[GH-ISSUE #6442] bitwarden: using electron.profile blacklists ~/.config/Bitwarden #3273

Closed
opened 2026-05-05 09:52:45 -06:00 by gitea-mirror · 3 comments

Originally created by @tmstn on GitHub (Aug 23, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6442

Description

I can run bitwarden-desktop on Manjaro once but the second time it will not start because the .config/Bitwarden directory has had its ownership changed to root:root

Steps to Reproduce

  1. run mkdir /home/$USER/bitwarden-temp
  2. run firejail --name=bitwarden --private=/home/$USER/bitwarden-temp --x11=xpra --profile=/etc/firejail/electron.profile bitwarden-desktop
  3. run firejail --list to get the process id
  4. run firejail --join=[id]
  5. run ls -la ~/.config and you will see that the Bitwarden is owned by $USER:$USER
  6. exit the sandbox shell session
  7. run firejail --shutdown=[id]
  8. run firejail --name=bitwarden --private=/home/$USER/bitwarden-temp --x11=xpra --profile=/etc/firejail/electron.profile bitwarden-desktop again
  9. The server will not start and there will be permission errors relating to the /home/$USER/.config/Bitwarden directory
  10. run firejail --list to get the process id
  11. run firejail --join=[id]
  12. run ls -la ~/.config and you will see that the Bitwarden directory is owned by root:root

Expected behavior

The /home/$USER/.config/Bitwarden directory should always be owned by $USER:$USER. It is a user directory in the home folder.

Actual behavior

The /home/$USER/.config/Bitwarden directory is owned by root:root.

Behavior without a profile

When running LC_ALL=C firejail --name=bitwarden --private=/home/$USER/bitwarden-temp --x11=xpra --noprofile bitwarden-desktop it opened without issue multiple times.

Environment

  • Linux 6.6.46-1-MANJARO x86_64
  • Firejail version 0.9.72

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail --name=bitwarden --private=/home/tom/down/bitwarden --x11=xpra --profile=/etc/firejail/electron.profile bitwarden-desktop

link to gist: https://gist.github.com/tmstn/9f04b0824b1d87fd4a48970fdef527fe

Output of LC_ALL=C firejail --debug --name=bitwarden --private=/home/tom/down/bitwarden --x11=xpra --profile=/etc/firejail/electron.profile bitwarden-desktop

link to gist: https://gist.github.com/tmstn/852d72522651db11055f44e785aafaa6

gitea-mirror closed this issue and added the notabug label on 2026-05-05 09:52:45 -06:00.

@ghost commented on GitHub (Aug 23, 2024):

Hi, thanks for reporting this. I've installed bitwarden-desktop on my Arch Linux box to reproduce. Coincidentally the package just got updated, so I probably have different versions here, but AFAICT that shouldn't affect things.

We indeed have a bug here: /usr/bin/bitwarden-desktop is a shell script, and the include disable-shell.inc option breaks that. I'll be fixing that in git shortly. Not sure if that's why you used the electron.profile, but this needs your attention regardless.

The procedure you kindly supplied above can be simplified a bit, so instead of using the longish CLI commands I've opted to create a simple override you can use (until a new release containing a fix reaches the Manjaro repos) with firejail /usr/bin/bitwarden-desktop:

```sh
$ cat ~/.config/firejail/bitwarden-desktop.profile
include allow-bin-sh.inc
private ${HOME}/bitwarden-temp
x11 xpra
include bitwarden.profile
name bitwarden
```

On my machine things seem to work just fine with the above profile changes. No ownership/permission changes on ~/.config/Bitwarden and the app starts and runs as expected AFAICT.

Please integrate the above override file on your side and retest.

HTH


@rusty-snake commented on GitHub (Aug 23, 2024):

> Steps to Reproduce

Please use minimal STR whenever possible.

> firejail [...] --profile=/etc/firejail/electron.profile bitwarden-desktop

You're running bitwarden with a profile that was not written to be used with bitwarden-desktop.
It includes commands that blacklist ${HOME}/.config/Bitwarden.
This is expected behaviour.

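The check behind the comment above, as an added example that is not part of the thread or of firejail: it follows a profile's include chain and reports whether a blacklist or a noblacklist rule for a path is read first. The sample file contents are constructed stand-ins, and the single-directory include lookup and the "exemption must be read first" rule are simplifying assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not firejail code): find the blacklist/noblacklist rules a
# profile reaches through its include chain and say which one is read first.
# Assumption: includes are looked up in one directory only.

# list_rules DIR FILE NEEDLE [DEPTH]: print "FILE: rule" in the order read.
list_rules() {
    [ "${4:-0}" -lt 8 ] || return 0          # stop runaway include loops
    [ -r "$1/$2" ] || return 0
    while read -r cmd arg; do
        case $cmd in
            include) list_rules "$1" "$arg" "$3" $(( ${4:-0} + 1 )) ;;
            blacklist|noblacklist)
                case $arg in
                    *"$3"*) printf '%s: %s %s\n' "$2" "$cmd" "$arg" ;;
                esac ;;
        esac
    done < "$1/$2"
}

# verdict DIR FILE NEEDLE: prints blacklisted, exempted or untouched.
# Assumes an exemption only counts when it is read before the blacklist rule.
verdict() {
    list_rules "$1" "$2" "$3" | {
        state=untouched
        while read -r _src cmd _arg; do
            case $state:$cmd in
                untouched:noblacklist) state=exempted ;;
                untouched:blacklist)   state=blacklisted ;;
            esac
        done
        echo "$state"
    }
}

# make_sample DIR: constructed stand-ins, not the shipped profile contents.
make_sample() {
    printf '%s\n' 'blacklist ${HOME}/.config/Bitwarden' > "$1/disable-programs.inc"
    printf '%s\n' 'include disable-programs.inc' > "$1/electron.profile"
    printf '%s\n' 'noblacklist ${HOME}/.config/Bitwarden' \
        'include electron.profile' > "$1/bitwarden.profile"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "electron.profile:  $(verdict "$demo" electron.profile .config/Bitwarden)"
echo "bitwarden.profile: $(verdict "$demo" bitwarden.profile .config/Bitwarden)"
rm -rf "$demo"
```

Passing /etc/firejail as the first argument runs the same check against the installed profiles instead of the sample.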

@tmstn commented on GitHub (Aug 23, 2024):

Thanks, that works!

The reason I was using the electron.profile was because bitwarden wouldn't start at all without it and was reporting the error: The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/electron29/chrome-sandbox is owned by root and has mode 4755

Reference: github-starred/firejail#3273