[GH-ISSUE #6080] file-roller: cannot use "open with" (dbus/noroot) #3173

New issue

Closed

opened 2026-05-05 09:47:56 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented 2026-05-05 09:47:56 -06:00

Owner

Copy link

Originally created by @oknyshuk on GitHub (Nov 8, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6080

Description

can't use "open with..." in file-roller because dbus is broker. without firejail it works

Steps to Reproduce

1. run file-roller <some archive>
2. rmb on any file within the archive, click on 'open with...'
3. see error GDBUS error ... org.freedesktop.DBus.Error.ServiceUnknown

Expected behavior

app picker should appear

Actual behavior

error popup appears

Behavior without a profile

$ firejail --noprofile /usr/bin/file-roller downloads/archive.rar
firejail version 0.9.73

Parent pid 110214, child pid 110215
Base filesystem installed in 0.06 ms
Child process initialized in 5.70 ms

Parent is shutting down, bye...

Environment

• Linux distribution and version: Arch Linux
• Firejail version: 0.9.73 (git commit: 37e40e0206)

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
• I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

output of firejail /usr/bin/file-roller ~/downloads/archive.rar

Reading profile /etc/firejail/file-roller.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.73

Parent pid 109495, child pid 109499
29 programs installed in 48.25 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 29.27 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/olk/.ssh/config
Base filesystem installed in 106.15 ms
Child process initialized in 233.40 ms

(file-roller:54): dbind-WARNING **: 02:39:34.636: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown

Parent is shutting down, bye...

output of LC_ALL=C firejail --debug /usr/bin/file-roller ~/downloads/archive.rar

https://gist.github.com/k1gen/fed7cfcde23c02e6107aa261a2ac7c04

Originally created by @oknyshuk on GitHub (Nov 8, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/6080 ### Description can't use "open with..." in file-roller because dbus is broker. without firejail it works ### Steps to Reproduce 1. run `file-roller <some archive>` 2. rmb on any file within the archive, click on 'open with...' 3. see error `GDBUS error ... org.freedesktop.DBus.Error.ServiceUnknown` ### Expected behavior app picker should appear ### Actual behavior error popup appears ### Behavior without a profile ``` $ firejail --noprofile /usr/bin/file-roller downloads/archive.rar firejail version 0.9.73 Parent pid 110214, child pid 110215 Base filesystem installed in 0.06 ms Child process initialized in 5.70 ms Parent is shutting down, bye... ``` ### Environment - Linux distribution and version: Arch Linux - Firejail version: 0.9.73 (git commit: 37e40e020636741bfb61658df180fe7bdd2df7e8) ### Checklist - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>output of <code>firejail /usr/bin/file-roller ~/downloads/archive.rar</code></summary> <p> ``` Reading profile /etc/firejail/file-roller.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.73 Parent pid 109495, child pid 109499 29 programs installed in 48.25 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 29.27 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: not remounting /home/olk/.ssh/config Base filesystem installed in 106.15 ms Child process initialized in 233.40 ms (file-roller:54): dbind-WARNING **: 02:39:34.636: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown Parent is shutting down, bye... ``` </p> </details> <details> <summary>output of <code>LC_ALL=C firejail --debug /usr/bin/file-roller ~/downloads/archive.rar</code></summary> <p> ``` https://gist.github.com/k1gen/fed7cfcde23c02e6107aa261a2ac7c04 ``` </p> </details>

gitea-mirror 2026-05-05 09:47:56 -06:00

• closed this issue
• added the
  notabug
  label

gitea-mirror commented 2026-05-05 09:47:59 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Nov 8, 2023):

If you want to use open-with, start with

ignore include disable-programs.inc
ignore private-bin
ignore dbus-user filter

<!-- gh-comment-id:1802312159 --> @rusty-snake commented on GitHub (Nov 8, 2023): If you want to use open-with, start with ``` ignore include disable-programs.inc ignore private-bin ignore dbus-user filter ```

gitea-mirror commented 2026-05-05 09:47:59 -06:00

Author

Owner

Copy link

@oknyshuk commented on GitHub (Nov 9, 2023):

@rusty-snake:

$ bat -p /etc/firejail/file-roller.local
ignore include disable-programs.inc
ignore private-bin
ignore dbus-user filter
$ file-roller downloads/virt-v2v-2.2.0-3-x86_64.pkg.tar.xz
Reading profile /etc/firejail/file-roller.profile
Reading profile /etc/firejail/file-roller.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.73

Ignoring "dbus-user.own org.gnome.ArchiveManager1" and 2 other dbus-user filter rules.
Parent pid 32313, child pid 32314
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 29.17 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/olk/.ssh/config
Base filesystem installed in 386.76 ms
Child process initialized in 450.34 ms

(file-roller:25): dbind-WARNING **: 22:04:05.452: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus: No such file or directory

(file-roller:25): Handy-CRITICAL **: 22:04:05.481: Couldn't read the color-scheme setting: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/32339/root

(file-roller:25): Handy-CRITICAL **: 22:04:05.482: Couldn't read the color-scheme setting: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/32339/root

(file-roller:25): Handy-CRITICAL **: 22:04:05.482: Couldn't read the high-contrast setting: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/32339/root

(file-roller:25): GVFS-WARNING **: 22:04:17.839: can't init metadata tree /home/olk/.local/share/gvfs-metadata/home: open: Permission denied

(file-roller:25): GVFS-WARNING **: 22:04:17.839: can't init metadata tree /home/olk/.local/share/gvfs-metadata/home: open: Permission denied

Parent is shutting down, bye...

