[GH-ISSUE #1381] firefox: Yubico u2f token is not detected (private-dev) #943

Closed
opened 2026-05-05 07:12:04 -06:00 by gitea-mirror · 11 comments
Owner

Originally created by @BafDyce on GitHub (Jul 14, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1381

I have a u2f token from Yubico (https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/) and I have installed the U2F Support plugin for Firefox.

I'm running Arch and I have configured the necessary udev rules. When launching Firefox directly (without firejail), the U2F token works as expected, when I start firefox with firejail, it cannot communicate with the hardware token.

The plugin comes with a binary (u2f) which communicates with the token. However, this binary cannot communicate with the token. The token itself registers just as a Human Interface device (like keyboard, mouse, etc.) and can be seen from inside the jail:

$ lsusb -v -d 1050:0120

Bus 003 Device 005: ID 1050:0120 Yubico.com Yubikey Touch U2F Security Key
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x1050 Yubico.com
  idProduct          0x0120 Yubikey Touch U2F Security Key
  bcdDevice            4.33
  iManufacturer           1 
  iProduct                2 
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           41
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower               30mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.10
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      34
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               2
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               2

(Note: This output is identical inside and outside of the jail)

It seems like there's a communication problem, however I don't know where/what exactly. I would be willing to (debug &) fix this myself, however I don't know where I should start. Even if I run firefox via firejail --debug firefox I don't get any helpful output from firejail's log. Debugging (strace for example) doesn't work in the jail either.
It also cannot be due to some blocked syscall since then the u2f would fail with something like "Bad syscall" or something similar.

@smitsohu commented on GitHub (Jul 14, 2017):

Can you try if it works with firejail --ignore=private-dev firefox?

2nd EDIT: Looking at it again, a noexec flag possibly prevents execution of u2f. You could try running findmnt ~/.mozilla from inside the Firefox jail, it will show you which mount flags are set for that folder (if the output has several lines, check only for the last one).

@BafDyce commented on GitHub (Jul 18, 2017):

firejail --ignore=private-dev firefox works!

About your 2nd edit:
This was my first assumption too, however I was able to execute the u2f executable (by joining into the jail and executing it). Also since it works with your suggested command, it seems like the noexec flag is not enforced correctly? -> Is this another bug? (when I copy the u2f executable to /home/user, I am not allowed to execute it (bash: /home/user/u2f: Permission denied))

Output of findmnt ~/.mozilla

$ findmnt ~/.mozilla
TARGET                SOURCE                                FSTYPE OPTIONS
/home/user/.mozilla /dev/mapper/vg-home[/user/.mozilla] ext4   rw,relatime,data=ordered
/home/user/.mozilla /dev/mapper/vg-home[/user/.mozilla] ext4   rw,relatime,data=ordered

Which looks correct, as the host's /home is mounted on /dev/mapper/vg-home.

@smitsohu commented on GitHub (Jul 18, 2017):

@BafDyce At the moment whitelisted files and folders inherit their mount flags only from the underlying file system, and the Firejail noexec is indeed without effect for whitelisted locations. noexec works as expected in your /home/user because that folder is probably not whitelisted/has no whitelisted parent.

There are many pitfalls with the noexec option currently, and the manual is very right to advise caution:

> ... Always check if the change took effect inside the sandbox.

@jvican commented on GitHub (Jul 29, 2017):

Hello. I had this problem too. Would like to confirm that --ignore=private-dev fixed it for me.

@ibahnasy commented on GitHub (Jul 10, 2021):

On Ubuntu 21.04 --ignore=private-dev doesn't solve the issue. Any other suggestion?

@rusty-snake commented on GitHub (Jul 10, 2021):

See:

  • #3170
  • #3940
  • #3939
  • #3413
  • #2531
  • #3796
  • #3092
  • #1990
  • #1553

And so on.

  • ignore private-dev + ignore nou2f
  • Set browser-disable-u2f no in /etc/firejail/firejail.config
    • sudo sh -c "echo 'browser-disable-u2f no' >> /etc/firejail/firejail.config"
    • sudo sed -i 's/# browser-disable-u2f yes/browser-disable-u2f no/' /etc/firejail/firejail.config
    • firejail-welcome.sh (https://github.com/netblue30/firejail/blob/master/contrib/firejail-welcome.sh)
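
The two one-liners above behave differently depending on what the file already contains: the sed only works while the shipped commented default line is present, and the echo appends a second line even if the key was already set. The added Python helper below (not part of firejail; the sample config text is constructed) sets browser-disable-u2f exactly once whichever state the file is in, and lets you confirm afterwards that only one explicit line remains:

```python
import re
from pathlib import Path

# Constructed stand-in for the relevant part of /etc/firejail/firejail.config:
# the shipped default is a commented-out line, which a plain `echo >>` leaves
# in place while adding a second line for the same key.
SAMPLE_CONFIG = "# example-option yes\n# browser-disable-u2f yes\n"


def set_config_option(text, key, value):
    """Return config text with exactly one uncommented `key value` line.

    Covers the three states the sed and echo commands handle differently:
    the commented shipped default (`# key yes`, which sed rewrites), an
    existing explicit line, and no line at all (which only echo covers).
    Later copies of the setting, commented or not, are dropped.
    """
    setting = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s+\S+\s*$")
    out, done = [], False
    for line in text.splitlines():
        if setting.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue  # drop further copies of this setting
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def explicit_settings(text, key):
    """Values of every uncommented `key value` line; more than one is a
    misconfiguration worth fixing before trusting the result."""
    return [p[1] for p in (ln.split() for ln in text.splitlines())
            if len(p) >= 2 and p[0] == key]


def enable_browser_u2f(path="/etc/firejail/firejail.config"):
    """Rewrite the real file in place (needs root); returns the new text."""
    cfg = Path(path)
    new = set_config_option(cfg.read_text(), "browser-disable-u2f", "no")
    cfg.write_text(new)
    return new


if __name__ == "__main__":
    print(set_config_option(SAMPLE_CONFIG, "browser-disable-u2f", "no"), end="")
```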
@ibahnasy commented on GitHub (Jul 10, 2021):

Actually ignore nou2f only made it work, thanks!

@RubenGarcia commented on GitHub (Jul 29, 2021):

I also have the problem on
ubuntu 18.04.5 with firefox 90.0

@rusty-snake commented on GitHub (Jul 29, 2021):

The firejail version is relevant to fix the problem (the firefox version is irrelevant). Since Ubu18.04 has 0.9.52 I guess you use this. Actually everything is already explained or linked here (https://github.com/netblue30/firejail/issues/1381#issuecomment-877603650) but that's your command: ignore private-dev.

@WhyNotHugo commented on GitHub (Nov 25, 2021):

Adding ignore nou2f to firefox.local works.

What's the reason for disabling U2F keys for Firefox by default? I can't imagine a scenario where someone would want them to NOT work, especially since they require physical interaction to operate anyway.

@rusty-snake commented on GitHub (Nov 26, 2021):

> What's the reason for disabling U2F keys for Firefox by default? I can't imagine a scenario where someone would want them to NOT work, especially since they require physical interaction to operate anyway.

My guess is that this is because /dev/hidraw? is more than just u2f.
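
The point that /dev/hidraw? covers every HID device, not only the token, can be checked before loosening a profile with ignore nou2f. The added Python script below (not part of firejail) reads each hidraw node's report descriptor from sysfs and reports which nodes declare the FIDO Alliance usage page 0xF1D0, the marker the U2F/CTAP HID protocol uses, so you can see what else the browser would gain access to. The sysfs path is the standard one; the two sample descriptors are constructed for the test, the U2F one being a typical 34-byte token descriptor (the same wDescriptorLength lsusb shows above).

```python
from pathlib import Path

FIDO_USAGE_PAGE = 0xF1D0  # FIDO Alliance usage page declared by U2F/CTAP HID tokens


def usage_pages(desc):
    """Collect every Usage Page value from a HID report descriptor.

    Short items carry tag/type/size in one prefix byte; Usage Page is the
    Global item with tag 0 (prefix 0x05/0x06/0x07 for 1/2/4 data bytes).
    Long items (prefix 0xFE) are skipped using their length byte.
    """
    pages, i = set(), 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = prefix & 0x03
        size = 4 if size == 3 else size
        data = desc[i + 1:i + 1 + size]
        if prefix & 0xFC == 0x04 and data:
            pages.add(int.from_bytes(data, "little"))
        i += 1 + size
    return pages


def is_fido(desc):
    return FIDO_USAGE_PAGE in usage_pages(desc)


def classify_hidraw(sys_root="/sys/class/hidraw"):
    """Map each hidrawN to 'fido', 'other' or 'unreadable' by its descriptor."""
    root = Path(sys_root)
    if not root.is_dir():
        return {}
    result = {}
    for dev in sorted(root.glob("hidraw*")):
        try:
            rd = (dev / "device" / "report_descriptor").read_bytes()
            result[dev.name] = "fido" if is_fido(rd) else "other"
        except OSError:
            result[dev.name] = "unreadable"
    return result


# Constructed samples: a typical U2F token descriptor (34 bytes) and the start
# of a keyboard descriptor (Generic Desktop 0x01, Keyboard/Keypad 0x07).
U2F_DESC = bytes.fromhex(
    "06d0f1 0901 a101 0920 1500 26ff00 7508 9540 8102 0921 1500 26ff00 7508 9540 9102 c0")
KEYBOARD_DESC = bytes.fromhex("0501 0906 a101 0507 19e0 29e7 1500 2501 7501 9508 8102 c0")

if __name__ == "__main__":
    for name, kind in classify_hidraw().items():
        print(f"{name}: {kind}")
```

Run it outside the sandbox and again inside (firejail --join or a shell in the same profile) to see which nodes each profile variant actually exposes.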

Reference: github-starred/firejail#943