[GH-ISSUE #5975] nautilus: cannot connect through sftp #3147

Closed
opened 2026-05-05 09:46:38 -06:00 by gitea-mirror · 26 comments
Owner

Originally created by @Alex-Farol on GitHub (Aug 26, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5975

Description

Nautilus can't connect to an sftp resource if firecfg is set.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run firecfg as root
  2. Open Nautilus -> go "other locations"
  3. Type sftp://[user]@[ip address]
  4. Get "unable to access location" error message

Expected behavior

To connect to the sftp location.

Actual behavior

With firecfg set, can't connect through sftp.

Behavior without a profile

Running firecfg --clean, everything goes as expected.

Additional context

The problem doesn't occur with smb connections.

Environment

  • Debian 12 (Bookworm)
  • Firejail 0.9.72.

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Nautilus doesn't run with a profile

Output of LC_ALL=C firejail --debug /path/to/program

Nautilus doesn't run with a profile

gitea-mirror 2026-05-05 09:46:38 -06:00
  • closed this issue
  • added the duplicate label
Author
Owner

@kmk3 commented on GitHub (Aug 26, 2023):

Nautilus can't connect to an sftp resource if firecfg is set.

  1. Run firecfg as root
  2. Open Nautilus -> go "other locations"
  3. Type sftp://[user]@[ip address]
  4. Get "unable to access location" error message

That error message is not very informative.

If you open nautilus from a terminal and try using sftp in it, what is the
output in the terminal?

Does it work if you add the following to ~/.config/firejail/nautilus.local?

include allow-ssh.inc
Author
Owner

@Alex-Farol commented on GitHub (Aug 27, 2023):

If you open nautilus from a terminal and try using sftp in it, what is the
output in the terminal?

That's the output:

** Message: 21:55:34.552: Connecting to org.freedesktop.Tracker3.Miner.Files

(org.gnome.Nautilus:6147): Gtk-WARNING **: 21:55:43.834: GtkText - did not receive a focus-out event.
If you handle this event, you must return
GDK_EVENT_PROPAGATE so the default handler
gets the event as well

Does it work if you add the following to ~/.config/firejail/nautilus.local?

include allow-ssh.inc

Unfortunately, it didn't help.

Beyond that, looking for help on Gnome Discourse (before knowing the issue has been caused by firejail), it was suggested to take the output by using steps described on https://wiki.gnome.org/Projects/gvfs/debugging#Getting_debug_logs. That's what I get:

trash: Added new job source 0x5604c8ba40e0 (GVfsBackendTrash)
trash: Queued new job 0x5604c8ba4880 (GVfsJobMount)
trash: send_reply(0x5604c8ba4880), failed=0 ()
trash: backend_dbus_handler org.gtk.vfs.Mount:CreateFileMonitor (pid=7316)
trash: Queued new job 0x5604c8ba4be0 (GVfsJobCreateMonitor)
trash: send_reply(0x5604c8ba4be0), failed=0 ()
recent: Added new job source 0x563d408780f0 (GVfsBackendRecent)
recent: Queued new job 0x563d40879020 (GVfsJobMount)
recent: reloading recent items
recent: send_reply(0x563d40879020), failed=0 ()
recent: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=7316)
recent: Queued new job 0x563d40860210 (GVfsJobQueryInfo)
recent: send_reply(0x563d40860210), failed=0 ()
trash: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=7316)
trash: Queued new job 0x5604c8b8cb50 (GVfsJobQueryInfo)
trash: send_reply(0x5604c8b8cb50), failed=0 ()
trash: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=7316)
trash: Queued new job 0x5604c8b8cbf0 (GVfsJobQueryInfo)
trash: send_reply(0x5604c8b8cbf0), failed=0 ()
network: Added new job source 0x556bba153080 (GVfsBackendNetwork)
network: Queued new job 0x556bba1689f0 (GVfsJobMount)
smb-network: g_vfs_backend_smb_browse_init: default workgroup = 'NULL'
smb-network: Added new job source 0x55e69ca8a080 (GVfsBackendSmbBrowse)
smb-network: Queued new job 0x55e69ca8f210 (GVfsJobMount)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Using netbios name DEBTT.
Using workgroup WORKGROUP.
smb-network: Erro ao resolver “WORKGROUP”: Nome ou serviço desconhecido
smb-network: Forcing NT1 protocol version
smb-network: do_mount - URI = smb://WORKGROUP
smb-network: do_mount - try #0 
parsed path: fname='smb://WORKGROUP' server='WORKGROUP' share='' path='' options=''
SMBC_check_options(): server='WORKGROUP' share='' path='' options=''
smb-network: looking up cached server 'WORKGROUP'\'IPC$', user 'WORKGROUP';'alex'
smb-network:   returning (nil)
smb-network: auth_callback - anonymous pass
smb-network: auth_callback - out: last_user = 'alex', last_domain = 'WORKGROUP'
smb-network: looking up cached server 'WORKGROUP'\'IPC$', user 'WORKGROUP';'alex'
smb-network:   returning (nil)
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permissão negada
gencache_init: Opening user cache file /home/alex/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up WORKGROUP#1d (sitename (null))
namecache_fetch: no entry for WORKGROUP#1D found.
resolve_lmhosts: Attempting lmhosts lookup for name WORKGROUP<0x1d>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was Arquivo ou diretório inexistente
resolve_hosts: not appropriate for name type <0x1d>
name_resolve_bcast: Attempting broadcast lookup for name WORKGROUP<0x1d>
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up WORKGROUP#1b (sitename (null))
namecache_fetch: no entry for WORKGROUP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name WORKGROUP<0x1b>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was Arquivo ou diretório inexistente
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name WORKGROUP<0x1b>
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up WORKGROUP#20 (sitename (null))
namecache_fetch: no entry for WORKGROUP#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name WORKGROUP<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was Arquivo ou diretório inexistente
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name WORKGROUP<0x20>
resolve_hosts: getaddrinfo failed for name WORKGROUP [Nome ou serviço desconhecido]
name_resolve_bcast: Attempting broadcast lookup for name WORKGROUP<0x20>
smb-network: do_mount - [smb://WORKGROUP; 0] dir = (nil), cancelled = 0, errno = [111] 'Conexão recusada' 
smb-network: do_mount - (errno != EPERM && errno != EACCES), cancelled = 0, breaking
smb-network: send_reply(0x55e69ca8f210), failed=1 (Falha ao recuperar a lista de compartilhamento do servidor: Conexão recusada)
Performing aggressive shutdown.
smb-network: purging server cache
Context 0x7f4d10007c20 successfully freed
Freeing parametrics:
network: Couldn't create directory monitor on smb://x-gnome-default-workgroup/. Error: A localização especificada não está montada
dns-sd: Added new job source 0x563b986ab880 (GVfsBackendDnsSd)
dns-sd: Queued new job 0x563b986ac820 (GVfsJobMount)
dns-sd: send_reply(0x563b986ac820), failed=0 ()
dns-sd: backend_dbus_handler org.gtk.vfs.Mount:CreateDirectoryMonitor (pid=7364)
dns-sd: Queued new job 0x563b986acca0 (GVfsJobCreateMonitor)
dns-sd: send_reply(0x563b986acca0), failed=0 ()
dns-sd: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=7364)
dns-sd: Queued new job 0x563b986a8180 (GVfsJobEnumerate)
dns-sd: send_reply(0x563b986a8180), failed=0 ()
network: send_reply(0x556bba1689f0), failed=0 ()
network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=7316)
network: Queued new job 0x556bba150b00 (GVfsJobEnumerate)
network: send_reply(0x556bba150b00), failed=0 ()
network: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=7316)
network: Queued new job 0x556bba13b490 (GVfsJobQueryInfo)
network: send_reply(0x556bba13b490), failed=0 ()
network: backend_dbus_handler org.gtk.vfs.Mount:CreateDirectoryMonitor (pid=7316)
network: Queued new job 0x556bba183180 (GVfsJobCreateMonitor)
network: send_reply(0x556bba183180), failed=0 ()
network: Couldn't create directory monitor on smb://x-gnome-default-workgroup/. Error: A localização especificada não está montada
dns-sd: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=7364)
dns-sd: Queued new job 0x563b986a8390 (GVfsJobEnumerate)
dns-sd: send_reply(0x563b986a8390), failed=0 ()
network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=7316)
network: Queued new job 0x556bba150bb0 (GVfsJobEnumerate)
network: send_reply(0x556bba150bb0), failed=0 ()
sftp: Added new job source 0x55cfc73f1080 (GVfsBackendSftp)
sftp: Queued new job 0x55cfc73d0f30 (GVfsJobMount)
sftp: spawn_ssh: ssh -oForwardX11 no -oForwardAgent no -oPermitLocalCommand no -oClearAllForwardings yes -oProtocol 2 -oNoHostAuthenticationForLocalhost yes -oControlMaster auto -oControlPath=/run/user/1000/gvfsd-sftp/%C -s pi sftp 
sftp: handle_login #1 initial_connection = 1 - user: (null), host: pi, port: -1
sftp: handle_login #1 - password_save: 0
sftp: handle_login #1 - ret_val: 1
sftp: stderr: unix_listener: cannot bind to path /run/user/1000/gvfsd-sftp/d726d0bea0333ba4154b9c8f9d5629c9e1cfac02.1VxB0A1nSK2fhIt2: No such file or directory
sftp: send_reply(0x55cfc73d0f30), failed=1 (Conexão falhou)
network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=7316)
network: Queued new job 0x556bba150d10 (GVfsJobEnumerate)
network: send_reply(0x556bba150d10), failed=0 ()

After that, someone said that everything's fine until:

sftp: stderr: unix_listener: cannot bind to path /run/user/1000/gvfsd-sftp/d726d0bea0333ba4154b9c8f9d5629c9e1cfac02.1VxB0A1nSK2fhIt2: No such file or directory

Author
Owner

@ghost commented on GitHub (Aug 28, 2023):

We still await your reply to @kmk3's suggestion to try include allow-ssh.inc. Might also try with ignore noexec ${RUNUSER} to see if that helps nautilus + gvfs(d)...

Author
Owner

@Alex-Farol commented on GitHub (Aug 31, 2023):

Hi again!

We still await your reply to @kmk3's https://github.com/netblue30/firejail/issues/5975#issuecomment-1694349879 to try include allow-ssh.inc. Might also try with ignore noexec ${RUNUSER} to see if that helps nautilus + gvfs(d)...

I'd already replied to @kmk3's suggestion. Unfortunately, it didn't work. Trying the ignore noexec ${RUNUSER} also didn't help.

Forgive me for any typos, I'm not a native English speaker. :/

Author
Owner

@ghost commented on GitHub (Sep 2, 2023):

Still clueless as to why nautilus borks on sftp. Personally I don't sandbox file managers and don't know Nautilus very well. Is your sftp/ssh firejailing working outside of Nautilus?

Author
Owner

@Alex-Farol commented on GitHub (Sep 2, 2023):

Is your sftp/ssh firejailing working outside of Nautilus?

Yes, it is!

Author
Owner

@ghost commented on GitHub (Sep 2, 2023):

In that case I'm afraid I can only advise to take the slightly painful road and try to comment out each line in file-manager-common.profile to find the culprit...

Author
Owner

@rusty-snake commented on GitHub (Sep 3, 2023):

  • Step 1: Verify that nautilus is not run inside firejail. I.e. a process started by nautilus has the problem.
  • Step 2: Watch firemon while reproducing to find the program that gets started.
Author
Owner

@Alex-Farol commented on GitHub (Sep 9, 2023):

Step 1: Verify that nautilus is not run inside firejail. I.e. a process started by nautilus has the problem.

No, it doesn't.

Author
Owner

@Alex-Farol commented on GitHub (Sep 9, 2023):

In that case I'm afraid I can only advise to take the slightly painful road and try to comment out each line in file-manager-common.profile to find the culprit...

I commented everything inside the file, but it didn't work.

Author
Owner

@ghost commented on GitHub (Sep 10, 2023):

I commented everything inside the file, but it didn't work.

Tough nut to crack. Let's try something else.

https://github.com/netblue30/firejail/blob/032aa1ff1b992c5c1395ae1ee23c52fde41fbcd1/etc/profile-m-z/nautilus.profile#L9-L10

I think the above is what @rusty-snake was referring to in Step 1. To make absolutely sure D-Bus activation isn't interfering/causing this somehow, place both of the below files in ~/.local/share/dbus-1/services. They are drop-ins for the same files your OS should have under /usr/share/dbus-1/services, designed to intercept calls and help debugging. At the same time we run nautilus with the weakest possible firejail sandbox (noprofile.profile) to hopefully gain some details of what's happening.

$ cat ~/.local/share/dbus-1/services/org.freedesktop.FileManager1.service
[D-BUS Service]
Name=org.freedesktop.FileManager1
Exec=sh -c 'firejail --ignore=quiet --profile=noprofile /usr/bin/nautilus --gapplication-service > $HOME/Downloads/nautilus-ofm1.log 2>&1'
$ cat ~/.local/share/dbus-1/services/org.gnome.Nautilus.service
[D-BUS Service]
Name=org.gnome.Nautilus
Exec=sh -c 'firejail --ignore=quiet --profile=noprofile /usr/bin/nautilus --gapplication-service > $HOME/Downloads/nautilus-ogn.log 2>&1'

After a re-login, repeat what you always do nautilus-wise and if you get logs in your ~/Downloads directory, please post them here.

Author
Owner

@Alex-Farol commented on GitHub (Sep 24, 2023):

Hi, @glitsj16!

I appreciate your help. Unfortunately, I did exactly as you suggested but the problem persists and no log file was created.

Author
Owner

@phoenix-advance commented on GitHub (Sep 27, 2023):

Hello. What happens if you remove ssh from being firejailed? A bit crude but something like...
sudo rm /usr/local/bin/ssh
... and then log out and then back in to test.

Author
Owner

@Alex-Farol commented on GitHub (Oct 1, 2023):

@phoenix-advance, removing /usr/local/bin/ssh did the trick. Thanks for the fix!
Now I just would like to know if there can be any security implication after that.

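The workaround above works because firecfg places an ssh symlink to firejail in /usr/local/bin, ahead of /usr/bin in PATH, so the ssh that gvfsd-sftp spawns is sandboxed without nautilus knowing. The following shell check is an added example (not code from the thread or the firejail project) that reports, for any command name, whether its first PATH hit is such a firejail redirect; it builds a constructed fake PATH so it runs without firejail installed.

```shell
#!/bin/sh
# Added example (not from the issue thread): classify how a command name would
# run given a PATH-like list. firecfg integration works by symlinks named after
# each program (e.g. /usr/local/bin/ssh -> /usr/bin/firejail); whichever
# directory comes first in PATH wins, so helpers spawned by other programs are
# redirected too. Output is one of:
#   sandboxed <path> -> <target>   first PATH hit is a symlink to firejail
#   plain <path>                   first PATH hit is not a firejail redirect
#   missing                        not found in the given PATH

# Print the first executable named "$1" found in the colon-separated list "$2".
first_in_path() {
    name=$1
    dirs=$2
    old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        if [ -x "$d/$name" ] && [ ! -d "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Classify "$1" against PATH-like list "$2" (see the output forms above).
firecfg_status() {
    hit=$(first_in_path "$1" "$2") || { echo missing; return 1; }
    if [ -L "$hit" ]; then
        target=$(readlink -f "$hit")
        case $(basename "$target") in
            firejail) echo "sandboxed $hit -> $target"; return 0 ;;
        esac
    fi
    echo "plain $hit"
    return 0
}

# Demo on a constructed layout so it runs anywhere: a fake /usr/local/bin with
# an ssh symlink to a fake firejail, and a plain ssh in a fake /usr/bin.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/local/bin" "$tmp/usr/bin"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/firejail"; chmod +x "$tmp/usr/bin/firejail"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/ssh"; chmod +x "$tmp/usr/bin/ssh"
    ln -s "$tmp/usr/bin/firejail" "$tmp/local/bin/ssh"   # what firecfg creates
    firecfg_status ssh "$tmp/local/bin:$tmp/usr/bin"     # sandboxed ...
    rm "$tmp/local/bin/ssh"                              # the thread's workaround
    firecfg_status ssh "$tmp/local/bin:$tmp/usr/bin"     # plain ...
    rm -rf "$tmp"
}

demo
```

Run it against the real system with `firecfg_status ssh "$PATH"` to see whether ssh is currently redirected.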
Author
Owner

@phoenix-advance commented on GitHub (Oct 2, 2023):

This definitely needs a proper fix. But I personally don't think removing ssh from doing sudo firecfg would be a big issue. If there's a security vulnerability with ssh, then there would be bigger fish to fry.

Author
Owner

@ghost commented on GitHub (Oct 2, 2023):

> [...] removing /usr/local/bin/ssh did the trick. [...]

> [...] But I personally don't think removing ssh from doing sudo firecfg would be a big issue. [...]

Depending on threat model and work-flow habits/preferences one can opt to disable SSH sandboxing. Far from ideal though. After going over this thread once again I wonder if `deterministic-shutdown` in the ssh.profile is involved.

References:

- https://github.com/netblue30/firejail/pull/4870
- #3491

@Alex-Farol Can you test this? So resurrect the /usr/local/bin/ssh symlink and add `ignore deterministic-shutdown` to your ssh.local.

@Alex-Farol commented on GitHub (Oct 2, 2023):

> @Alex-Farol Can you test this? So resurrect the /usr/local/bin/ssh symlink and add `ignore deterministic-shutdown` to your ssh.local.

My system didn't have a ssh.local file, so I created one and put that statement inside it. After bringing back the /usr/local/bin/ssh and testing Nautilus, the problem took place one more time.

@ghost commented on GitHub (Oct 3, 2023):

@Alex-Farol Thanks for testing. I have only one idea left:

```sh
$ cat ~/.config/firejail/ssh.local
ignore memory-deny-write-execute
ignore restrict-namespaces
```

HTH

@Alex-Farol commented on GitHub (Oct 4, 2023):

> ```sh
> $ cat ~/.config/firejail/ssh.local
> ignore memory-deny-write-execute
> ignore restrict-namespaces
> ```

I tried with and without "ignore deterministic-shutdown", but none of them worked.

@ghost commented on GitHub (Oct 4, 2023):

@Alex-Farol Thanks a lot for testing. Sadly this all seems to confirm that the `nautilus` SFTP functionality can't be properly sandboxed (as @phoenix-advance indicated). Personally I wouldn't feel comfortable disabling SSH sandboxing (by removing the /usr/local/bin/ssh symlink). Instead I would suggest using a dedicated app like [FileZilla](https://filezilla-project.org/) via firejail. It's always a pain to re-train muscle memory, but sometimes that's simply unavoidable...

@phoenix-advance commented on GitHub (Oct 4, 2023):

@Alex-Farol Just one more test if you're keen...

```
$ vim ~/.config/firejail/ssh.local
ignore whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
ignore whitelist ${RUNUSER}/keyring/ssh
ignore include whitelist-runuser-common.inc
```

@Alex-Farol commented on GitHub (Oct 19, 2023):

> $ vim ~/.config/firejail/ssh.local
> ignore whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
> ignore whitelist ${RUNUSER}/keyring/ssh
> ignore include whitelist-runuser-common.inc

@phoenix-advance, it works!

@mirko commented on GitHub (Sep 14, 2024):

Changes which made it work for me:

`include allow-ssh.inc` in `include allow-ssh.inc` (changes Error from "Timeout" to "Connection failed")
`whitelist ${RUNUSER}/gvfsd-sftp` in `ssh.local`
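The two working `ssh.local` variants in this thread (@phoenix-advance's three `ignore` lines and @mirko's single `whitelist ${RUNUSER}/gvfsd-sftp`) differ in how much of the user runtime directory the sandboxed `ssh` ends up seeing. The script below is an added example, not code from firejail or from anyone in this thread. It models two firejail rules: `ignore X` in a `.local` file drops every profile line that reads exactly `X` or starts with `X` followed by a space (this also applies to `include` lines), and once any path under a top-level directory such as `${RUNUSER}` is whitelisted, that directory becomes whitelist-only and every unlisted path in it is hidden. The profile text, the include contents, the probe paths and the `/run/user/1000` expansion are all constructed for the example and are not copies of the real `ssh.profile` or `whitelist-runuser-common.inc`.

```python
"""Model of how firejail's `ignore` and `whitelist` directives interact.

Added example, not code from firejail or from this issue thread. The profile
text, include contents, probe paths and RUNUSER value are constructed.
"""

RUNUSER = "/run/user/1000"  # assumed expansion of ${RUNUSER}

# Stand-in for the real include file (constructed, abbreviated).
INCLUDES = {
    "whitelist-runuser-common.inc": [
        "whitelist ${RUNUSER}/bus",
        "whitelist ${RUNUSER}/pulse/native",
    ],
}

# Stand-in for the parts of ssh.profile that matter here (constructed).
SSH_PROFILE = [
    "include ssh.local",
    "whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh",
    "whitelist ${RUNUSER}/keyring/ssh",
    "include whitelist-runuser-common.inc",
    "memory-deny-write-execute",
    "restrict-namespaces",
]

# Probe paths under ${RUNUSER}; the gvfsd-sftp one is what nautilus needs.
PROBE_PATHS = [
    f"{RUNUSER}/gvfsd-sftp/askpass",   # constructed name inside gvfsd-sftp/
    f"{RUNUSER}/keyring/ssh",
    f"{RUNUSER}/bus",
    f"{RUNUSER}/app/other-secret",     # constructed: something ssh need not see
]


def is_ignored(line, ignore_list):
    """`ignore X` matches a line equal to X or starting with 'X ' (word boundary)."""
    return any(line == ig or line.startswith(ig + " ") for ig in ignore_list)


def resolve(profile, local, includes):
    """Return the effective directive list after applying the .local overrides."""
    ignore_list = [ln[len("ignore "):].strip() for ln in local if ln.startswith("ignore ")]
    local_rest = [ln for ln in local if not ln.startswith("ignore ")]
    effective = []

    def walk(lines):
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("#") or is_ignored(line, ignore_list):
                continue
            if line.startswith("include "):
                name = line.split(None, 1)[1]
                # ssh.profile pulls in ssh.local via `include ssh.local`
                walk(local_rest if name.endswith(".local") else includes.get(name, []))
                continue
            effective.append(line)

    walk(profile)
    return effective


def visible_in_runuser(effective, paths):
    """Which of `paths` (all under RUNUSER) survive the whitelist-only rule."""
    wl = [ln.split(None, 1)[1].replace("${RUNUSER}", RUNUSER)
          for ln in effective if ln.startswith("whitelist ")]
    under = [w for w in wl if w.startswith(RUNUSER + "/")]
    if not under:  # nothing whitelisted under ${RUNUSER}: the real dir stays visible
        return sorted(paths)
    return sorted(p for p in paths
                  if any(p == w or p.startswith(w + "/") for w in under))


FIXES = {
    "stock": [],
    "ignore": [  # @phoenix-advance's ssh.local: drop the ${RUNUSER} whitelists
        "ignore whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh",
        "ignore whitelist ${RUNUSER}/keyring/ssh",
        "ignore include whitelist-runuser-common.inc",
    ],
    "whitelist": [  # @mirko's ssh.local: add the one directory gvfs needs
        "whitelist ${RUNUSER}/gvfsd-sftp",
    ],
}


def compare_fixes():
    """Map each ssh.local variant to the probe paths the sandboxed ssh could reach."""
    return {name: visible_in_runuser(resolve(SSH_PROFILE, local, INCLUDES), PROBE_PATHS)
            for name, local in FIXES.items()}


if __name__ == "__main__":
    for name, seen in compare_fixes().items():
        print(f"{name:10s} -> {seen}")
```

Under this model the stock profile hides `gvfsd-sftp/` (which matches the failure reported), the three `ignore` lines remove every whitelist under `${RUNUSER}` so the whole runtime directory (D-Bus socket, keyring, other applications' sockets) becomes reachable from the sandboxed `ssh`, and the single extra `whitelist` exposes only the gvfs directory on top of what `ssh.profile` already allowed. The model does not cover @mirko's first change (`allow-ssh.inc`), which concerns paths under `${HOME}` rather than `${RUNUSER}`.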

@kmk3 commented on GitHub (Sep 16, 2024):

> Changes which made it work for me:
>
> `include allow-ssh.inc` in `include allow-ssh.inc` (changes Error from
> "Timeout" to "Connection failed") `whitelist ${RUNUSER}/gvfsd-sftp` in
> `ssh.local`

Do you mean `include allow-ssh.inc` in `nautilus.profile`?

@kmk3 commented on GitHub (Sep 16, 2024):

> Changes which made it work for me:
>
> `include allow-ssh.inc` in `include allow-ssh.inc` (changes Error from
> "Timeout" to "Connection failed") `whitelist ${RUNUSER}/gvfsd-sftp` in
> `ssh.local`

If the fix is the same as for #5816, then this is probably a duplicate.

Good catch.

@kmk3 commented on GitHub (Sep 16, 2024):

Duplicate of #5816