[GH-ISSUE #1116] Failing to get X11 sandboxing working on Arch #766

Closed
opened 2026-05-05 06:36:55 -06:00 by gitea-mirror · 6 comments

Originally created by @rieje on GitHub (Feb 28, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1116

I'm having trouble with X11 sandboxing on Arch with both xpra and xephyr. On xpra, I installed xpra-winswitch then added “allowed_users=anybody” to /etc/X11/Xwrapper.config as stated in the guide. Then, I open up the terminal (I'm already in an X session), run `firejail --x11=xpra termite` and I get "Disconnecting client ... server error (erro accepting new connection)". I switched to the virtual console and then run `firejail --x11=xpra i3` (I use i3 window manager) and it freezes, requiring a hard reboot.

So I installed xephyr and edited firejail.config to use the resolution of my monitor. Then, I run `firejail --x11=xephyr termite` and the window opens fullscreen, but the termite terminal isn't maximized and I don't see any way to maximize it. Then, I tried `firejail --x11=xephyr i3` and it seems to open i3 successfully, but none of my key commands apply to that window--they apply to the X session I'm already in. I tried the same command on the virtual console and it says the display cannot be opened, asking me to set the DISPLAY, but the guide doesn't say this is necessary.

I searched github issues and it seems people are able to get it working, so this is definitely due to my incompetence. How should I be using xpra/xephyr for sandboxing X11?

Any help is much appreciated.


@testbird commented on GitHub (Feb 28, 2017):

Just an idea, maybe try also using --net=eth0 as the man page suggests.


@rieje commented on GitHub (Feb 28, 2017):

I tried that before on the laptop--Just tried again on my desktop, same issues.


@netblue30 commented on GitHub (Feb 28, 2017):

xpra is totally broken on Arch. It's been this way from the beginning, although some people manage to get it working with “allowed_users=anybody”.

i3 should be working fine on xephyr. Use the profile for openbox; the default profile disables all kinds of configuration files, maybe i3 config files are also blocked. Try:

```
$ firejail --profile=/etc/firejail/openbox.profile --x11=xephyr i3
```

I would suggest using in firejail.config a screen smaller than your display. This way you know when you are in i3 sandbox or i3 system (there are two of them running in that moment). It will be very confusing with both of them with the same dimensions.

> firejail --x11=xephyr termite and the window opens fullscreen, but the termite terminal isn't maximized and I don't see any way to maximize it.

There is no way to maximize it; you need to run a window manager and start the terminal under the window manager's control. Also, do some tests on a different terminal such as xterm, just in case termite has some problems of its own.


@rieje commented on GitHub (Feb 28, 2017):

Hmm, I'm still unable to get keyboard actions to work in the i3 sandbox--it applies to my existing X session instead (mouse works). Also, I was under the impression that X11 sandboxing should replace the existing X session, right? That's why I have it as fullscreen. Or do you run the sandbox within the X session and simply do everything in the sandbox? Should `firejail --profile=/etc/firejail/openbox.profile --x11=xephyr i3` be added to ~/.xinitrc?

Maybe I'm misunderstanding the usage of X11 sandboxing.

Also, i3 fills up the entire screen, and termite still doesn't so it's a problem with termite I guess.


@testbird commented on GitHub (Mar 2, 2017):

Usage depends on what you intend to do.

Sandboxing a login or xsession, you can confine what a user is allowed to do (with different programs).
Sandboxing individual applications, you can confine these more tightly and specifically.

For the latter case, xpra allows sandboxed applications to open resizable windows that appear on the host xserver just like regular non-sandboxed windows. Whereas the older xephyr provides a fixed-size sandbox root window that contains all application windows. (And you need to start a window manager instance within the sandbox, to be able to resize the windows *within* xephyr's sandbox root window.)


@netblue30 commented on GitHub (Mar 3, 2017):

> I was under the impression that X11 sandboxing should replace the existing X session, right?

No, you end up with two sessions working in parallel. It all depends how i3 is implemented, the first i3 session will grab the keyboard listening for keyboard shortcuts.

> Should firejail --profile=/etc/firejail/openbox.profile --x11=xephyr i3 be added to ~/.xinitrc

Try it, but you won't be able to su to root inside the session.

Reference: github-starred/firejail#766