[GH-ISSUE #4995] problems with sylpheed #2848

Closed
opened 2026-05-05 09:30:15 -06:00 by gitea-mirror · 8 comments

Originally created by @Rosika2 on GitHub (Mar 1, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4995

Hi all,

I've got a dedicated work-directory which I want the e-mail-client sylpheed to use with the option --private=[PATH to the DIR] .
This directory is located on my system on: /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/kgw_work3_sylpheed/ .

Strangely it seems to work just with the "--noprofile" option:
As an example I cd-ed into the respective directory and then issued the command

firejail --noprofile --private=(pwd) sylpheed

which works well.

firejail --private=(pwd) sylpheed

however won't even open sylpheed's GUI and shuts down the sandbox immediately:

firejail --private=(pwd) sylpheed
Reading profile /etc/firejail/sylpheed.profile
Reading profile /etc/firejail/email-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 11866, child pid 11869
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping gcrypt for private /etc
Warning: skipping gnupg for private /etc
Warning: skipping groups for private /etc
Warning: skipping hosts.conf for private /etc
Warning: skipping mailname for private /etc
Private /etc installed in 47.83 ms
Private /usr/etc installed in 0.01 ms
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 199.78 ms
dbus[22]: D-Bus library appears to be incorrectly set up: see the manual page for dbus-uuidgen to correct this issue. (Failed to open "/var/lib/dbus/machine-id": No such file or directory; Failed to open "/etc/machine-id": No such file or directory)
  D-Bus not built with -rdynamic so unable to print a backtrace

Parent is shutting down, bye...

Does anyone know why that might be?

Thanks a lot in advance
Many greetings
Rosika

P.S.:

my system: Linux/Lubuntu 20.04.4 LTS; 64 bit
kernel: 5.4.0-100-generic
firejail version: 0.9.68


@ghost commented on GitHub (Mar 1, 2022):

> Strangely it seems to work just with the "--noprofile" option

Please beware that --noprofile offers NO SECURITY whatsoever and is a debugging tool. When things work using that option, there isn't much of a mystery or strangeness involved. At least not when you realize that --noprofile uses default.profile behind the scenes. The latter doesn't have any private-etc defined, which is important in this context because /var/lib/dbus/machine-id usually is a symlink to /etc/machine-id.

Our sylpheed.profile includes email-common.profile, and that does define a private-etc but machine-id is not part of it. And that explains the D-Bus output you're seeing. Try adding --private-etc=machine-id on command line or use a ~/.config/firejail/sylpheed.local with private-etc machine-id.

On a side-note I want to ask you something. We don't see that many sylpheed users on our issue tracker. I use claws-mail myself, which is related to sylpheed. And that never seems to need access to /etc/machine-id. So I'm wondering if you could confirm if your sylpheed does when you run it 'regularly', meaning aside from this specific use-case you want to implement. We might need to fix that in our sylpheed.profile so you don't need anything special in the future.


@Rosika2 commented on GitHub (Mar 1, 2022):

@glitsj16:

Hi and thank you so much for your very fast and detailed reply.

> Please beware that --noprofile offers NO SECURITY whatsoever

O.k., I think I knew that already. Still it's good of you to point it out. I was providing that command just to show that sylpheed works by itself.

> there isn't much of a mystery or strangeness involved

You're right. My wording was a bit unfortunate. Sorry.

> [default.profile] The latter doesn't have any private-etc defined, which is important in this context because /var/lib/dbus/machine-id usually is a symlink to /etc/machine-id.

Yes, you're right. I checked it. Of course I believed you right away; but I always want to learn something new. Therefore my checking. :)

In email-common.profile I found the line
private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg

Am I right in assuming that anything following "private-etc" are the items which define what's in it? I'm asking because of the syntax. After "private-etc" there's just a whitespace and all the other items follow (however they're separated by commas).
So actually there´s no entry named "machine-id", like you pointed out.

Your suggestion works well:

firejail --private-etc=machine-id --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/kgw_work3_sylpheed sylpheed

works perfectly. Thanks a lot. :)

Thanks for your reference to claws-mail.

> And that never seems to need access to /etc/machine-id.

Interesting.

> So I'm wondering if you could confirm if your sylpheed does when you run it 'regularly', meaning aside from this specific use-case you want to implement.

Hmm, I'm a bit confused here.
Do you mean I can confirm it needs access to /etc/machine-id ?
I'd be glad to look it up, but how exactly do I go about doing that?
I'm using sylpheed on a regular (almost daily) basis but haven't been able to sandbox it properly - up to now. I've always used the "--noprofile" option which isn't the thing to do (as you pointed out).

Thanks again and many greetings.
Rosika


@ghost commented on GitHub (Mar 1, 2022):

> Am I right in assuming that anything following "private-etc" are the items which define what's in it? I'm asking because of the syntax. After "private-etc" there's just a whitespace and all the other items follow (however they're separated by commas).

That's correct. The syntax is indeed very specific: a space between private-etc and the list of files/directories, each one separated by a comma (and preferably in alphabetical order). A full breakfast :-) On top of that, private-etc 'accumulates', which is a complicated way of expressing that you can have more than one private-etc line in a profile, and Firejail combines them all together when setting up the sandbox. That's the reason why you only need one extra in this case, for machine-id. Everything else from email-common.profile will be added already. I hope this clears things up a bit.

> Thanks for your reference to claws-mail.

Very welcome. Not that I'm trying to get you to use that instead of sylpheed, but it does have very active development, including reliable and speedy responses to CVE's. See https://www.claws-mail.org/ and https://www.claws-mail.org/faq/index.php/General_Information#What_are_the_differences_between_Claws_Mail_and_Sylpheed.3F for details if you're interested.

Greetings!


@Rosika2 commented on GitHub (Mar 3, 2022):

@glitsj16:

Hi again,

so sorry I couldn't reply earlier.

> That's correct. The syntax is indeed very specific

Thanks for the confirmation. :)

> that you can have more than one private-etc line in a profile, and Firejail combines them all together when setting up the sandbox

Wow, that's great and really good to know. This makes adding machine-id easier indeed.

> Not that I'm trying to get you to use that [claws-mail] instead of sylpheed

No need to worry. I'm always grateful for any recommendations. Thanks a lot for the links. I'll look into them.

> So I'm wondering if you could confirm if your sylpheed does [need access to /etc/machine-id] when you run it 'regularly', meaning aside from this specific use-case you want to implement.

I'd be glad to answer your question ...
... if you could just give me a hint of how to ascertain it (perhaps with lsof ?)

Thanks a lot for your help.
Many greetings from Rosika :)


@ghost commented on GitHub (Mar 3, 2022):

> I'd be glad to answer your question ...
> ... if you could just give me a hint of how to ascertain it

You can use Firejail's --trace[=filename] option:

--trace[=filename]
    Trace open, access and connect system calls. If filename is specified, log trace output to filename, otherwise log to console.

Something like

firejail --private-etc=machine-id --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/kgw_work3_sylpheed --trace=~/Downloads/sylpheed-trace.log sylpheed

will produce a file in your ~/Downloads directory. After checking mail you can close sylpheed and grep the file for any references to /etc/machine-id.


@Rosika2 commented on GitHub (Mar 3, 2022):

Hi again @glitsj16 ,

thanks so much for your help.
Indeed I have to admit that I've never used Firejail's --trace option before. I'm glad you brought that to my attention. :)

So I applied the command you kindly provided for me and it worked well. After running sylpheed that way, actively checking for new mails and then closing it again I got the following results:

cat sylpheed-trace.log | grep machine-id
23:sylpheed:open /var/lib/dbus/machine-id:9
23:sylpheed:open /var/lib/dbus/machine-id:11

As you pointed out in your first answer:

> [...] because /var/lib/dbus/machine-id usually is a symlink to /etc/machine-id.

I think it's safe to say:

It seems I can confirm sylpheed does need access to /etc/machine-id when I run it ...

If any other information might be needed feel free to ask for it.

Many thanks again and many greetings.
Rosika
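As an added example that is not part of this thread or of the firejail project, the shell script below turns two points made above into a repeatable check: glitsj16's explanation that private-etc lines accumulate across a profile and everything it includes (so a sylpheed.local carrying its own private-etc line is enough), and the --trace workflow for finding which files the sandboxed program actually opens. It works entirely on a constructed fixture in a temp directory: stand-in profile files, a fake root containing the /var/lib/dbus/machine-id -> /etc/machine-id symlink, and a trace log modelled on the lines Rosika posted. The profile contents, the trace lines and the `<pid>:<name>:open <path>:<fd>` line format are constructed or assumed from the thread, not read from a real firejail installation.

```shell
#!/bin/sh
# Added example (not firejail's own code): audit the /etc paths a --trace log
# shows a sandboxed program opening against the private-etc entries that
# accumulate through a profile's include chain.  Everything runs against a
# constructed fixture in a temp directory; no real firejail files are read.

# make_fixture: write constructed stand-in profiles, a fake root holding the
# /var/lib/dbus/machine-id -> /etc/machine-id symlink, and a trace log modelled
# on the lines posted in the thread.  Prints the fixture directory.
make_fixture() {
    fix=$(mktemp -d)
    mkdir -p "$fix/profiles" "$fix/root/etc" "$fix/root/var/lib/dbus"
    # Absolute link into the fake root; on a real system it points at /etc/machine-id.
    ln -s "$fix/root/etc/machine-id" "$fix/root/var/lib/dbus/machine-id"
    cat > "$fix/profiles/sylpheed.profile" <<'EOF'
# constructed stand-in; sylpheed.local does not exist yet, which is fine
include sylpheed.local
include email-common.profile
EOF
    cat > "$fix/profiles/email-common.profile" <<'EOF'
# constructed excerpt of the much longer real private-etc line
include disable-common.inc
private-etc alternatives,ca-certificates,fonts,hosts,resolv.conf,ssl
EOF
    cat > "$fix/profiles/disable-common.inc" <<'EOF'
# no private-etc here
EOF
    cat > "$fix/trace.log" <<'EOF'
23:sylpheed:open /var/lib/dbus/machine-id:9
23:sylpheed:open /etc/resolv.conf:10
23:sylpheed:open /etc/gtk-3.0/settings.ini:11
23:sylpheed:open /home/rosika/.sylpheed-2.0/accountrc:12
EOF
    echo "$fix"
}

# collect_private_etc PROFILE_DIR PROFILE: the union of every private-etc
# entry reachable through include lines, one per line, sorted.  Missing
# include targets (an absent .local, say) are skipped.
collect_private_etc() {
    awk -v dir="$1" -v start="$2" '
    function expand(path,    line, n, parts, i) {
        if (path in seen) return          # guard against include loops
        seen[path] = 1
        while ((getline line < path) > 0) {
            sub(/#.*/, "", line); sub(/[ \t]+$/, "", line)
            if (line ~ /^include[ \t]+/) {
                sub(/^include[ \t]+/, "", line)
                expand(line ~ /^\// ? line : dir "/" line)
            } else if (line ~ /^private-etc[ \t]+/) {
                sub(/^private-etc[ \t]+/, "", line)
                n = split(line, parts, ",")
                for (i = 1; i <= n; i++) if (parts[i] != "") entries[parts[i]] = 1
            }
        }
        close(path)
    }
    BEGIN { expand(dir "/" start); for (e in entries) print e }' | sort
}

# add_local_private_etc PROFILE_DIR NAME ENTRY: append a private-etc line to
# NAME.local; because entries accumulate, this is all a user override needs.
add_local_private_etc() {
    printf 'private-etc %s\n' "$3" >> "$1/$2.local"
}

# etc_opens_not_in_profile PROFILE_DIR PROFILE TRACE FAKEROOT: for each path
# the trace shows being opened, follow a symlink inside FAKEROOT, keep only
# paths under /etc, and print the top-level /etc entries private-etc lacks.
etc_opens_not_in_profile() {
    allowed=$(collect_private_etc "$1" "$2")
    root=$4
    # trace line format as posted in the thread: "<pid>:<name>:open <path>:<fd>"
    sed -n 's/^[0-9]*:[^:]*:open \(.*\):[0-9]*$/\1/p' "$3" |
    while read -r p; do
        if [ -L "$root$p" ]; then
            t=$(readlink "$root$p")
            case $t in "$root"/*) p=${t#"$root"} ;; esac
        fi
        case $p in /etc/*) ;; *) continue ;; esac
        top=${p#/etc/}; top=${top%%/*}
        printf '%s\n' "$allowed" | grep -qxF "$top" || echo "$top"
    done | sort -u
}

# Demo: the machine-id gap shows up, then disappears once sylpheed.local
# carries its own private-etc line.
demo() {
    fix=$(make_fixture)
    echo "missing before override:"
    etc_opens_not_in_profile "$fix/profiles" sylpheed.profile "$fix/trace.log" "$fix/root"
    add_local_private_etc "$fix/profiles" sylpheed machine-id
    echo "missing after override:"
    etc_opens_not_in_profile "$fix/profiles" sylpheed.profile "$fix/trace.log" "$fix/root"
    rm -rf "$fix"
}
demo
```

Against the fixture the first run reports both gtk-3.0 and machine-id (the latter only because the symlink is followed, which is the detail that made the D-Bus error so confusing), and after the .local override only gtk-3.0 remains. On a real system the same check would be run with /etc/firejail as the profile directory and / as the root, and any entry it reports is a candidate for a private-etc line in the profile or its .local.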


@ghost commented on GitHub (Mar 3, 2022):

Thanks for confirming. I've opened a PR so in a next release you shouldn't be needing the workaround any longer.

Take care out there :-)


@Rosika2 commented on GitHub (Mar 3, 2022):

Thanks very much for your kind help @glitsj16,

it's highly appreciated.
I've seen your pull request already and I'm very thankful for your work.

I've learnt a lot in the process and I'm happy to be able to use firejail with my Linux distro.

Many thanks again and keep safe.
Many greetings from Rosika :-)
