[GH-ISSUE #6100] keepassxc: cannot save database #3180

Closed
opened 2026-05-05 09:48:08 -06:00 by gitea-mirror · 4 comments

Originally created by @oknyshuk on GitHub (Nov 23, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6100

Description

Hardened and sandboxed KeePassXC can't save the password database.

Steps to Reproduce

  1. Add a keepassxc.local (you should modify the path to the db)
  2. Run firejail keepassxc
  3. Add a new entry/delete one, so KeePassXC tries to save the database
  4. See error:
       Writing the database failed: Destination file exists
       Backup database located at /tmp/KeePassXC...

Expected behavior

I expected KeePassXC to save the file without trouble, especially since I have ignore private-tmp in my keepassxc.local.

Actual behavior

I have an error.

Behavior without a profile

Everything works fine.

Additional context

~/.config/firejail/keepassxc.local:

ignore private-tmp
noblacklist ${HOME}/gdrive/passwords.kdbx
whitelist ${HOME}/gdrive/passwords.kdbx
noblacklist ${HOME}/documents/passwords.kdbx
whitelist ${HOME}/documents/passwords.kdbx

dbus-user.talk org.freedesktop.portal.Desktop

noblacklist ${RUNUSER}/app
mkdir ${HOME}/.mozilla/native-messaging-hosts
mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
mkdir ${HOME}/.cache/keepassxc
mkdir ${HOME}/.config/keepassxc
whitelist ${HOME}/.cache/keepassxc
whitelist ${HOME}/.config/keepassxc
whitelist ${HOME}/.config/KeePassXCrc
include whitelist-common.inc

Screenshot: https://github.com/netblue30/firejail/assets/62500387/4410215e-352b-46fd-95af-8d14229933db

Related KeePassXC settings: https://github.com/netblue30/firejail/assets/62500387/ad315483-2422-48f5-8969-a7b2622f47b2

Environment

  • Linux distribution and version: Arch Linux
  • Firejail version: 0.9.73 (git commit 3c303ab1dc172835559b0798df04b9b625bd1093)

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of firejail keepassxc

Reading profile /etc/firejail/keepassxc.profile
Reading profile /home/olk/.config/firejail/keepassxc.local
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.73

Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 3283, child pid 3287
3 programs installed in 97.62 ms
Private /etc installed in 47.53 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Base filesystem installed in 539.50 ms
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Child process initialized in 998.63 ms
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.

(keepassxc:21): dbind-WARNING **: 14:47:46.185: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
^C
Parent received signal 2, shutting down the child process...
QFSFileEngine::open: No file name specified

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Output of firejail --debug keepassxc

https://gist.github.com/k1gen/bc4feee5e5e3a8eba74eee64909e626e

gitea-mirror 2026-05-05 09:48:08 -06:00: closed this issue and added the notabug label

@rusty-snake commented on GitHub (Nov 23, 2023):

Play with "Use alternative saving method" OR whitelist the folder containing your kdbx.


@oknyshuk commented on GitHub (Nov 23, 2023):

I get this after disabling "Use alternative saving method":
https://github.com/netblue30/firejail/assets/62500387/100cfedc-d30d-4158-8f12-964691312c8f

The "Directly write to database file (dangerous)" option works, but if we can work out this bug and not use it, I'd like to do that.


@rusty-snake commented on GitHub (Nov 24, 2023):

If you do not want direct writes, you have to whitelist the directory in which your kdbx resides rather than the kdbx file itself.

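The fix rusty-snake describes, as an added shell example that is not part of this issue and not code from the firejail or KeePassXC projects. KeePassXC's default safe save writes a temporary file next to the database and then renames it over the original, so the sandbox has to allow writes in the database's directory, not only to the .kdbx file itself. The script has two parts: `write_local` emits the corrected `keepassxc.local` lines (whitelisting the directory) to a path supplied by the caller, so it can be tried in a scratch directory rather than touching `~/.config/firejail/keepassxc.local` directly; `check_atomic_save` performs that same temp-file-plus-rename step by hand against a given file, which is a quick way to confirm that a directory accepts this kind of save before blaming the profile. The `${HOME}/documents` path is taken from the issue's own profile; the function names and the scratch-directory layout are my assumptions.

```shell
#!/bin/sh
# Added example for this issue; not code from firejail or KeePassXC.
# Assumed: the keepassxc.local destination is passed in by the caller
# (the real file is ~/.config/firejail/keepassxc.local); the database
# directory is the ${HOME}/documents path from the issue's profile.

# write_local DEST DBDIR
# Emit a keepassxc.local that whitelists the directory holding the .kdbx.
# DBDIR is written literally (e.g. '${HOME}/documents'), so firejail
# expands ${HOME} when it loads the profile; the shell must not expand it.
write_local() {
    dest=$1
    dbdir=$2
    {
        printf '%s\n' '# Whitelist the directory, not the .kdbx file: the safe save'
        printf '%s\n' '# writes a temp file beside the database and renames it over'
        printf '%s\n' '# the original, which needs write access to the directory.'
        printf 'noblacklist %s\n' "$dbdir"
        printf 'whitelist %s\n' "$dbdir"
        printf '%s\n' 'include whitelist-common.inc'
    } > "$dest"
}

# check_atomic_save TARGET
# Reproduce the safe-save step by hand: create a temp file in TARGET's
# directory, write to it, rename it over TARGET. Returns 0 on success and
# removes its temp file on failure. Point it at a COPY of the database,
# never the real one, when running it inside the sandbox.
check_atomic_save() {
    target=$1
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.kdbx-save.XXXXXX") || return 1
    if ! printf 'new database contents\n' > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! mv -f "$tmp" "$target"; then
        rm -f "$tmp"
        return 1
    fi
    return 0
}

# Stand-alone run in a scratch directory: writes the profile fragment,
# creates a dummy database, and tries the atomic save against it.
main() {
    scratch=$(mktemp -d)
    write_local "$scratch/keepassxc.local" '${HOME}/documents'
    cat "$scratch/keepassxc.local"
    printf 'old database contents\n' > "$scratch/passwords.kdbx"
    if check_atomic_save "$scratch/passwords.kdbx"; then
        echo "atomic save OK in $scratch"
    else
        echo "atomic save FAILED in $scratch"
    fi
    rm -rf "$scratch"
}

main "$@"
```

Whitelisting a directory exposes everything in it to the sandboxed process, so a dedicated directory that holds only the database keeps the grant narrower than a broad one like `${HOME}/documents`; the issue's own profile already whitelists two separate .kdbx paths, and each would need its directory rather than the file.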

@oknyshuk commented on GitHub (Nov 24, 2023):

thanks, that works!

Reference: github-starred/firejail#3180