[GH-ISSUE #544] make it clear that `--x11` does not block child processes from communicating with parent X server #381

New issue

Closed

opened 2026-05-05 05:43:55 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 05:43:55 -06:00

Owner

Originally created by @vn971 on GitHub (May 28, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/544

The current implementation of firejail --x11 does not forbid sandboxed processes from communicating with the parent (main) X.
The documentation, however, could be read as if --x11 does some kind of protection. A suggest to make a warning on this option that it's only a convenience separation, not a security one.

Example on how to break out of firejail --x11:

on host system start firejail --x11=xephyr --private --noprofile xterm
observe Xephyr window is being opened with an xterm window inside
type DISPLAY=:0 xterm in this child xterm
observe the last xterm being opened inside your main X system, with access to the cursor, keyboard etc.

Originally created by @vn971 on GitHub (May 28, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/544 The current implementation of `firejail --x11` does not forbid sandboxed processes from communicating with the parent (main) X. The documentation, however, could be read as if --x11 does some kind of protection. A suggest to make a **warning** on this option that it's only a convenience separation, not a security one. Example on how to break out of `firejail --x11`: - on host system start `firejail --x11=xephyr --private --noprofile xterm` - observe Xephyr window is being opened with an xterm window inside - type `DISPLAY=:0 xterm` in this child xterm - observe the last `xterm` being opened inside your main X system, with access to the cursor, keyboard etc.

gitea-mirror closed this issue

2026-05-05 05:43:57 -06:00

gitea-mirror commented

2026-05-05 05:44:01 -06:00

Author

Owner

@nick75e commented on GitHub (May 28, 2016):

As indicated here, you have to create a network namespace, e.g.: firejail --x11=xephyr --net=eth0 --private --noprofile xterm

/tmp/.X11-unix/X0 is disabled using a temporary filesystem mounted on /tmp/.X11-unix
directory. The only way to disable the abstract socket @/tmp/.X11-unix/X0 is by using a
network namespace. If for any reasons you cannot use a network namespace, the ab-
stract socket will still be visible inside the sandbox. Hackers can attach keylogger and
screenshot programs to this socket.

@nick75e commented on GitHub (May 28, 2016): As indicated [here](https://firejail.wordpress.com/documentation-2/x11-guide/), you have to create a network namespace, e.g.: `firejail --x11=xephyr --net=eth0 --private --noprofile xterm` ``` /tmp/.X11-unix/X0 is disabled using a temporary filesystem mounted on /tmp/.X11-unix directory. The only way to disable the abstract socket @/tmp/.X11-unix/X0 is by using a network namespace. If for any reasons you cannot use a network namespace, the ab- stract socket will still be visible inside the sandbox. Hackers can attach keylogger and screenshot programs to this socket. ```

gitea-mirror commented

2026-05-05 05:44:05 -06:00

Author

Owner

@vn971 commented on GitHub (May 28, 2016):

@nick75e Oops, sorry, I guess I've been a poor documentation reader.
I'm OK with deleting the ticket. (Sorry again..)

@vn971 commented on GitHub (May 28, 2016): @nick75e Oops, sorry, I guess I've been a poor documentation reader. I'm OK with deleting the ticket. (Sorry again..)

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#381

No description provided.

Rows
Columns

[GH-ISSUE #544] make it clear that --x11 does not block child processes from communicating with parent X server #381

[GH-ISSUE #544] make it clear that `--x11` does not block child processes from communicating with parent X server #381