[GH-ISSUE #750] NFS support: firejail --private issue "cannot transfer .Xauthority" #509

Closed
opened 2026-05-05 06:00:41 -06:00 by gitea-mirror · 12 comments

Originally created by @sebastianst on GitHub (Aug 29, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/750

Hi,
I cannot start any application in firejail private mode. E.g. running firejail --private gedit gives me

```
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: user namespaces not available in the current kernel.

** Note: you can use --noprofile to disable default.profile **

Parent pid 12498, child pid 12499
Warning: failed to clean up /etc/passwd
Warning: failed to clean up /etc/group
Warning: cannot open /home/stammler/.Xauthority, file not copied
Warning: cannot transfer .Xauthority in private home directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted

Child process initialized
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:2): Gtk-WARNING **: cannot open display: :0

Parent is shutting down, bye...
```

I think the important lines are (as the other ones are also shown when running gedit without the private flag):

```
Warning: cannot open /home/stammler/.Xauthority, file not copied
Warning: cannot transfer .Xauthority in private home directory
...
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:2): Gtk-WARNING **: cannot open display: :0
```

Running gedit without the --private option works.
Specifying a private home directory with the same flag or custom configuration in ~/.config/firejail/ produces the same error.

My .Xauthority file has mode 600 (u=rw) and I am running i3wm, which I start from the login console with startx. My home directory is a mounted NFSv4 share, if that's of any interest.

gitea-mirror (2026-05-05 06:00:41 -06:00) closed this issue and added the bug label.

@sebastianst commented on GitHub (Aug 30, 2016):

I fixed it by adding my local user to the authorized client list:

```
$ xhost +si:localuser:<user>
```

But that still doesn't fix the actual problem of firejail not being able to copy the .Xauthority file.

Now I can start a private gedit... However, starting a private firefox with firejail --private firefox doesn't work, it just starts a new window of my already running firefox. But that's something else I have to figure out now.


@netblue30 commented on GitHub (Aug 30, 2016):

This is easy, Firefox runs as a single process, and instead of opening a new instance, it opens a new tab or a new window in the already running instance. You'll have to use -no-remote flag:

```
$ man firefox
[...]
      -no-remote
              Don't connect to a running Firefox ESR instance. This option can
              be necessary in conjunction to several  of  the  options  above,
              that  won't have any effect when an Firefox ESR instance is run‐
              ning unless -no-remote is used at the same time.
[...]
```

@sebastianst commented on GitHub (Aug 30, 2016):

Thanks, I figured that out after posting. I used --new-instance to open a new firefox, which works as well.
Now I experience a new bug, which I will post soon :)


@netblue30 commented on GitHub (Sep 1, 2016):

What distro are you using? Usually, you wouldn't have to do "xhost +si:localuser:<user>".


@sebastianst commented on GitHub (Sep 1, 2016):

I use Arch Linux, running i3 after logging into the console via startx.
I don't see why you closed this bug. The problem remains that firejail cannot copy the .Xauthority file. If that succeeded, I guess you wouldn't even need to have the permission xhost +si:localuser:$USER set and firejail would still be able to connect to the X Server.


@netblue30 commented on GitHub (Sep 1, 2016):

Sorry, I thought xhost fixed it! How do you have your home directory mounted?


@sebastianst commented on GitHub (Sep 1, 2016):

My home directory is mounted via NFSv4 (and autofs):

```
auto_home on /home type autofs (rw,relatime,fd=19,pgrp=538,timeout=60,minproto=5,maxproto=5,indirect)
nfs-server:/srv/nfs4/home/user on /home/user type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.6,local_lock=none,addr=x.x.x.54)
```

(names and ips changed)


@netblue30 commented on GitHub (Sep 3, 2016):

NFS is not supported in this moment. I'll mark it as an enhancement.


@sebastianst commented on GitHub (Sep 6, 2016):

Glad we finally found the root of the problem :) Thanks


@sebastianst commented on GitHub (Sep 6, 2016):

I moved my .Xauthority file to a directory on a local partition by setting the XAUTHORITY environment variable. That made me realize that firejail doesn't respect this environment variable and the path is hardcoded to $HOME/.Xauthority. It would be great to have firejail respect the env. var. XAUTHORITY. I think changes would need to go into src/firejail/fs_home.c.


@netblue30 commented on GitHub (Sep 6, 2016):

This becomes a bug!


@chiraag-nataraj commented on GitHub (Aug 6, 2018):

I think this was fixed a while ago (fs.c uses getenv("XAUTHORITY") to get the location). If it's not fixed, feel free to re-open @sebastianst.

Reference: github-starred/firejail#509