[GH-ISSUE #5518] firefox: permissive access to /etc #3019

Closed
opened 2026-05-05 09:40:21 -06:00 by gitea-mirror · 8 comments

Originally created by @Boruch-Baum on GitHub (Dec 9, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5518

Running firejail for firefox-esr in debian allows me to read any file under /etc using keybinding C-o. That seems needlessly permissive to me. I created a firefox-esr.local file with the following contents that seem to fix the issue for me personally without any noticeable undesirable side-effects so far, but you may want to consider it for universal use

whitelist /etc/firefox-esr
whitelist /etc/mailcap*
blacklist /etc


@rusty-snake commented on GitHub (Dec 9, 2022):

  1. Why do you whitelist stuff in `/etc` if you blacklist entire `/etc`?
  2. What about `resolv.conf`?
  3. There's a comment in firefox.profile about `private-etc`; if you test on all distros with all possible configurations, we can enable it.

@Boruch-Baum commented on GitHub (Dec 9, 2022):

On 2022-12-09 04:16, rusty-snake wrote:

> 1. Why do you whitelist stuff in /etc if you blacklist entire /etc?

Because those two sub-folders are used by firefox

> 2. What about resolv.conf

Because firefox isn't directly doing DNS

> 3. There's a comment in firefox.profile about private-etc, if you test
> on all distros with all possible configurations, we can enabled it.

Oooh. I wasn't familiar with that feature, and with that option. So the
way to test it in debian would be to replace the contents of my firefox
local with that line, right? I'll do that now, and complain if any
trouble arises.


@rusty-snake commented on GitHub (Dec 9, 2022):

> Because those two sub-folders are used by firefox

But how can firejail use them if it can not access them?


@Boruch-Baum commented on GitHub (Dec 9, 2022):

OK. As an initial follow-up about your default private-etc:

  1. it's missing an entry for a firefox-esr folder, which in debian has
    some system-wide default settings

  2. it has some entries that I'm surprised are legitimately needed ever
    by firefox:

    group
    hostname
    machine-id
    passwd

  3. it has some entries that I suspect firefox itself doesn't need
    because the related functionality is handled by OS components:

    alternatives
    hosts
    nsswitch.conf
    resolv.conf
    selinux
    ssl
    X11

  4. it also has some entries for which firefox maintains its own data
    internally, so they are also likely unnecessary:

    ca-certificates
    crypto-policies

  5. many of the other items I'm unsure about, so for now, I'm testing in
    debian with just the following:

    private-etc firefox-esr,mailcap,mime.types


@Boruch-Baum commented on GitHub (Dec 18, 2022):

I've been using a custom firefox-esr.local file for about a week now, and I can report that the following works fine for me:

private-etc firefox-esr,fonts,mailcap,mime.types

Note that I needed to add 'fonts' to my original proposal, and also that I did not test using firefox without mailcap or mime.types


@layderv commented on GitHub (Jan 11, 2023):

> I've been using a custom firefox-esr.local file for about a week now, and I can report that the following works fine for me:
>
> private-etc firefox-esr,fonts,mailcap,mime.types
>
> Note that I needed to add 'fonts' to my original proposal, and also that I did not test using firefox without mailcap or mime.types

Did you have to edit settings in Firefox? With a default profile, I need to allow resolv.conf too
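A shell check, added here and not part of the thread or the firejail project, for verifying that the /etc a sandbox exposes matches a `private-etc` line like the one reported above, and for flagging the resolv.conf point raised in this comment. The profile contents and the sandbox listing are constructed sample data; the `firejail --quiet --profile=... ls /etc` command in the comment is how a real listing would be obtained.

```shell
#!/bin/sh
# Added example, not code from the firejail project or from the thread's authors.
# Audits a firejail "private-etc" directive against the view of /etc a sandbox
# actually exposes. The profile file and the listing below are constructed
# sample data; on a real system obtain the listing with
#   firejail --quiet --profile=/etc/firejail/firefox-esr.profile ls /etc
set -eu

# parse_private_etc FILE: print the entries of the last "private-etc" line in
# FILE one per line (firejail takes a comma-separated list on that line).
parse_private_etc() {
    grep '^private-etc ' "$1" | tail -n 1 | cut -d' ' -f2- \
        | tr ',' '\n' | sed '/^$/d' | sort -u
}

# audit_etc_view EXPECTED ACTUAL: both are newline-separated lists of names.
# Prints "extra: NAME" for entries visible but not requested, "missing: NAME"
# for requested entries the sandbox did not materialise, and the DNS caveat
# from the thread when resolv.conf is absent. Returns 1 on any mismatch.
audit_etc_view() {
    expected=$(printf '%s\n' "$1" | sort -u)
    actual=$(printf '%s\n' "$2" | sort -u)
    rc=0
    for e in $actual; do
        printf '%s\n' "$expected" | grep -qxF "$e" || { echo "extra: $e"; rc=1; }
    done
    for e in $expected; do
        printf '%s\n' "$actual" | grep -qxF "$e" || { echo "missing: $e"; rc=1; }
    done
    printf '%s\n' "$expected" | grep -qxF resolv.conf \
        || echo "note: resolv.conf not listed; plain DNS inside the sandbox needs it unless DoH is used"
    return $rc
}

# Constructed sample: the directive reported as working in the thread, and a
# sandbox view with two unrequested entries and one requested entry missing.
SAMPLE_LOCAL=$(mktemp)
printf '# firefox-esr.local (constructed)\nprivate-etc firefox-esr,fonts,mailcap,mime.types\n' > "$SAMPLE_LOCAL"
SAMPLE_VIEW='firefox-esr
fonts
mailcap
passwd
resolv.conf'

expected=$(parse_private_etc "$SAMPLE_LOCAL")
audit_etc_view "$expected" "$SAMPLE_VIEW" || echo "sandbox /etc does not match the directive"
```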


@Boruch-Baum commented on GitHub (Jan 12, 2023):

I don't remember making that change, using Debian's firefox-esr
--version "Mozilla Firefox 102.6.0esr". Firefox can be a kind of 'moving
target' in that they change defaults, and Debian puts their own layer of
patches on everything. With that in mind: From firefox's 'about:config'
tab, when I search for 'dns' and 'resolv' I see no changes to the
default settings (firefox would display such lines in bold). From the
command-line, I could have grepped file prefs.js, I guess.

I am glad you mentioned the DNS issue, because it's a subject that I'm
finding confusing on one of my machines. See, in addition to using
firejail, I'm using an application firewall called 'opensnitch', and I
notice that it is logging port 53 and 443 events from firefox to a bunch
of websites with names that sound like resolvers, for instance:

mozilla.cloudflare-dns.com
doh.test
use-application-dns.net

However, the events aren't anywhere near frequent enough to be
individual DNS queries, even considering a firefox local DNS cache. It
could be, though, that firefox is keeping a single DOH 443 connection
active for as long as firefox remains open, which sounds sensible to me,
but I don't know if that's how firefox DOH works, and opensnitch is also
logging firefox port 53 events to localhost and a bunch of other destinations.

On 2023-01-11 14:23, layderv wrote:

> I've been using a custom firefox-esr.local file for about a week
> now, and I can report that the following works fine for me:
>
> private-etc firefox-esr,fonts,mailcap,mime.types
>
> Note that I needed to add 'fonts' to my original proposal, and also
> that I did not test using firefox without mailcap or mime.types
>
> Did you have to edit settings in Firefox? With a default profile, I
> need to allow resolv.conf too



@kmk3 commented on GitHub (Aug 23, 2024):

private-etc is now enabled in firefox-common:

* #6435

Closing as resolved.

Feel free to open a new issue for bugs or improvements.
