[GH-ISSUE #6981] Firejailed Thunderbird can't open links in Firejailed Firefox (Separate jails) when /usr/local/bin/firefox exists at thunderbird launch. Discord also had trouble opening links but its usage of private-bin works around this issue #3443

Closed
opened 2026-05-05 10:00:16 -06:00 by gitea-mirror · 1 comment

Originally created by @ipaqmaster on GitHub (Dec 4, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6981

Description

Due to firejail-in-firejail with Thunderbird's default profile - clicking URLs fails to open in the existing Firefox session, running in its own separate jail profile.

When /usr/local/bin/firefox exists as a symlink to firejail, thunderbird attempts to launch firefox using that, causing firejail-in-firejail and a "missing configuration" complaint instead of opening the link.

This can be demonstrated by launching firefox which will hit the /usr/local/bin/firefox path (Symlink to /usr/bin/firejail) launching it in firejail, then removing that symlink and starting thunderbird also with a firejail symlink in /usr/local/bin and with its default thunderbird.profile it can open links in firefox now (At the cost of now having to re-create the firefox symlink to firejail immediately after).

Discord also can't seem to open links out of the box but uses a private-bin which actually works around this issue.

By adding the below, firejailed Discord can open links in a firejailed firefox:

```
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
dbus-user.talk org.mozilla.*
include allow-bin-sh.inc

private-bin Discord,discord,firefox,xdg-open,xdg-mime
```

It seems private-bin is capable of grabbing the real Firefox path instead of falling for /usr/local/bin/firefox (/usr/bin/firejail)

Using the above on thunderbird does not work. I suspect this is because of its silly launcher design on Archlinux. /usr/bin/thunderbird is a shell script with the content:

```
#!/bin/sh
exec /usr/lib/thunderbird/thunderbird "$@"
```

I tried for a few minutes to include the real thunderbird path, but failed to get it to execute and moved on. Probably a noexec line somewhere in the default profile or its includes.

Steps to Reproduce

Steps to reproduce the behavior

  1. Have two symlinks to /usr/bin/firejail: /usr/local/bin/firefox and /usr/local/bin/thunderbird
  2. Launch firefox which will start in its own firejail
  3. Launch Thunderbird which will start in its own firejail too. Both separate but with dbus privileges in the default profile to communicate.
  4. Try opening a link in Thunderbird
  5. An error is logged in the terminal (If launched that way to make it visible) about /etc/firejail/firejail.config being absent, an indication that thunderbird hasn't launched firefox, it has fallen for the /usr/local/bin/firefox symlink to firejail and attempted to launch firejail inside its own running jail.

Expected behavior

Open the link in the Firefox window on the same screen.

Actual behavior

Does not do that.

Behavior without a profile

Works

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

No difference

Additional context

There needs to be some kind of new flag to tell firejail to ignore anything in PATH which is just a symlink to itself. I think that would solve most of the issues I've experienced with it day to day - and after each update, when it restores its /usr/local/bin symlinks preventing the launching of a number of programs.

Any other detail that may help to understand/debug the problem

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.58-1-lts x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): Mozilla Firefox 145.0.1 Mozilla Thunderbird 145.0
  • Version of Firejail (firejail --version): firejail version 0.9.76
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • [x] I am using a supported version of firejail
  • [x] I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

There ARE some similar issues, some from 2021 which sound relevant but the discussion being held has been since fixed for a long time. Despite the title sounding the same as this one.

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here


@ipaqmaster commented on GitHub (Dec 4, 2025):

Ugh that was stupid... yeah it's a script starting with #!/bin/sh so obviously private-bin needs to include sh.... the discord fix works on thunderbird if I add sh to its private-bin.

All thunderbird needs to open links in Firefox in each their own jail while /usr/bin/firejail is symlinked to path /usr/local/bin/firefox, is the below:

```
private-bin sh,/usr/bin/thunderbird,firefox,xdg-open,xdg-mime
```

Because the use of private-bin avoids hitting /usr/local/bin/firefox (> /usr/bin/firejail) and breaking Thunderbird's ability to launch it. Not clean... but if it makes this work for me then that's alright.

That said... it's very sluggish now with that thunderbird.local file I've just created. I wonder what's caused that.

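The diagnostic below is an added example, not part of the original issue or of firejail: it walks PATH and reports which entries for a command are symlinks to firejail and which is the first real binary behind them, the lookup the "ignore anything in PATH which is just a symlink to itself" proposal and the private-bin workaround both depend on. The function names `scan_path` and `first_real_binary` are hypothetical; `/usr/bin/firejail` is the path given in the issue, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example (not firejail code): find firejail symlinks that shadow a
# command in PATH, and the first real binary behind them.

# scan_path NAME FIREJAIL [PATHLIST]
# Prints "jail <path>" for every PATH entry named NAME that is a symlink
# resolving to FIREJAIL, then "real <path>" for the first entry that is not,
# and stops. Exit status: 0 real binary found, 1 none found, 2 bad FIREJAIL.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
scan_path() (
    name=$1
    fj=$(readlink -f -- "$2") || exit 2
    set -f
    IFS=:
    for dir in ${3:-$PATH}; do
        cand=${dir:-.}/$name            # an empty PATH element means "."
        [ -f "$cand" ] && [ -x "$cand" ] || continue
        if [ -L "$cand" ] && [ "$(readlink -f -- "$cand")" = "$fj" ]; then
            printf 'jail %s\n' "$cand"  # would cause firejail-in-firejail
        else
            printf 'real %s\n' "$cand"
            exit 0
        fi
    done
    exit 1
)

# first_real_binary NAME FIREJAIL [PATHLIST]
# Prints only the real binary's path; returns non-zero if there is none.
first_real_binary() (
    found=$(scan_path "$@" | sed -n 's/^real //p')
    [ -n "$found" ] && printf '%s\n' "$found"
)

# Direct use: ./scan.sh firefox [/usr/bin/firejail]
if [ "$#" -ge 1 ]; then
    scan_path "$1" "${2:-/usr/bin/firejail}" ||
        echo "no real $1 found in PATH" >&2
fi
```

A `jail` line ahead of the `real` line for `firefox` matches the situation described in the issue: a jailed program that searches the same PATH reaches the firejail symlink first.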
Reference: github-starred/firejail#3443