instantiate the dbus notification handler:
.......
......

2021-06-17 09:47:36,663 D-Bus notification forwarding is available
2021-06-17 09:47:36,703 pulseaudio server started with pid 28817
2021-06-17 09:47:36,704  private server socket path:
2021-06-17 09:47:36,705  '/tmp/xpra/pulse-959/pulse/native'
```

But no sound as the different user inside firejail.

Inside profile additions:

```
apparmor
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
nogroups
seccomp
private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-esr,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname,pulseaudio

#seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,swi$
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
#tracelog

# experimental features
private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,$
private-dev
private-tmp
private-cache
```

Any other solutions are welcome....


EDIT by @rusty-snake: code-blocks


@rusty-snake commented on GitHub (Jun 17, 2021):

Distro? Firejail version? Does `--noprofile` work?

> when i want start with different user "internet"

How do you do the user switch?

> inside profile additions:

Where? Why? Half of them are in firefox.profile. And what is `/etc/$`? Can you reproduce this with an unmodified profile?


@osevan commented on GitHub (Jun 17, 2021):

`sudo -A -u internet -H firejail --debug --x11=xpra firefox` is my command

```
firejail --version
firejail version 0.9.65

Compile time support:
- Always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled
```

debian buster
Linux 5.11.12-rt11


@osevan commented on GitHub (Jun 17, 2021):

I started with: `sudo -A -u internet -H firejail --noprofile --debug --x11=xpra firefox`

I still have no sound with --noprofile

```
(EE) Failed to open authorization file "/home/defaultuser/.Xauthority": Permission denied <-- here could be a mistake of firejail . they try the file in default user path not as internet user.
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1001' does not exist
 using '/tmp'

(xpra:3013): dbind-WARNING **: 10:17:16.972: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2021-06-17 10:17:17,266 Xpra GTK3 X11 client version 4.2-r0 64-bit

(Xpra:3036): dbind-WARNING **: 10:17:17.380: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2021-06-17 10:17:17,416  running on Linux Debian 10 buster
2021-06-17 10:17:17,418  window manager is 'IceWM 2.3.4 (Linux/x86_64)'
Warning: failed to import GStreamer 1.x:
 Namespace Gst not available
2021-06-17 10:17:20,148 Error: failed to query sound subsystem:
2021-06-17 10:17:20,149  query did not return any data
2021-06-17 10:17:20,197 Warning: failed to query pulseaudio using 'pactl info'
2021-06-17 10:17:20,198  XDG_RUNTIME_DIR (/tmp) is not owned by us (uid 1001), but by uid 0! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
```

EDIT by @rusty-snake: code-block
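
The log above shows the client falling back to `/tmp` because `/run/user/1001` does not exist, and PulseAudio then rejecting that directory on ownership. As an added example (not part of the original thread and not firejail code), here is a pre-flight check of the runtime directory to run as the target user before launching the sandbox. The function names and return codes are made up for illustration; the 0700 mode requirement comes from the XDG Base Directory specification.

```shell
#!/bin/sh
# Added example: check the runtime directory a PulseAudio client will use.
# Reproduces the condition behind "XDG_RUNTIME_DIR (/tmp) is not owned by us".

# owner_uid DIR -> numeric owner of DIR (GNU stat first, BSD stat as fallback)
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# perm_mode DIR -> octal permission bits of DIR
perm_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_runtime_dir DIR UID
# Hypothetical return codes:
#   0 usable, 1 unset/empty, 2 missing, 3 wrong owner, 4 mode is not 700
check_runtime_dir() {
    dir=$1
    want_uid=$2
    [ -n "$dir" ] || { echo "XDG_RUNTIME_DIR is not set"; return 1; }
    [ -d "$dir" ] || { echo "$dir does not exist"; return 2; }

    have_uid=$(owner_uid "$dir")
    if [ "$have_uid" != "$want_uid" ]; then
        # The case from the log: directory owned by uid 0, client is uid 1001.
        echo "$dir is owned by uid $have_uid, not uid $want_uid"
        return 3
    fi

    mode=$(perm_mode "$dir")
    [ "$mode" = "700" ] || { echo "$dir has mode $mode, expected 700"; return 4; }

    echo "$dir is usable for uid $want_uid"
    return 0
}

# Typical use, run as the user the sandbox will run as:
#   check_runtime_dir "$XDG_RUNTIME_DIR" "$(id -u)"
```

A non-zero result for the `sudo -u` target user means the session has no per-user runtime directory, which matches the fallback to `/tmp` reported in the thread.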


@osevan commented on GitHub (Jun 17, 2021):

I even tried the effective group id solution.

I created a startinternet file in the home directory of internet:

```
newgrp audio && firejail --debug --x11=xpra firefox
```

and started it with

```
sudo -A -u internet -H /home/internet/startinternet
```

Same issue with the effective group id set.


@osevan commented on GitHub (Jun 17, 2021):

I already tried

```
sudo -A -u internet -H firecfg --fix-sound
Writing file /home/internet//.config/pulse/client.conf
PulseAudio configured, please logout and login back again
```

No luck.


@osevan commented on GitHub (Jun 17, 2021):

When I start firejail and firefox with the default user, pulseaudio is running with:

```
ps aux |grep -i pulse
25873 0.0 0.1 468596 23832 ? Sl 12:21 0:00 /usr/bin/pulseaudio --start --log-target=syslog
31370 0.1 0.0 270128 8700 pts/0 Sl+ 12:27 0:00 pulseaudio --start -n --daemonize=false --system=false --exit-idle-time=-1 --load=module-suspend-on-idle --load=module-null-sink sink_name="Xpra-Speaker" sink_properties=device.description="Xpra\ Speaker" --load=module-null-sink sink_name="Xpra-Microphone" sink_properties=device.description="Xpra\ Microphone" --load=module-native-protocol-unix socket=/run/user/1000/xpra/pulse-466/pulse/native --load=module-dbus-protocol --load=module-x11-publish --log-level=2 --log-target=stderr --enable-memfd=no
```

If I run my command `sudo -A -u internet -H firejail --noprofile --debug --x11=xpra firefox`

then

```
ps aux |grep -i pulse
508 0.0 0.0 81828 892 pts/1 S+ 12:29 0:00 grep -i pulse
25873 0.0 0.1 468596 23832 ? Sl 12:21 0:00 /usr/bin/pulseaudio --start --log-target=syslog
internet 32759 0.1 0.0 270440 8812 pts/0 Sl+ 12:29 0:00 pulseaudio --start -n --daemonize=false --system=false --exit-idle-time=-1 --load=module-suspend-on-idle --load=module-null-sink sink_name="Xpra-Speaker" sink_properties=device.description="Xpra\ Speaker" --load=module-null-sink sink_name="Xpra-Microphone" sink_properties=device.description="Xpra\ Microphone" --load=module-native-protocol-unix socket=/tmp/xpra/pulse-372/pulse/native --load=module-dbus-protocol --load=module-x11-publish --log-level=2 --log-target=stderr --enable-memfd=no
```

With the default user I have sound.

With the internet user I haven't.


@osevan commented on GitHub (Jun 21, 2021):

Any solution or workaround is welcome


@osevan commented on GitHub (Jul 22, 2021):

YEAAAAH I FIXED SOUND PROBLEM WITH DIFFERENT USER!!!!!

I followed this setup for unix sockets and adding the internet user to the audio group:
https://dhole.github.io/post/pulseaudio_multiple_users/

I added pulse to my private-etc:

```
private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,pulse,

private-tmp
private-cache
```

even

```
private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-esr,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname,pulseaudio
```

and

```
private-lib /usr/lib/firefox-esr/libmozgtk.so,/usr/lib/firefox-esr/libxul.so,/usr/lib/firefox-esr/lib*
```

Now both work fine with audio.

Even the additional user runs perfectly inside firejail with sound, with some workaround....

You should consider this workaround for the next release.

Thanks and

best regards
