[GH-ISSUE #420] xpra-winswitch trouble #306

Closed
opened 2026-05-05 05:33:53 -06:00 by gitea-mirror · 8 comments
Owner

Originally created by @suedi on GitHub (Apr 8, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/420

Trying out X11 separation with xpra, running firejail as of commit 42bb614

Having trouble with starting `firejail –-x11 –-net=eth0 xterm`

When checking log I get

"Xvfb command has terminated! xpra cannot continue"

I am using Arch and saw at #375 you (netblue30) wrote

> So far I couldn't get it to run at all with xpa-winswitch on my Arch box

xpra runs fine without involving firejail!?

I don't know what extra data to include to help in research?

Maybe this from the logfile

```
(EE) 
Fatal server error:
(EE) The '-logfile' option cannot be used with elevated privileges.
(EE) 
(EE) 
```

and after F***ing around

```
Invalid argument for -config
    With elevated privileges, the file specified with -config must be
    a relative path and must not contain any ".." elements.
    Using default xorg.conf search path.
```

Did you get it to run on your Arch box?

_edit_

With further investigation I cannot run xpra as the unprivileged user I use for firejail
even without firejail, though it works for root?

hmm?


@suedi commented on GitHub (Apr 8, 2016):

seems like it is some setuid issue?

If I remove suid from /usr/lib/xorg-server/Xorg

I can start xpra as unprivileged user

Firejail shows another error though

```
2016-04-09 00:16:11,940 Error setting up dbus signals:
2016-04-09 00:16:11,940  No module named dbus.mainloop.glib
xpra initialization error:
 cannot find any live servers to connect to
```

I have dbus-glib installed?


@suedi commented on GitHub (Apr 8, 2016):

So I installed python2-dbus and the previous error disappeared

new one

```
2016-04-09 00:23:29,414 failed to instantiate the dbus notification handler:
2016-04-09 00:23:29,415  org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2016-04-09 00:23:29,415  disable notifications to avoid this warning
2016-04-09 00:23:29,417 Error setting up dbus signals:
2016-04-09 00:23:29,417  org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
```

I have in my environment variables

```
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-ie3bpwQVr9,guid=dd8f42dc7e229920800408aa5707ef60
```

Are you by any chance scrubbing environment variables?

Maybe not, when I do it manually without firejail I can start xpra as unpriv. user
and get terminal. Same error displayed about dbus but terminal is working?

So maybe it is not the dbus error that gives

but this one from terminal

```
xpra initialization error:
 cannot find any live servers to connect to
```

and this one from .xpra/${DISPLAY}.log file

```
[ 25321.589] (II) Server terminated successfully (0). Closing log file.
```

Seems like server terminated gracefully?


@suedi commented on GitHub (Apr 8, 2016):

When I tried it as root, that is `firejail –-x11 –-net=eth0 xterm`

```
Child process initialized
/bin/bash: $'\342\200\223-x11': command not found
```

No evidence of xpra starting at all


@suedi commented on GitHub (Apr 9, 2016):

If as unprivileged user I execute

`firejail –-x11 xterm`

it works and I get a xterm.

But then network namespace is the only way to isolate abstract socket so that it is available in jail.

Also when checking netstat -a I have access to /tmp/.X11-unix/X0

however when I look into /tmp/.X11-unix inside jail there is only X883=

On my system /tmp is a symlink to another place so maybe this has something to do with it?

Anyway then I get no extra isolation with xpra :(

I vaguely remember we had a discussion about using wlan interface and I believe the
conclusion that this was not so easy? am I right?

I tested that thesis out by trying `firejail --net=wlan0 firefox`
that starts firefox but I get no connection.

Wasn't there some problems bridging wlan devices in linux?

If that is true then my conclusions are if you use wlan exclusively
the extra use of xpra for further isolation does not add any extra protection

Am I right?

This is really a B**** with wlan devices


@netblue30 commented on GitHub (Apr 9, 2016):

Never run xpra as root, it has more security problems than what you are fixing by sandboxing the x11 socket. In my opinion you are better off without x11 isolation.

> I vaguely remember we had a discussion about using wlan interface and I believe the
> conclusion that this was not so easy? am I right?

Yes, wlan devices are not supported in this moment.

> If that is true then my conclusions are if you use wlan exclusively
> the extra use of xpra for further isolation does not add any extra protection

You are right, there isn't any extra protection. The abstract X11 socket is still visible. In fact by default this is what most programs attempt to connect first. You really need a network namespace.


@suedi commented on GitHub (Apr 9, 2016):

I mounted tmpfs on /tmp/.X11-unix and then

I tried the suggestion in #57

`firejail --net=wlan0 xpra start :744 --start-child=xterm --no-daemon --exit-with-children`

and then xpra attach from another terminal I get the desired result

No X0 sockets

Does not work with firefox or midori.

> Yes, wlan devices are not supported in this moment.

At the moment? So you think it is possible to do?


@netblue30 commented on GitHub (Apr 10, 2016):

wlan: I am still looking into it, it is probably the biggest feature missing in this moment.

To check, run "netstat -a | grep X11". On a regular unsandboxed window you will get:

```
$ netstat -a | grep X11
unix  2      [ ACC ]     STREAM     LISTENING     14698    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     14697    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     13804    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     13212    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     13865    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15887    @/tmp/.X11-unix/X0
```

So, there are two listening sockets: /tmp/.X11-unix/X0 (regular Unix socket) and @/tmp/.X11-unix/X0 (abstract socket). Notice how clients are connecting to the abstract socket. If they don't find the abstract socket, they try the regular one. In your sandbox, you shouldn't see any X0 socket, unix or abstract.
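
The check described above, as an added example that is not from the issue or the firejail project: it reads /proc/net/unix directly (which lists only the current network namespace, so inside a `--net` sandbox it shows exactly what the jailed program can reach) instead of relying on netstat, and distinguishes the abstract `@` socket from the filesystem one. The two sample tables are constructed to mirror the host output above and a sandbox that only has xpra's own display.

```python
import re
from dataclasses import dataclass

# Constructed samples in /proc/net/unix format (not taken from the issue).
# Host view: the X server listens on a filesystem socket and an abstract one.
SAMPLE_HOST = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 14698 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 14697 @/tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 13804 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 22010 /run/user/1000/bus
"""
# Sandbox view (--net namespace plus tmpfs on /tmp/.X11-unix): only xpra's display.
SAMPLE_SANDBOX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 30111 /tmp/.X11-unix/X883
"""

SO_ACCEPTCON = 0x00010000  # Flags bit on listening sockets (netstat's "[ ACC ]")
X11_PATH = re.compile(r"^(@?)/tmp/\.X11-unix/X(\d+)$")  # '@' marks an abstract socket

@dataclass(frozen=True)
class UnixSocket:
    path: str
    listening: bool

def parse_proc_net_unix(text):
    """Parse the /proc/net/unix table; unnamed sockets (no Path column) are skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue
        sockets.append(UnixSocket(fields[7], bool(int(fields[3], 16) & SO_ACCEPTCON)))
    return sockets

def x11_listeners(sockets):
    """Map display number -> which flavours of its socket are listening in this namespace."""
    found = {}
    for s in sockets:
        m = X11_PATH.match(s.path)
        if m and s.listening:
            entry = found.setdefault(int(m.group(2)), {"abstract": False, "unix": False})
            entry["abstract" if m.group(1) else "unix"] = True
    return found

def host_display_reachable(sockets, display=0):
    """True if the host display's socket, abstract or filesystem, is still visible."""
    return display in x11_listeners(sockets)
```

Run `x11_listeners(parse_proc_net_unix(open("/proc/net/unix").read()))` from inside the jail; a display 0 entry of either flavour means the sandbox can still reach the host X server.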


@suedi commented on GitHub (Apr 11, 2016):

OK, you seem aware of the importance of supporting wlan so I feel no need
in keeping this ticket open as a reminder.

Thanks for information.

closing...
