[GH-ISSUE #937] Whitelisted keepassx in web browser profiles #639

Closed
opened 2026-05-05 06:19:47 -06:00 by gitea-mirror · 6 comments

Originally created by @derekyerger on GitHub (Nov 25, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/937

In commit c3b3390017 all web browser profiles had noblacklist and whitelist lines for keepassx entries appended, like so:

```
noblacklist ~/keepassx.kdbx
```

...

```
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
```

These are appended to 15 browser profiles without a clear explanation.

Does this need to be in browser profiles? If anything, these locations should be blacklisted. There is no info about why this was added in the commit message, nor the release notes since 0.9.40.


@netblue30 commented on GitHub (Nov 27, 2016):

Lots of people are using KeePass/LastPass with Firefox, so we had to enable them. You can easily build a custom profile with all these lines commented out. Copy /etc/firejail/firefox.profile into the ~/.config/firejail/ directory and modify it.


@curiosity-seeker commented on GitHub (Nov 27, 2016):

@derekyerger : I don't understand why this should be a problem. If you don't use those password managers, those directories don't exist. So whitelisting them doesn't do any harm. And if you're using any of them your browser needs access to those directories. It's that easy, IMHO.


@derekyerger commented on GitHub (Nov 27, 2016):

Still not understanding it. I've only ever used KeePassX to auto-type login credentials into my browser. This only requires that KeePassX has access to its own data, as it handles the user-initiated hand-off of data to the browser through sending keystrokes.

Isn't this the point, over using password managers that are built into almost every major web browser?


@SYN-cook commented on GitHub (Dec 11, 2016):

@derekyerger It is possible to use KeePass/KeePassX together with browser extensions, and if .kdbx files were blacklisted or not whitelisted for the browser, the extensions obviously wouldn't work any more.

On the other hand, ~~I wonder how many people are actually doing this, because e.g. the KeeFox browser extension on Linux still requires a KeePass Windows binary. Also~~ I don't know of any extension that asks for access to KeePassX config files.

In your case it probably makes more sense to comment out all these lines, as netblue30 has already suggested, in order to isolate browser and password manager as well as possible from each other. I might add that KeePassX with auto-type works great for me with all these lines commented out.

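The step suggested by netblue30 and SYN-cook above (copy the browser profile into ~/.config/firejail/ and comment out the password-manager lines), as an added example that is not part of the original thread or firejail's own code. The function names `harden_profile` and `write_sample_profile` and the sample profile contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: write a per-user copy of a firejail browser profile with the
# keepassx/lastpass exceptions commented out, leaving every other rule intact.

# harden_profile SRC DEST_DIR
# Writes DEST_DIR/<basename of SRC> and prints how many rules were disabled.
harden_profile() {
    src=$1
    dest_dir=$2
    dest="$dest_dir/$(basename "$src")"
    # Active noblacklist/whitelist rules whose path names keepassx, a .kdbx
    # database or lastpass. Lines already starting with '#' do not match.
    pattern='^[[:space:]]*(noblacklist|whitelist)[[:space:]]+.*(keepassx|\.kdbx|lastpass)'
    mkdir -p "$dest_dir" || return 1
    n=$(grep -cE "$pattern" "$src") || n=0
    sed -E "/$pattern/ s/^/#/" "$src" > "$dest" || return 1
    echo "$n"
}

# Constructed sample profile: the lines quoted in the issue plus two
# unrelated rules that must survive unchanged.
write_sample_profile() {
    cat > "$1" <<'EOF'
noblacklist ~/keepassx.kdbx
whitelist ~/.mozilla
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
caps.drop all
EOF
}

# Demo on the constructed sample (runs offline, touches only a temp directory).
demo_dir=$(mktemp -d)
write_sample_profile "$demo_dir/firefox.profile"
echo "rules disabled: $(harden_profile "$demo_dir/firefox.profile" "$demo_dir/user")"
cat "$demo_dir/user/firefox.profile"
```

On a real system the call would be `harden_profile /etc/firejail/firefox.profile ~/.config/firejail`, using the paths given in the thread.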

@SYN-cook commented on GitHub (Dec 11, 2016):

Is there any extension that needs these files? As far as I can see all extensions expect KeePass and not KeePassX to handle the password database. So IMHO these lines are safe to remove.

```
whitelist ~/.keepassx
whitelist ~/.config/keepassx
```


@SYN-cook commented on GitHub (Dec 20, 2016):

#993
