[GH-ISSUE #6275] telegram: cannot open links in browser #3231

New issue

Open

opened 2026-05-05 09:50:24 -06:00 by gitea-mirror · 14 comments

gitea-mirror commented 2026-05-05 09:50:24 -06:00

Owner

Copy link

Originally created by @reagentoo on GitHub (Mar 15, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6275

Hello :) fresh install of Gentoo with Firejail and noticed that clicking links in Telegram with Firejail does not open them in default browser.

Linux:

Gentoo Linux ~amd64

Configuration:

firejail-0.9.72
firefox-123.0.1
telegram-desktop-4.15.2

Console output on clicking links:

/usr/local/bin/xdg-open: line 665: grep: command not found
/usr/local/bin/xdg-open: line 659: grep: command not found
/usr/local/bin/xdg-open: line 688: grep: command not found
xdg-open: file 'https://some.link' does not exist

This is reopen https://github.com/netblue30/firejail/issues/3031

Originally created by @reagentoo on GitHub (Mar 15, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6275 Hello :) fresh install of Gentoo with Firejail and noticed that clicking links in Telegram with Firejail does not open them in default browser. Linux: ``` Gentoo Linux ~amd64 ``` Configuration: ``` firejail-0.9.72 firefox-123.0.1 telegram-desktop-4.15.2 ``` Console output on clicking links: ``` /usr/local/bin/xdg-open: line 665: grep: command not found /usr/local/bin/xdg-open: line 659: grep: command not found /usr/local/bin/xdg-open: line 688: grep: command not found xdg-open: file 'https://some.link' does not exist ``` This is reopen https://github.com/netblue30/firejail/issues/3031

gitea-mirror added the

sandbox-ipc

label 2026-05-05 09:50:24 -06:00

gitea-mirror commented 2026-05-05 09:50:25 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Mar 15, 2024):

Hello :) fresh install of Gentoo with Firejail and noticed that clicking
links in Telegram with Firejail does not open them in default browser.

/usr/local/bin/xdg-open: line 665: grep: command not found
/usr/local/bin/xdg-open: line 659: grep: command not found
/usr/local/bin/xdg-open: line 688: grep: command not found
xdg-open: file 'https://some.link' does not exist

Hello, what happens with the following in ~/.config/firejail/telegram.local:

private-bin grep,sed,tr

If there are more similar errors try adding the commands to private-bin.

<!-- gh-comment-id:2000228720 --> @kmk3 commented on GitHub (Mar 15, 2024): > Hello :) fresh install of Gentoo with Firejail and noticed that clicking > links in Telegram with Firejail does not open them in default browser. > ``` > /usr/local/bin/xdg-open: line 665: grep: command not found > /usr/local/bin/xdg-open: line 659: grep: command not found > /usr/local/bin/xdg-open: line 688: grep: command not found > xdg-open: file 'https://some.link' does not exist > ``` Hello, what happens with the following in ~/.config/firejail/telegram.local: ```sh private-bin grep,sed,tr ``` If there are more similar errors try adding the commands to `private-bin`.

gitea-mirror commented 2026-05-05 09:50:26 -06:00

Author

Owner

Copy link

@reagentoo commented on GitHub (Mar 15, 2024):

Hello, what happens with the following in ~/.config/firejail/telegram.local:

private-bin grep,sed,tr

If there are more similar errors try adding the commands to private-bin.

xdg-open: no method available for opening 'https://link'

<!-- gh-comment-id:2000324343 --> @reagentoo commented on GitHub (Mar 15, 2024): > Hello, what happens with the following in ~/.config/firejail/telegram.local: > > ```shell > private-bin grep,sed,tr > ``` > > If there are more similar errors try adding the commands to `private-bin`. ``` xdg-open: no method available for opening 'https://link' ```

gitea-mirror commented 2026-05-05 09:50:27 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Mar 15, 2024):

If there are more similar errors try adding the commands to private-bin.

xdg-open: no method available for opening 'https://link'

What happens with just ignore private-bin?

Note that you can probably debug this with xdg-open directly:

firejail --profile=telegram /usr/bin/xdg-open 'https://link'

<!-- gh-comment-id:2000419223 --> @kmk3 commented on GitHub (Mar 15, 2024): > > If there are more similar errors try adding the commands to `private-bin`. > > ``` > xdg-open: no method available for opening 'https://link' > ``` What happens with just `ignore private-bin`? Note that you can probably debug this with xdg-open directly: ```sh firejail --profile=telegram /usr/bin/xdg-open 'https://link' ```

gitea-mirror commented 2026-05-05 09:50:28 -06:00

Author

Owner

Copy link

@reagentoo commented on GitHub (Mar 15, 2024):

What happens with just ignore private-bin?

