[GH-ISSUE #7] Option to disable suid calls, except to firejail #8

Closed
opened 2026-05-05 04:43:32 -06:00 by gitea-mirror · 2 comments

Originally created by @boltronics on GitHub (Aug 10, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7

I've got a nice setup with firejail for icedove and iceweasel, where my shortcuts and Xfce "preferred applications" settings all have the application commands prefixed with `firejail`. So far so good.

But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open `firejail iceweasel` and fails - no suid support. I can't call iceweasel directly either, since the icedove profile is blocking .mozilla which iceweasel requires. I have to open iceweasel up manually first, and only then click on the link, which gets tiresome after a while.

It would be nice to have a profile option (if it's technically possible) to have the suid /usr/bin/firejail binary available for execution to apps like icedove, but no other suid binary. That should make the software more usable in situations like the one described.

gitea-mirror 2026-05-05 04:43:32 -06:00: closed this issue, added the "bug" label

@netblue30 commented on GitHub (Aug 10, 2015):

> But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open firejail iceweasel and fails - no suid support.

This is because firejail icedove disables SUID binaries, and "firejail iceweasel" will fail because it needs SUID. I'll mark it as a bug, it needs to be fixed. Thanks.


@netblue30 commented on GitHub (Aug 23, 2015):

I think I have a fix, give it a try. When it starts, Firejail checks if it is running in a sandbox, and will start the program as is if a sandbox is detected. Works fine for me in icedove:

```
$ icedove
Reading profile /etc/firejail/icedove.profile
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
Parent pid 3180, child pid 3181

Child process initialized

(icedove:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-0UXCvH5q8u: Connection refused

** (icedove:1): WARNING **: Could not connect: Connection refused
Warning: an existing sandbox was detected. /usr/bin/iceweasel https://lxer.com will run without any additional sandboxing features in a /bin/sh shell
```

You will get that warning from Firejail, "an existing sandbox was detected", and iceweasel will be started in the sandbox set by icedove.

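The fallback described in the comment above, written out as an added example. This is not firejail's code; it is a small launcher wrapper that reproduces the decision "already inside a sandbox: run the program as-is, otherwise start it under firejail". It assumes two markers that firejail leaves inside a sandbox, namely the environment variable `container=firejail` and the directory `/run/firejail/mnt`; both are stated as assumptions here and are not taken from this issue. The `in_firejail` and `build_cmd` functions take the markers as parameters so the logic can be exercised on a host without firejail installed.

```shell
#!/bin/sh
# Added example, not firejail's own code: a launcher that behaves like the
# fix described in the comment above. If an existing firejail sandbox is
# detected, the program is run as-is and inherits the outer sandbox;
# otherwise it is started under firejail.
#
# Assumptions (labelled, not verified against the 2015 firejail code):
#   - inside a sandbox firejail exports container=firejail into the environment
#   - inside a sandbox firejail mounts its private state at /run/firejail/mnt

# in_firejail CONTAINER_VALUE MNT_DIR
# Exit 0 if either marker indicates we are already inside a sandbox.
in_firejail() {
    [ "$1" = "firejail" ] && return 0
    [ -n "$2" ] && [ -d "$2" ] && return 0
    return 1
}

# warn_nested PROGRAM: the same message firejail printed in the transcript,
# minus the "/bin/sh shell" detail, which this wrapper does not reproduce.
warn_nested() {
    echo "Warning: an existing sandbox was detected. $1 will run without any additional sandboxing features" >&2
}

# build_cmd CONTAINER_VALUE MNT_DIR PROGRAM [ARGS...]
# Print the command line that would be executed. Kept as a pure function so
# the decision can be checked without executing anything.
build_cmd() {
    container_value=$1
    mnt_dir=$2
    shift 2
    if in_firejail "$container_value" "$mnt_dir"; then
        warn_nested "$1"
        printf '%s\n' "$*"
    else
        printf 'firejail %s\n' "$*"
    fi
}

# Entry point when invoked with a program to run, e.g.
#   ./launch.sh iceweasel https://lxer.com
# With no arguments nothing is executed, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    if in_firejail "${container:-}" /run/firejail/mnt; then
        warn_nested "$1"
        exec "$@"
    fi
    exec firejail "$@"
fi
```

The security point to keep in mind is the one the transcript states: in the nested case the inner program gets no additional restrictions, so iceweasel launched from a sandboxed icedove is confined only by the icedove profile, and anything that profile blacklists (the issue mentions .mozilla) stays hidden from iceweasel as well.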
Reference: github-starred/firejail#8