[GH-ISSUE #4789] keepassxc: Error: permission is denied to join a sandbox created by a different user #2779

Closed
opened 2026-05-05 09:26:26 -06:00 by gitea-mirror · 2 comments

Originally created by @MiltosKoutsokeras on GitHub (Dec 22, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4789

Description

KeePassXC 2.6.6 does not start on Arch Linux when it has already been launched by another user; it fails with the following error:

Error: permission is denied to join a sandbox created by a different user.

Steps to Reproduce

Log in as user A and launch keepassxc as expected; switch to another user and try to run it again. It fails with the message above.

Expected behavior

The expected behavior is to run keepassxc normally from multiple users in their own sandbox.

Actual behavior

The second user fails to start the program.

Behavior without a profile

Calling LC_ALL=C firejail --noprofile /usr/bin/keepassxc in a terminal starts the application normally.

Additional context

firejail was installed from the official Arch Pacman repository.

Installed /etc/firejail/keepassxc.profile contents

# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.cache/keepassxc
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.config/KeePassXCrc
noblacklist ${HOME}/.keepassxc
noblacklist ${DOCUMENTS}

# Allow browser profiles, required for browser integration.
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/google-chrome
noblacklist ${HOME}/.config/vivaldi
noblacklist ${HOME}/.local/share/torbrowser
noblacklist ${HOME}/.mozilla

blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local.
# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx.
#mkdir ${HOME}/Documents/KeePassXC
#whitelist ${HOME}/Documents/KeePassXC
# Needed for KeePassXC-Browser.
#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#mkdir ${HOME}/.cache/keepassxc
#mkdir ${HOME}/.config/keepassxc
#whitelist ${HOME}/.cache/keepassxc
#whitelist ${HOME}/.config/keepassxc
#whitelist ${HOME}/.config/KeePassXCrc
#include whitelist-common.inc

whitelist /usr/share/keepassxc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
machine-id
net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,netlink
seccomp !name_to_handle_at
seccomp.block-secondary
shell none
tracelog

private-bin keepassxc,keepassxc-cli,keepassxc-proxy
private-dev
private-etc alternatives,fonts,ld.so.cache,machine-id
private-tmp

dbus-user filter
#dbus-user.own org.keepassxc.KeePassXC
dbus-user.talk com.canonical.Unity.Session
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.freedesktop.login1.Manager
dbus-user.talk org.freedesktop.login1.Session
dbus-user.talk org.gnome.ScreenSaver
dbus-user.talk org.gnome.SessionManager
dbus-user.talk org.gnome.SessionManager.Presence
# Add the next line to your keepassxc.local to allow notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your keepassxc.local to allow the tray menu.
#dbus-user.talk org.kde.StatusNotifierWatcher
#dbus-user.own org.kde.*
dbus-system none

# Mutex is stored in /tmp by default, which is broken by private-tmp.
join-or-start keepassxc

Environment

  • Linux distribution and version: Arch Linux
  • Firejail version (firejail --version): 0.9.66

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 27506, the first child process inside the sandbox
Error: permission is denied to join a sandbox created by a different user.

Output of LC_ALL=C firejail --debug /path/to/program

Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/keepassxc' 
Command name #keepassxc#
Found keepassxc.profile profile in /etc/firejail directory
Reading profile /etc/firejail/keepassxc.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-shell.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-shell.inc
Found disable-xdg.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-xdg.inc
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
[profile] combined protocol list: "unix,netlink"
Switching to pid 27506, the first child process inside the sandbox
Error: permission is denied to join a sandbox created by a different user.

gitea-mirror 2026-05-05 09:26:26 -06:00
  • closed this issue
  • added the duplicate label

@rusty-snake commented on GitHub (Dec 22, 2021):

Duplicate of #2768


@rusty-snake commented on GitHub (Dec 22, 2021):

As a workaround you can create keepassxc.locals like

join-or-start keepassxc-userA
ignore join-or-start keepassxc
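The name collision that rusty-snake's workaround avoids, as an added example (not code from the firejail project or from this thread): a POSIX shell helper that parses a constructed firejail --list style listing (assumed format PID:USER:NAME:COMMAND, NAME empty when no name was set) to check whether the sandbox name "keepassxc" is already held by a different user, and then emits the per-user keepassxc.local shown in the comment above.

```shell
#!/bin/sh
# Added example; not part of firejail or the issue thread.
# Assumed listing format (one sandbox per line): PID:USER:NAME:COMMAND
# The NAME field is what `join-or-start NAME` tries to join; it is shared
# across users, which is why user B hits "permission is denied to join a
# sandbox created by a different user" once user A runs keepassxc.

SANDBOX_NAME="keepassxc"   # name used by the stock keepassxc.profile

# Print the owner (USER field) of the sandbox named $1 from the listing on
# stdin; prints nothing when no sandbox carries that name.
owner_of_sandbox() {
    awk -F: -v want="$1" '$3 == want { print $2; exit }'
}

# Return 0 when the sandbox named $1 exists and belongs to someone other
# than user $2, i.e. when `join-or-start $1` would fail for $2.
# Usage: printf '%s\n' "$LISTING" | foreign_sandbox NAME USER
foreign_sandbox() {
    owner=$(owner_of_sandbox "$1")
    if [ -n "$owner" ] && [ "$owner" != "$2" ]; then
        return 0
    fi
    return 1
}

# Contents of ~/.config/firejail/keepassxc.local for user $1: the workaround
# from the thread. keepassxc.local is included at the top of the profile, so
# the `ignore` line disables the shared `join-or-start keepassxc` that comes
# later, and the user-specific name gives each user their own sandbox.
workaround_local() {
    printf 'join-or-start %s-%s\nignore join-or-start %s\n' \
        "$SANDBOX_NAME" "$1" "$SANDBOX_NAME"
}

# Constructed sample: userA already holds the "keepassxc" sandbox name,
# userB runs an unrelated, unnamed sandbox.
SAMPLE_LIST='27506:userA:keepassxc:firejail /usr/bin/keepassxc
27610:userB::firejail /usr/bin/firefox'

if printf '%s\n' "$SAMPLE_LIST" | foreign_sandbox "$SANDBOX_NAME" userB; then
    echo "sandbox '$SANDBOX_NAME' belongs to another user; keepassxc.local for userB:"
    workaround_local userB
fi
```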