[GH-ISSUE #1481] Claws-mail doesn't open external links in Vivaldi browser #996

Closed
opened 2026-05-05 07:16:40 -06:00 by gitea-mirror · 6 comments

Originally created by @kanyck on GitHub (Aug 19, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1481

Clicking on the link does nothing, but right-click -> "Open link" opens the link in place.
Here is the output:

```
$ claws-mail &
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 23323, child pid 23324
Child process initialized in 40.27 ms
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (IcedTea 3.4.0) (Gentoo icedtea-3.4.0)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. vivaldi will run without any additional sandboxing features
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. /usr/bin/vivaldi will run without any additional sandboxing features
/usr/bin/vivaldi: line 72: /dev/fd/62: Нет такого файла или каталога
/usr/bin/vivaldi: line 73: /dev/fd/62: Нет такого файла или каталога
[0819/144659.008899:ERROR:nss_util.cc(94)] Failed to create /home/kanyck/.pki/nssdb directory.
[0819/144659.041978:ERROR:nss_util.cc(94)] Failed to create /home/kanyck/.pki/nssdb directory.
```

Disabling private-dev in claws-mail and adding vivaldi.local as follows

```
noblacklist ~/.pki
mkdir ~/.pki
whitelist ~/.pki
```

seems to avoid the error messages but link still does not open:

```
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/claws-mail.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 9701, child pid 9702
Child process initialized in 57.68 ms
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (IcedTea 3.4.0) (Gentoo icedtea-3.4.0)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. vivaldi will run without any additional sandboxing features
```

Meanwhile, running claws-mail directly as `/usr/bin/claws-mail &` works ok.


@valoq commented on GitHub (Aug 20, 2017):

The claws-mail profile restricts access to the minimal environment that claws needs to operate normally.
However if you try to open a link using a browser, that browser will be opened within the context of the claws process and therefore from inside the sandboxed environment.

If you wanted to open hyperlinks to websites without manually copying the address, you would need to allow access to all resources the browser would require within the claws profile.
The attack surface of common internet browsers is huge so that is not really something I would recommend.

Also the error message "Warning: cannot switch euid to root" indicates that the target browser is started by firejail as well, but using a secondary firejail process is not supported as far as I know. Not sure there is a workaround for this, even if you allowed all the resources required by the browser.


@kanyck commented on GitHub (Aug 21, 2017):

Unfortunately I don't fully (foolly?) understand the logic behind this. Unjailed claws-mail communicates with jailed vivaldi just fine. On the other hand I noticed that when I click on a torrent link it opens in an empty transmission client if the client isn't running. If it is, it receives the torrent file from the browser and is fully operable with it. If I click mailto: link in the browser, it opens claws-mail that doesn't see the setup and therefore tries to set up the new profile to send a mail. Either firejail profiles are to be customized somehow or some important interoperability part is missing...


@curiosity-seeker commented on GitHub (Aug 22, 2017):

@kanyck : I'm not using claws-mail so what I suggest may be nonsense. But you can try to change its [settings](http://www.claws-mail.org/faq/index.php/Using_Claws_Mail_with_other_programs#How_can_I_use_Claws_Mail_with_Firefox.3F) in such a way that `xdg-open` is used. This is what I've done in Thunderbird for all my applications with the result that in all cases the firejailed default applications are opened whenever I click a link or an attachment.


@kanyck commented on GitHub (Aug 23, 2017):

@curiosity-seeker Thank you but it does use xdg-open.


@smitsohu commented on GitHub (Sep 13, 2017):

A speculation: From above we can see that clicking on a link makes Vivaldi run inside the Claws-Mail Firejail sandbox:

> Warning: an existing sandbox was detected. vivaldi will run without any additional sandboxing features

However, this Claws-Mail Firejail sandbox prevents Vivaldi from setting up its own Chromium-style sandbox (which I think it tries to do). You could try disabling some options in claws-mail.profile, like caps.drop, nonewprivs, seccomp (implies nonewprivs) or noroot, to make everything work, but you will end up with a Claws-Mail sandbox that is watered down significantly.
EDIT: Just noted that this is a simple rephrasing of what @valoq has said before.

The other way round, fixing

> If I click mailto: link in the browser, it opens claws-mail that doesn't see the setup and therefore tries to set up the new profile to send a mail.

should be easier. You could try adding the following to vivaldi.local:

```
noblacklist ~/.claws-mail
whitelist ~/.claws-mail
```

But take all of this with a grain of salt, as I couldn't properly reproduce your problem on Debian, and I don't have a Gentoo setup running.

Finally: To better address issues like this or possibly this #1341, it might make sense to rewrite claws-mail.profile such that it matches the current thunderbird.profile, i.e. without options but with include /etc/firejail/browser.profile at the end.
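
An added example, not part of the thread or of Firejail's own code: a small triage script for the situation discussed above. It extracts the programs Firejail reported as launched inside an existing sandbox and lists which of the options named in the comment (caps.drop, nonewprivs, seccomp, noroot) a profile sets. The log lines are copied from the issue; the profile text is constructed for illustration and is not the real claws-mail.profile.

```python
import re

# Options named in the thread as preventing a Chromium-style inner sandbox.
BLOCKING_OPTIONS = ("caps.drop", "nonewprivs", "seccomp", "noroot")
NESTED_RE = re.compile(
    r"^Warning: an existing sandbox was detected\. (\S+) will run without")

# Two warning lines as they appear in the issue's output.
SAMPLE_LOG = """\
Warning: cannot switch euid to root
Warning: an existing sandbox was detected. vivaldi will run without any additional sandboxing features
Warning: an existing sandbox was detected. /usr/bin/vivaldi will run without any additional sandboxing features
"""

# Constructed profile text (assumption, for illustration only).
SAMPLE_PROFILE = """\
include /etc/firejail/disable-common.inc
caps.drop all
noroot
# nonewprivs
seccomp
private-dev
"""

def nested_launches(log_text):
    """Programs Firejail says were started inside an already running sandbox."""
    seen = []
    for line in log_text.splitlines():
        m = NESTED_RE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def blocking_options(profile_text):
    """Options from BLOCKING_OPTIONS that are active (not commented out)."""
    found = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword = line.split()[0]
        for opt in BLOCKING_OPTIONS:
            if keyword == opt and opt not in found:
                found.append(opt)
    return found

if __name__ == "__main__":
    print("nested launches:", nested_launches(SAMPLE_LOG))
    print("options restricting the child:", blocking_options(SAMPLE_PROFILE))
```

A non-empty result from both functions matches the situation described in the thread: the browser is a child of the mail client's sandbox and inherits its restrictions.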


@rusty-snake commented on GitHub (Jun 26, 2019):

@kanyck
I'm closing here due to inactivity, please feel free to reopen if you still have this issue.

Reference: github-starred/firejail#996