Note that you can probably debug this with xdg-open directly:

firejail --profile=telegram /usr/bin/xdg-open 'https://link'

I've added the next lines:

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
ignore private-bin

And got the next result:

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

<!-- gh-comment-id:2000449660 --> @reagentoo commented on GitHub (Mar 15, 2024): > What happens with just `ignore private-bin`? > > Note that you can probably debug this with xdg-open directly: > > ```shell > firejail --profile=telegram /usr/bin/xdg-open 'https://link' > ``` I've added the next lines: ``` noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla ignore private-bin ``` And got the next result: ``` Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features ``` 

gitea-mirror commented 2026-05-05 09:50:30 -06:00

Author

Owner

Copy link

@reagentoo commented on GitHub (Mar 15, 2024):

Fixed by adding dbus related lines and all xdg-open dependencies:

dbus-user.own org.chromium.*
dbus-user.own org.mozilla.firefox.*
private-bin awk,basename,cut,env,grep,head,realpath,sed,tr,uname,xdg-mime
private-bin chromium,chromium-browser,elinks,epiphany,firefox,google-chrome,iceweasel,konqueror,links,links2,lynx,mozilla,seamonkey,w3m,www-browser,x-www-browser

(not tested with chromium)

Related issues:
https://github.com/netblue30/firejail/issues/3290

<!-- gh-comment-id:2000577631 --> @reagentoo commented on GitHub (Mar 15, 2024): Fixed by adding dbus related lines and all xdg-open dependencies: ``` dbus-user.own org.chromium.* dbus-user.own org.mozilla.firefox.* private-bin awk,basename,cut,env,grep,head,realpath,sed,tr,uname,xdg-mime private-bin chromium,chromium-browser,elinks,epiphany,firefox,google-chrome,iceweasel,konqueror,links,links2,lynx,mozilla,seamonkey,w3m,www-browser,x-www-browser ``` (not tested with chromium) Related issues: https://github.com/netblue30/firejail/issues/3290

gitea-mirror commented 2026-05-05 09:50:30 -06:00

Author

Owner

Copy link

@glu8716 commented on GitHub (Apr 2, 2024):

I just came across this thread and I have a similar problem. By using the default profile what I get is xdg-open: no method available for opening 'https://link'

Adding ignore private-bin opens a new Firefox instance and not the one that is already running:

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

<!-- gh-comment-id:2031644269 --> @glu8716 commented on GitHub (Apr 2, 2024): I just came across this thread and I have a similar problem. By using the default profile what I get is `xdg-open: no method available for opening 'https://link'` Adding `ignore private-bin` opens a new Firefox instance and not the one that is already running: ``` Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features ```

gitea-mirror commented 2026-05-05 09:50:31 -06:00

Author

Owner

Copy link

@reagentoo commented on GitHub (Apr 2, 2024):

I just came across this thread and I have a similar problem.

Try this (~/.config/firejail/telegram.local):

noblacklist ${HOME}/Documents
noblacklist ${HOME}/Pictures
noblacklist ${HOME}/Public
noblacklist ${HOME}/Videos

whitelist ${HOME}/Documents
whitelist ${HOME}/Pictures
whitelist ${HOME}/Public
whitelist ${HOME}/Videos

# Fix video calls
# https://github.com/netblue30/firejail/issues/3872
dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
whitelist /usr/share/pipewire/client.conf

# Fix xdg-open
# https://github.com/netblue30/firejail/issues/6275
dbus-user.own org.chromium.*
dbus-user.own org.mozilla.firefox.*
private-bin awk,basename,cut,env,grep,head,realpath,sed,tr,uname,xdg-mime
private-bin chromium,chromium-browser,elinks,epiphany,firefox,google-chrome,iceweasel,konqueror,links,links2,lynx,mozilla,seamonkey,w3m,www-browser,x-www-browser

<!-- gh-comment-id:2031661702 --> @reagentoo commented on GitHub (Apr 2, 2024): > I just came across this thread and I have a similar problem. Try this (`~/.config/firejail/telegram.local`): ``` noblacklist ${HOME}/Documents noblacklist ${HOME}/Pictures noblacklist ${HOME}/Public noblacklist ${HOME}/Videos whitelist ${HOME}/Documents whitelist ${HOME}/Pictures whitelist ${HOME}/Public whitelist ${HOME}/Videos # Fix video calls # https://github.com/netblue30/firejail/issues/3872 dbus-user.talk org.freedesktop.portal.Desktop ignore noroot whitelist /usr/share/pipewire/client.conf # Fix xdg-open # https://github.com/netblue30/firejail/issues/6275 dbus-user.own org.chromium.* dbus-user.own org.mozilla.firefox.* private-bin awk,basename,cut,env,grep,head,realpath,sed,tr,uname,xdg-mime private-bin chromium,chromium-browser,elinks,epiphany,firefox,google-chrome,iceweasel,konqueror,links,links2,lynx,mozilla,seamonkey,w3m,www-browser,x-www-browser ```

gitea-mirror commented 2026-05-05 09:50:32 -06:00

Author

Owner

Copy link

@glu8716 commented on GitHub (Apr 2, 2024):

