[GH-ISSUE #5907] telegram: program asks to relogin on every launch #3127

Closed
opened 2026-05-05 09:45:52 -06:00 by gitea-mirror · 1 comment

Originally created by @aphyav on GitHub (Jul 18, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5907

Description

Telegram desktop (v 4.8.3) on Debian bookworm asks to relogin every time it is launched with firejail (v 0.9.72).

Steps to Reproduce

Steps to reproduce the behavior

  1. Launch telegram as usual, without firejail:

    mkdir /tmp/tg1
    /opt/Telegram/Telegram -many -workdir /tmp/tg1

  2. Log in by entering the confirmation code from another device. Close the app.

  3. Launch telegram without firejail again, to ensure that it loads the created profile correctly and doesn't ask to log in again:

    /opt/Telegram/Telegram -many -workdir /tmp/tg1

  4. Close the app.

  5. Launch telegram with firejail:

    LC_ALL=C firejail --profile=/etc/firejail/telegram.profile /opt/Telegram/Telegram -many -workdir /tmp/tg1

Expected behavior

When launching Telegram with firejail:

    LC_ALL=C firejail --profile=/etc/firejail/telegram.profile /opt/Telegram/Telegram -many -workdir /tmp/tg1

it must already be logged in.

Log

    user@pc:/tmp$ LC_ALL=C firejail --profile=/etc/firejail/telegram.profile /opt/Telegram/Telegram -many -workdir /home/user/tg1
    Reading profile /etc/firejail/telegram.profile
    Reading profile /etc/firejail/allow-bin-sh.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-exec.inc
    Reading profile /etc/firejail/disable-interpreters.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-shell.inc
    Reading profile /etc/firejail/disable-xdg.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Reading profile /etc/firejail/whitelist-runuser-common.inc
    Reading profile /etc/firejail/whitelist-usr-share-common.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    Warning: networking feature is disabled in Firejail configuration file
    Parent pid 165377, child pid 165380
    4 programs installed in 3.66 ms
    Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
    Warning: skipping crypto-policies for private /etc
    Warning: skipping ld.so.preload for private /etc
    Warning: skipping pki for private /etc
    Private /etc installed in 15.47 ms
    Private /usr/etc installed in 0.00 ms
    Child process initialized in 63.52 ms
    Detected locale "C" with character encoding "UTF-8", which is not UTF-8.
    Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
    If this causes problems, reconfigure your locale. See the locale(1) manual
    for more information.

    (Telegram:26): dbind-WARNING **: 08:05:16.246: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
    QPainter::begin: Paint device returned engine == 0, type: 2
    QWidget::render: Cannot render with an inactive painter
    qt.accessibility.atspi: Error in contacting registry: "org.freedesktop.DBus.Error.Disconnected" "Not connected to D-Bus server"

Workaround

To make it work as it must, I use the firejail profile for telegram from the bullseye version with some changes; here it is:

    # Firejail profile for telegram
    # This file is overwritten after every install/update
    # Persistent local customizations
    include telegram.local
    # Persistent global definitions
    include globals.local

    noblacklist ${HOME}/.TelegramDesktop
    noblacklist ${HOME}/.local/share/TelegramDesktop

    include disable-common.inc
    include disable-devel.inc
    include disable-exec.inc
    include disable-interpreters.inc
    include disable-programs.inc

    caps.drop all
    netfilter
    nodvd
    nonewprivs
    noroot
    notv
    protocol unix,inet,inet6,netlink
    seccomp

    disable-mnt
    private-cache
    private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg
    # private-tmp

gitea-mirror 2026-05-05 09:45:52 -06:00
  • closed this issue
  • added the notourbug label

@rusty-snake commented on GitHub (Jul 18, 2023):

Launch with one of the following commands if you want to share /tmp{,/tg1}.

    firejail --ignore=private-tmp --profile=/etc/firejail/telegram.profile /opt/Telegram/Telegram -many -workdir /tmp/tg1
    # or
    firejail --whitelist=/tmp/tg1 --profile=/etc/firejail/telegram.profile /opt/Telegram/Telegram -many -workdir /tmp/tg1
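
Added example, not part of the original issue or of the firejail project: a shell check for the situation described in this thread, where an active `private-tmp` in a profile or one of its includes hides a `-workdir` under /tmp. The sample profile files and their names are constructed, and includes are assumed to sit in the same directory as the profile.

```shell
# Print profile $1 with "include" lines expanded in place. Assumption: includes
# live in the same directory; unreadable ones (an absent *.local) are skipped.
# The body is a subshell so $dir stays local across the recursion.
flatten_profile() (
    [ -r "$1" ] || exit 0
    dir=$(dirname "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            include\ *) flatten_profile "$dir/${line#include }" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
)

# Succeed if private-tmp is active: present, not commented out, and not
# preceded by "ignore private-tmp" (profile form of --ignore=private-tmp).
private_tmp_active() {
    flatten_profile "$1" | awk '
        $1 == "ignore" && $2 == "private-tmp" { ignored = 1 }
        $1 == "private-tmp" && !ignored       { active = 1 }
        END { exit !active }'
}

# Succeed if workdir $2 would be replaced by an empty tmpfs under profile $1.
workdir_hidden() {
    case $2 in
        /tmp | /tmp/*) private_tmp_active "$1" ;;
        *) return 1 ;;
    esac
}

# Constructed sample profiles (not the shipped telegram.profile).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'include sample.local' 'include sample-common.inc' \
        'caps.drop all' > "$d/strict.profile"
    printf '%s\n' 'seccomp' 'private-tmp' > "$d/sample-common.inc"
    printf '%s\n' 'caps.drop all' '# private-tmp' > "$d/relaxed.profile"
    echo "$d"
}

d=$(make_samples)
for p in strict relaxed; do
    if workdir_hidden "$d/$p.profile" /tmp/tg1; then
        echo "$p: /tmp/tg1 hidden, add --whitelist=/tmp/tg1"
    else
        echo "$p: /tmp/tg1 visible"
    fi
done
rm -rf "$d"
```

Of the two fixes in the comment above, `--whitelist=/tmp/tg1` keeps the rest of /tmp private, while `--ignore=private-tmp` exposes all of the host's /tmp to the sandbox.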