firejailed thunderbird fails to open links in firejailed chromium

Created on 24 May 2018 · 11 Comments · Source: netblue30/firejail

Possibly related to issue #555. I'm on Linux Mint 18.3 Sylvia 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I ran the following commands as requested on #555:

user@Host ~ $ firemon --list
4230:user:firejail chromium-browser 
4297:user:firejail remmina 
4305:user:firejail mumble 
12808:user:firejail thunderbird 
24638:user:firejail spotify 
user@Host ~ $ firejail --join=12808
Switching to pid 12809, the first child process inside the sandbox
Child process initialized in 23.38 ms
user@Host ~ $ chromium-browser www.google.com
/usr/bin/chromium-browser: line 85: /dev/fd/62: No such file or directory
Trace/breakpoint trap (core dumped)
user@Host ~ $ 

I am assuming that I need to allow access to /dev/fd? Not sure why it would be needed in order to open the link though in an existing browser. I cannot cd into the /dev/fd dir btw.

Cheers!

information workaround

All 11 comments

See https://github.com/netblue30/firejail/issues/1770#issuecomment-364498100
tl;dr you basically just need to copy and paste links for Chromium based browsers, or use a Firefox based browser and keep a Firefox window open externally

@SkewedZeppelin : I doubt that this fully explains the problem. Yes - I was also affected by this issue when I set Google Chrome as default browser in Fedora for test purposes (normally I'm using Firefox). However, my wife uses Kubuntu with Chrome as default browser - and links clicked in firejailed Thunderbird open in firejailed Chrome without any problem. So there are obviously other aspects to consider. I haven't found the time yet to find out why both systems behave differently.

@curiosity-seeker If you're on KDE, you can tell Thunderbird to open links with xdg-open. When Firejail version is the most recent (0.9.54), you additionally need to create /etc/firejail/thunderbird.local with this content:

ignore nodbus
# following line is not necessary on some distributions
ignore apparmor

Probably won't help @Tritonio though, as this trick doesn't work with desktop environments other than KDE.

I tried the instructions here (http://kb.mozillazine.org/Changing_the_web_browser_invoked_by_Thunderbird) to set xdg-open (which exists and works on my system) to open the http(s) links but it still fails to open them...

If you're on KDE, you can tell Thunderbird to open links with xdg-open.

@smitsohu : Thanks for reminding me - that's exactly what I'm doing. I had just forgotten to test Chrome as default browser again since I changed to xdg-open. I've done that now - and you are right: it works!

@Tritonio regarding xdg-open, that's usually just a shell script, the magic is taken care of by the KDE backend.

Looks like this is resolved, so I'll close it.
[edit] Never mind. It looks like the OP never resolved their issue.

@Tritonio I think this seems to be an issue with the way chromium (and related browsers) operate. I'm not entirely sure how chromium checks for a running instance (I know how firefox checks - it looks for a .lock file in the profile directory). If we can figure out how chromium checks for running instances, we can solve this (as well as related) issues. Regardless, though, I would recommend just copy-pasting links - it's a bit of a change in workflow, but it does end up being more secure. The whole point of sandboxing is isolation, and programs trying to call other programs necessitates breaking that isolation. In some cases, it _may_ be acceptable, but I would argue it shouldn't be the default. Yes, it will "break" programs, but those programs are doing unsafe things and crossing security boundaries. Until we have a _safe_, cross-platform way to call out to other programs, I think the default should be having people copy and pasting links.

Even with e.g. xdg-open, since xdg-open will be run _within_ the profile you're using for thunderbird, I suspect you'd have to whitelist more files and directories (possibly ~/.local/share?) - in other words, you'd have to poke more holes in your profile. Again, I understand that this is acceptable for some people, but I don't think this should be done by default. If enough people want or need this feature, we could introduce a new profile option and command-line argument.

If you're on KDE, you can tell Thunderbird to open links with xdg-open. When Firejail version is the most recent (0.9.54), you additionally need to create /etc/firejail/thunderbird.local with this content:
ignore nodbus

FYI, I've been using my own Thunderbird profile for a long time which does not contain nodbus. But recently opening links in Firefox from Thunderbird broke after a KDE update on Fedora 28. After adding

ignore nodbus

to the Firefox profile it works again. I'm mentioning this as the default thunderbird.profile includes firefox.profile. With an individual profile nodbus has to be ignored in _both_ profiles.
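
The interaction between `ignore nodbus` and the include chain described above, as an added example that is not from the thread or from Firejail's own code. It reports where `nodbus` still takes effect for each sandbox, so the D-Bus exception can be confirmed to apply only where intended. It assumes a simplified model of profile parsing (an `ignore` only affects lines read after it, includes are resolved by file name in one directory) and uses constructed sample profiles.

```python
import os
import tempfile

def nodbus_hits(profile, ignored=None, hits=None):
    """Walk a profile and its includes in order; return (file, line number)
    for every 'nodbus' that is applied, i.e. not preceded by 'ignore nodbus'."""
    ignored = [] if ignored is None else ignored
    hits = [] if hits is None else hits
    if not os.path.isfile(profile):      # missing include (no .local file): skip
        return hits
    base = os.path.dirname(profile)
    with open(profile) as fh:
        for num, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            # an earlier 'ignore X' drops every later line that begins with X
            if any(line == i or line.startswith(i + " ") for i in ignored):
                continue
            if line.startswith("ignore "):
                ignored.append(line[len("ignore "):].strip())
            elif line.startswith("include "):
                name = os.path.basename(line.split(None, 1)[1])
                nodbus_hits(os.path.join(base, name), ignored, hits)
            elif line == "nodbus":
                hits.append((os.path.basename(profile), num))
    return hits

def check(local_files):
    """Write constructed sample profiles plus the given .local files to a
    temporary directory and evaluate each sandbox's own top-level profile."""
    d = tempfile.mkdtemp()
    files = {  # constructed samples, not the shipped profiles
        "thunderbird.profile": "include thunderbird.local\ninclude firefox.profile\n",
        "firefox.profile": "include firefox.local\nnodbus\n",
    }
    files.update(local_files)
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return {p: nodbus_hits(os.path.join(d, p + ".profile"))
            for p in ("thunderbird", "firefox")}

if __name__ == "__main__":
    print(check({}))
    print(check({"thunderbird.local": "ignore nodbus\n"}))
    print(check({"thunderbird.local": "ignore nodbus\n",
                 "firefox.local": "ignore nodbus\n"}))
```

In this model, the ignore in thunderbird.local suppresses the `nodbus` pulled in through the included firefox.profile for the Thunderbird sandbox only; a Firefox sandbox started from firefox.profile never reads thunderbird.local and keeps `nodbus` until its own .local file ignores it.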

This has been inactive for a while and we know what the culprit is. Marking it workaround and closing for now. @Tritonio, please feel free to re-open if you have more questions.
