[GH-ISSUE #394] bug with permissions #283

Closed
opened 2026-05-05 05:31:29 -06:00 by gitea-mirror · 2 comments

Originally created by @soko1 on GitHub (Mar 30, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/394

Hi!

```
$ who
testuser
$ ls ~/
Desktop Download Testdir Videos Music Porn
$ firejail --seccomp firefox
```

When opening a File dialogue I see only "Desktop" and "Downloads". Okay. Running Telegram Desktop (https://desktop.telegram.org/):

```
$ firejail --seccomp /opt/telegram/Telegram
```

When opening a File dialogue I see all files (apart from ~/.gnupg, ~/.ssh...) - Desktop, Download, Testdir, Videos, Music, Porn.

$ diff -ru /etc/firejail/firefox.profile /etc/firejail/telegram.profile
--- /etc/firejail/firefox.profile   2016-02-08 02:14:01.000000000 +0300
+++ /etc/firejail/telegram.profile  2016-02-08 02:14:01.000000000 +0300
@@ -1,31 +1,14 @@
-# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-noblacklist ${HOME}/.mozilla
+# Telegram profile
+noblacklist ${HOME}/.TelegramDesktop
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+
 caps.drop all
 seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
+protocol unix,inet,inet6
 noroot
-whitelist ${DOWNLOADS}
-whitelist ~/.mozilla
-whitelist ~/.cache/mozilla/firefox
-whitelist ~/dwhelper
-whitelist ~/.zotero
-whitelist ~/.lastpass
-whitelist ~/.vimperatorrc
-whitelist ~/.vimperator
-whitelist ~/.pentadactylrc
-whitelist ~/.pentadactyl
-whitelist ~/.keysnail.js
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
-include /etc/firejail/whitelist-common.inc
-
-# experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-

+whitelist ~/Downloads/Telegram Desktop
+whitelist ~/.TelegramDesktop
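Review bot: `+whitelist ~/Downloads/Telegram Desktop` at the end of the hunk carries an unescaped space in the path; if the profile parser splits directives on whitespace, only `~/Downloads/Telegram` is whitelisted and the intended download directory stays hidden inside the sandbox, so confirm the parser keeps the rest of the line as one path, or document the escaping the profile format expects. Note also that the firefox side includes `/etc/firejail/whitelist-common.inc` while the telegram side does not, so the two profiles are less similar than the comparison suggests.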

They are similar => this is a bug.
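To make the expectation behind this report concrete, here is an added example (not code from the firejail project or from the issue author): a small parser for firejail-style profiles that inlines `include` lines, expands `~`, `${HOME}` and `${DOWNLOADS}`, and reports which top-level home entries would still be visible once a `whitelist` directive is in effect. The profile text mirrors the telegram profile in the diff above; the include-file contents, the home path `/home/testuser`, the expansion of `${DOWNLOADS}` and the sample home listing are all constructed assumptions, not the real `/etc/firejail` files. The whitelist rule it applies is the documented firejail behaviour that a whitelist under the home directory replaces it with a temporary filesystem holding only the whitelisted paths.

```python
"""Added example: resolve a firejail-style profile and compute what a
sandboxed process would see in ~ (whitelist semantics), plus a check for
whitelist paths containing spaces.  All inputs below are constructed."""

from typing import Dict, List

HOME = "/home/testuser"          # constructed sample home directory
DOWNLOADS = HOME + "/Downloads"  # assumption: ${DOWNLOADS} expands to ~/Downloads

# Constructed stand-ins for the .inc files; the real ones are larger.
INCLUDES: Dict[str, str] = {
    "/etc/firejail/disable-common.inc": "blacklist ${HOME}/.ssh\nblacklist ${HOME}/.gnupg\n",
    "/etc/firejail/disable-secret.inc": "blacklist ${HOME}/.gnupg\n",
}

# Profile text shaped like the telegram.profile shown in the issue (sample input).
TELEGRAM_PROFILE = """# Telegram profile
noblacklist ${HOME}/.TelegramDesktop
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-secret.inc

caps.drop all
seccomp
protocol unix,inet,inet6
noroot

whitelist ~/Downloads/Telegram Desktop
whitelist ~/.TelegramDesktop
"""

# Constructed top-level listing of ~, modelled on the `ls ~/` in the issue.
SAMPLE_HOME = ["Desktop", "Downloads", "Testdir", "Videos", "Music", "Porn",
               ".TelegramDesktop", ".ssh", ".gnupg"]


def expand(path: str) -> str:
    """Expand the home-directory variables used in firejail profiles."""
    path = path.replace("${HOME}", HOME).replace("${DOWNLOADS}", DOWNLOADS)
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return path


def parse_profile(text: str, includes: Dict[str, str] = INCLUDES, depth: int = 0) -> Dict[str, List[str]]:
    """Group directives by keyword, inlining `include` files (bounded depth)."""
    if depth > 8:
        raise RecursionError("include chain too deep")
    out: Dict[str, List[str]] = {"whitelist": [], "blacklist": [], "noblacklist": [], "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        if keyword == "include":
            sub = parse_profile(includes.get(arg.strip(), ""), includes, depth + 1)
            for key in out:
                out[key].extend(sub[key])
        elif keyword in ("whitelist", "blacklist", "noblacklist"):
            # Keep the remainder of the line as one path, spaces included
            # (the "Telegram Desktop" entry depends on this).
            out[keyword].append(expand(arg.strip()))
        else:
            out["other"].append(line)
    return out


def _top_level(path: str) -> str:
    """First path component below ~ (e.g. 'Downloads' for ~/Downloads/x)."""
    return path[len(HOME) + 1:].split("/", 1)[0]


def visible_home_entries(profile: Dict[str, List[str]], home_entries: List[str]) -> List[str]:
    """Top-level ~ entries the sandboxed process can still see.
    Whitelist rule: if any whitelist names a path under ~, only the whitelisted
    top-level entries remain; otherwise blacklists hide entries unless a
    noblacklist exempts the exact path."""
    whitelisted = [p for p in profile["whitelist"] if p.startswith(HOME + "/")]
    if whitelisted:
        keep = {_top_level(p) for p in whitelisted}
        return sorted(e for e in home_entries if e in keep)
    hidden = {_top_level(p) for p in profile["blacklist"]
              if p.startswith(HOME + "/") and p not in profile["noblacklist"]}
    return sorted(e for e in home_entries if e not in hidden)


def paths_with_spaces(profile: Dict[str, List[str]]) -> List[str]:
    """Whitelist entries a whitespace-splitting parser would truncate."""
    return [p for p in profile["whitelist"] if " " in p]


if __name__ == "__main__":
    prof = parse_profile(TELEGRAM_PROFILE)
    print("visible in ~:", visible_home_entries(prof, SAMPLE_HOME))
    print("whitelist paths containing spaces:", paths_with_spaces(prof))
```

Run against the sample profile, only `.TelegramDesktop` and `Downloads` survive at the top of `~`, which is the view the reporter expected inside the sandbox; a file chooser that lists the full home directory is therefore not running under that profile's mount namespace, which is the direction the later replies take.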


@curiosity-seeker commented on GitHub (Mar 31, 2016):

I'm not using Telegram so I can't check this. But I suppose that this might be the same as issue #330, i.e. that the file manager is opened over a socket. It's probably equivalent to going to about:support in Firefox and clicking "open directory". In this case it's not a security problem. Read that other thread - I had a hard time understanding it, too. ;-)


@netblue30 commented on GitHub (Jun 13, 2016):

Yes, the file manager is opened over a socket.
