I noticed the default file access whitelist for Firefox and Chrome includes the /.Thunderbird/ folder.
The Thunderbird folder holds emails as well as passwords to those accounts. Chrome is well known to routinely spy/upload the entire accessible file system.
Is there a particular reason the filesystem for Thunderbird is exposed to vulnerable browsers?
For the time being I blacklist them via command line argument --blacklist=/.thunderbird/
Neither chromium-common or firefox-common allow access to Thunderbird's directories in 0.9.54.
Do you have any local files? What is the output of the following?
$ ls -lha ~/.config/firejail
$ ls -lha /etc/firejail/*.local
$ ls -lha /usr/local/etc/*.local
I'm running latest 9.5.5 I compiled. No local files. The firefox-common hasn't been touched. Thunderbird folder is located in root. When I blacklist thunderbird on the command line it becomes invisible. After digging a little I noticed even qbittorrent exposes /.thunderbird/ using the Firetools file manager. Something is globally whitelisting /.thunderbird/.
I did a full recursive text content search of /etc/firejail/ and don't see any instances of "/.thunderbird" except in the thunderbird profiles.
[user@localhost ~]$ ls -lha ~/.config/firejail
ls: cannot access '/home/user/.config/firejail': No such file or directory
[user@localhost ~]$ ls -lha /etc/firejail/*.local
-rw-r--r--. 1 root root 2 May 26 01:29 /etc/firejail/firefox.local
[user@localhost ~]$ ls -lha /usr/local/etc/*.local
ls: cannot access '/usr/local/etc/*.local': No such file or directory
For the time being I blacklist them via command line argument --blacklist=/.thunderbird/
Thunderbird folder is located in root.
The profiles only limit access to default installation paths. If you install it somewhere else, you will need to adjust the profiles yourself.
Do the following: Add blacklist /.thunderbird to /etc/firejail/disable-programs.local and noblacklist /.thunderbird to /etc/firejail/thunderbird.local.
Alternatively consider moving the thunderbird folder to the default location, which is /home/user/.thunderbird
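The two .local entries suggested above, applied idempotently and verified, as an added example (not from the thread or the firejail project): FIREJAIL_ETC, add_rule, apply_thunderbird_rules and rule_present are assumed names, and FIREJAIL_ETC exists only so the script can be exercised against a scratch directory instead of the real /etc/firejail.

```shell
#!/bin/sh
# Added example: apply the maintainer's fix for a non-standard /.thunderbird
# location. FIREJAIL_ETC is an assumed override for testing; the real
# directory read by firejail is /etc/firejail.
FIREJAIL_ETC="${FIREJAIL_ETC:-/etc/firejail}"

# add_rule FILE RULE: create FILE if needed, append RULE unless already present.
add_rule() {
    file="$1"
    rule="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF "$rule" "$file"; then
        return 0          # already there; leave the file unchanged
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Hide /.thunderbird from every sandboxed program via disable-programs.local,
# then re-allow it for thunderbird only. thunderbird.profile includes
# thunderbird.local before disable-programs.inc, so its noblacklist takes
# effect first and the blacklist does not apply inside that sandbox.
apply_thunderbird_rules() {
    add_rule "$FIREJAIL_ETC/disable-programs.local" "blacklist /.thunderbird"
    add_rule "$FIREJAIL_ETC/thunderbird.local" "noblacklist /.thunderbird"
}

# rule_present FILE RULE: succeed when RULE is an exact line of FILE.
rule_present() {
    grep -qxF "$2" "$1"
}

# Only touch the real /etc/firejail when explicitly asked, e.g.:
#   sudo sh apply_thunderbird_rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_thunderbird_rules
fi
```

Running it twice leaves each .local file with a single copy of its rule, so it is safe to re-run after a firejail upgrade.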
Thanks. I noticed on a Mint machine I have an exposed Timeshift in root (whole system backup visible to browsers). I don't recall modifying the default installation path on either install, pretty certain they were default locations from the repos, perhaps I installed them as root user. I'll see about moving them.
So the default file access is restrictive rather than permissive? If I hadn't happened to browse the exposed filesystems these would have gone unnoticed.
Whitelisting works per top directory. /.thunderbird is a very extraordinary path. If it was blocked then you would complain why your thunderbird isn't working :smile: . There are unlimited ways users can configure their systems and firejail tries to be compatible with most configs but some of them are quite unimaginable.