mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #497] Using Firejail with HTML5 xpra client #351
Reference: github-starred/firejail#351
Originally created by @aashidham on GitHub (May 3, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/497
I'm curious how firejail's sandboxing over X11 (https://firejail.wordpress.com/documentation-2/x11-guide/) would work with the HTML5 xpra client (https://www.xpra.org/trac/wiki/Clients/HTML5). If so, how do I tell firejail to use the HTML xpra client? Would something like
work?
I want to build a web application where I share sandboxed versions of an application to many people. Each person would be able to interact with their own sandbox, and because of firejail's protections, they couldn't bring down the server through some exploit in the application. So each web client would get their own TCP port over which they can view their sandbox (in this case, port 5555), but the sandboxes would all run on the same X11 server (in this case, DISPLAY port 1000).
@reinerh commented on GitHub (May 3, 2016):
Even with firejail, this sounds like a really dangerous idea.
Does each client really need access to the same X server? If not, why not use a virtual X server like Xvfb (one for each client), which would be better isolated?
@aashidham commented on GitHub (May 3, 2016):
Xpra already uses Xvfb. The memory footprint for each X server when I use xpra is on the order of 100 MB for each one, which is unsustainable if I had to spin one up for each user. This is why I want to have multiple client sessions shared across one X server.
Can you explain what makes this dangerous? Also can you explain how to do this with firejail technically, regardless of its level of danger?
@netblue30 commented on GitHub (May 6, 2016):
Basically, they open an x11 socket on the network. This is incredibly bad, and securing this network socket is serious work.
If you intend to move data inside your box, a regular unix socket is much better than a network socket. Use a network socket only if you need to talk to a remote box. In this last case, your best x11 solution seems to be ssh (ssh -X). Or you can go with vnc over ssh.
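Added example, not part of the original thread and not firejail or xpra code: a check for the exposure discussed above, reporting watched ports that are listening on a non-loopback address. It parses text in `/proc/net/tcp` layout. The sample table is constructed, and the function name, the little-endian address decoding and the use of 6000 + display as the X11 TCP port are assumptions of this example.

```python
import ipaddress

X11_TCP_BASE = 6000   # X11 over TCP conventionally listens on 6000 + display
TCP_LISTEN = "0A"     # LISTEN state code in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 00000000:1B58 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20004
"""


def exposed_listeners(proc_net_tcp, display, extra_ports=()):
    """Return (address, port, reason) for watched ports listening off-loopback.

    Hypothetical helper for this example. Covers IPv4 only; IPv6 listeners
    live in /proc/net/tcp6 and need the same check.
    """
    watched = {port: "per-client TCP port" for port in extra_ports}
    watched[X11_TCP_BASE + display] = "X11 display :%d" % display
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        port = int(hex_port, 16)
        # Assumption: table written by a little-endian host (x86, most ARM).
        addr = ipaddress.ip_address(int(hex_addr, 16).to_bytes(4, "little"))
        if port in watched and not addr.is_loopback:
            findings.append((str(addr), port, watched[port]))
    return findings


if __name__ == "__main__":
    # Display 1000 and port 5555 are the values used in the question above.
    for addr, port, reason in exposed_listeners(SAMPLE_PROC_NET_TCP, 1000, (5555,)):
        print("reachable from the network: %s:%d (%s)" % (addr, port, reason))
```

On a live host, pass the contents of `/proc/net/tcp` instead of the sample. An X server that only uses its Unix socket produces no finding for the display port.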