@reagentoo I've already tried the options in your last post, but unfortunately it doesn't work

<!-- gh-comment-id:2032196875 --> @glu8716 commented on GitHub (Apr 2, 2024): @reagentoo I've already tried the options in your last post, but unfortunately it doesn't work

gitea-mirror commented 2026-05-05 09:50:32 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 2, 2024):

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default

@glu8716
This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in private-etc refactoring. For 0.9.72 you can add login.defs to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

<!-- gh-comment-id:2032419269 --> @ghost commented on GitHub (Apr 2, 2024): > Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default @glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in `private-etc` [refactoring](https://github.com/netblue30/firejail/discussions/5610). For 0.9.72 you can add `login.defs` to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

gitea-mirror commented 2026-05-05 09:50:33 -06:00

Author

Owner

Copy link

@reagentoo commented on GitHub (Apr 2, 2024):

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default

@glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in private-etc refactoring. For 0.9.72 you can add login.defs to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

@glitsj16 Hi. Can you please give some comment for the telegram.local in https://github.com/netblue30/firejail/issues/6275#issuecomment-2031661702 (in the context of the refactoring)? Are there any extra or missing rules to fix xdg-open? This config works for me with 0.9.72.

<!-- gh-comment-id:2032438600 --> @reagentoo commented on GitHub (Apr 2, 2024): > > Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default > > @glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in `private-etc` [refactoring](https://github.com/netblue30/firejail/discussions/5610). For 0.9.72 you can add `login.defs` to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI. @glitsj16 Hi. Can you please give some comment for the `telegram.local` in https://github.com/netblue30/firejail/issues/6275#issuecomment-2031661702 (in the context of the refactoring)? Are there any extra or missing rules to fix xdg-open? This config works for me with 0.9.72.

gitea-mirror commented 2026-05-05 09:50:34 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 2, 2024):

@reagentoo Hi. Your fix from https://github.com/netblue30/firejail/issues/6275#issuecomment-2031661702 looks fine. The mentioned private-etc refactoring doesn't affect it. That being said, there are (socket) alternatives being considered for using D-Bus to support URL handling. See #5364 and #5582 for context.

HTH

<!-- gh-comment-id:2032509678 --> @ghost commented on GitHub (Apr 2, 2024): @reagentoo Hi. Your fix from https://github.com/netblue30/firejail/issues/6275#issuecomment-2031661702 looks fine. The mentioned private-etc refactoring doesn't affect it. That being said, there are (socket) alternatives being considered for using D-Bus to support URL handling. See #5364 and #5582 for context. HTH

gitea-mirror commented 2026-05-05 09:50:35 -06:00

Author

Owner

Copy link

@glu8716 commented on GitHub (Apr 2, 2024):

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default

@glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in private-etc refactoring. For 0.9.72 you can add login.defs to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

Can confirm that the error is fixed with the git version. However I'm still getting Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features and the link is opened in a new instance of Firefox instead of the already running one.

<!-- gh-comment-id:2033149697 --> @glu8716 commented on GitHub (Apr 2, 2024): > > Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default > > @glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in `private-etc` [refactoring](https://github.com/netblue30/firejail/discussions/5610). For 0.9.72 you can add `login.defs` to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI. Can confirm that the error is fixed with the git version. However I'm still getting `Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features` and the link is opened in a new instance of Firefox instead of the already running one.

gitea-mirror commented 2026-05-05 09:50:36 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 3, 2024):

However I'm still getting Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features and the link is opened in a new instance of Firefox instead of the already running one.

@glu8716
Have you tried exporting MOZ_DBUS_REMOTE=1 in your ~/.bashrc (or similar if you happen to use a different shell)? It's a known environment variable that avoids the infamous Firefox is already running dialog and should force opening the link in a running Firefox instance. You've got to close all running FF instances, export the env var and start using FF again afterwards.

<!-- gh-comment-id:2033515890 --> @ghost commented on GitHub (Apr 3, 2024): > However I'm still getting Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features and the link is opened in a new instance of Firefox instead of the already running one. @glu8716 Have you tried exporting `MOZ_DBUS_REMOTE=1` in your `~/.bashrc` (or similar if you happen to use a different shell)? It's a known environment variable that avoids the infamous `Firefox is already running` dialog and should force opening the link in a running Firefox instance. You've got to close all running FF instances, export the env var and start using FF again afterwards.

gitea-mirror commented 2026-05-05 09:50:36 -06:00

Author

Owner

Copy link

@glu8716 commented on GitHub (Apr 3, 2024):

@glitsj16 It doesn't work, unfortunately

<!-- gh-comment-id:2034631279 --> @glu8716 commented on GitHub (Apr 3, 2024): @glitsj16 It doesn't work, unfortunately

gitea-mirror referenced this issue 2026-05-05 10:24:46 -06:00

[PR #3231] [MERGED] Add support for SELinux labeling #4689

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3231

No description provided.