<!-- gh-comment-id:1804684068 --> @oknyshuk commented on GitHub (Nov 9, 2023): @rusty-snake: ``` $ bat -p /etc/firejail/file-roller.local ignore include disable-programs.inc ignore private-bin ignore dbus-user filter $ file-roller downloads/virt-v2v-2.2.0-3-x86_64.pkg.tar.xz Reading profile /etc/firejail/file-roller.profile Reading profile /etc/firejail/file-roller.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.73 Ignoring "dbus-user.own org.gnome.ArchiveManager1" and 2 other dbus-user filter rules. Parent pid 32313, child pid 32314 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 29.17 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: not remounting /home/olk/.ssh/config Base filesystem installed in 386.76 ms Child process initialized in 450.34 ms (file-roller:25): dbind-WARNING **: 22:04:05.452: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus: No such file or directory (file-roller:25): Handy-CRITICAL **: 22:04:05.481: Couldn't read the color-scheme setting: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/32339/root (file-roller:25): Handy-CRITICAL **: 22:04:05.482: Couldn't read the color-scheme setting: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/32339/root (file-roller:25): Handy-CRITICAL **: 22:04:05.482: Couldn't read the high-contrast setting: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/32339/root (file-roller:25): GVFS-WARNING **: 22:04:17.839: can't init metadata tree /home/olk/.local/share/gvfs-metadata/home: open: Permission denied (file-roller:25): GVFS-WARNING **: 22:04:17.839: can't init metadata tree /home/olk/.local/share/gvfs-metadata/home: open: Permission denied Parent is shutting down, bye... ```

gitea-mirror commented 2026-05-05 09:47:59 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Nov 13, 2023):

[...] Portal operation not allowed: Unable to open /proc/32339/root

This might be due to noroot, cfr. https://github.com/netblue30/firejail/issues/2506#issuecomment-469047491. Try again adding ignore noroot.

/home/olk/.local/share/gvfs-metadata/home: open: Permission denied

disable-common.inc blocks that path. Try again adding noblacklist ${HOME}/.local/share/gvfs-metadata.

Please note that all these ignores do loosen the file-roller sandbox. If you really need the "open with..." functionality you'll have to do that. Alternatively you could keep the sandbox as tight as possible, extract the file(s) you need and open those separately from file-roller. Such a workflow has the added benefit of opening them with a dedicated, fully sandboxed app (when the mimetype is supported obviously). Always up to user discretion/personal preferences to determine the balance between security/ease-of-use...

<!-- gh-comment-id:1807569636 --> @ghost commented on GitHub (Nov 13, 2023): > [...] Portal operation not allowed: Unable to open /proc/32339/root This _might_ be due to `noroot`, cfr. https://github.com/netblue30/firejail/issues/2506#issuecomment-469047491. Try again adding `ignore noroot`. > /home/olk/.local/share/gvfs-metadata/home: open: Permission denied disable-common.inc blocks that path. Try again adding `noblacklist ${HOME}/.local/share/gvfs-metadata`. Please note that all these ignores do loosen the file-roller sandbox. If you really need the "open with..." functionality you'll have to do that. Alternatively you could keep the sandbox as tight as possible, extract the file(s) you need and open those separately from file-roller. Such a workflow has the added benefit of opening them with a dedicated, fully sandboxed app (when the mimetype is supported obviously). Always up to user discretion/personal preferences to determine the balance between security/ease-of-use...

gitea-mirror commented 2026-05-05 09:48:00 -06:00

Author

Owner

Copy link

@oknyshuk commented on GitHub (Nov 13, 2023):

thanks, that works:

$ bat -p /etc/firejail/file-roller.local
ignore include disable-programs.inc
ignore private-bin
ignore dbus-user filter
ignore noroot
noblacklist ${HOME}/.local/share/gvfs-metadata

<!-- gh-comment-id:1808484845 --> @oknyshuk commented on GitHub (Nov 13, 2023): thanks, that works: ``` $ bat -p /etc/firejail/file-roller.local ignore include disable-programs.inc ignore private-bin ignore dbus-user filter ignore noroot noblacklist ${HOME}/.local/share/gvfs-metadata ```

gitea-mirror commented 2026-05-05 09:48:00 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Nov 13, 2023):

thanks, that works:

@k1gen Now you've got the portal working by using ignore noroot it might be possible to keep dbus-user filtering. Try exchanging ignore dbus-user filter with dbus-user.talk org.freedesktop.portal.Desktop.

<!-- gh-comment-id:1808622372 --> @ghost commented on GitHub (Nov 13, 2023): > thanks, that works: @k1gen Now you've got the portal working by using `ignore noroot` it might be possible to keep dbus-user filtering. Try exchanging `ignore dbus-user filter` with `dbus-user.talk org.freedesktop.portal.Desktop`.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3173

No description provided.