Closed tomm87 closed 5 days ago
We have a robust troubleshooting guide that you should run through: https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide#3-check-if-keepassxc-proxy-is-launched-and-running
You'll need to figure out what rules are necessary for your specific location of the appimage.
Right, I did spend considerable time studying that document, which is why I knew to watch the path in the JSON file, but it doesn't address this problem. There have been numerous issues reported relating to the socket location and ensuring that it's accessible in a sandbox, but that's not my problem.
My problem is that keepassxc-proxy
is not running when I use the AppImage, and the underlying reason for that is because sandboxed Firefox can't mount the AppImage. The troubleshooting doc doesn't address this. I'm not trying to do anything very exotic, and I can't be the only person with this problem -- #6230 appears to be the same unresolved problem from 3 years ago.
Can I ask you to take a closer look?
I'm also continuing to look at this as I get occasional ideas. I've determined that most of my /dev directory is missing due to a Firejail private-dev
directive; disabling that has allowed /dev/fuse
to appear, which gets me a step closer to being able to use the AppImage.
This is now looking more squarely like a matter of tweaking the Firejail profile, so I withdraw my request for a closer look. If I find a full solution I'll post it here.
Fixing this properly is looking like it's going to take a deeper dive into Firejail profiles than I want to do for now, so instead I came up with workaround -- it's crufty but satisfactory for my purposes:
I extracted the KeePassXC AppImage with --appimage-extract
and found the keepassxc-proxy
binary, and copied this to /usr/local/bin
. Upon running it, it said it was missing libbotan, so I installed that, and fortunately that was the only missing dependency for it.
Then I created a wrapper script to launch the KeePassXC AppImage. First it launches it and puts it in the background with an ampersand. Then it sleeps for a few seconds to ensure KeePassXC had time to write the native messaging JSON file, and finally it rewrites that JSON file with a path pointing to /usr/local/bin/keepassxc-proxy
.
Then when I manually launch a sandboxed Firefox, it reads the correct path to a working keepassxc-proxy, and does not need to mount the AppImage.
Although ugly, this solution is at least convenient to use, has KeePassXC and keepassxc-proxy with matching versions, and did not require turning off Firejail security features. KeePassXC upgrades will take a little manual work.
Overview
Firefox with KeePassXC-Browser, running in a Firejail sandbox, works fine with distro-packaged KeePassXC, but fails with upstream AppImage -- "can't mount AppImage". I prefer the AppImage due to the great recent features.
This might be the same problem as #6230, but that issue is old, closed, and contains no solution.
Steps to Reproduce
keepassxc-proxy
binary to the AppImage file. Leave this change as-is.keepassxc-proxy
instead of the AppImage.Expected Behavior
My hope is that the web extension would be working at step 8 above, with the AppImage version of KeePassXC.
Actual Behavior
The web extension works only with the distro-supplied KeePassXC, not with the AppImage.
Context
It seems that when Firejailed, Firefox has a problem mounting the KeePassXC AppImage, as is needed to use KeePassXC-Browser. Removing either Firejail or the AppImage from the situation allows it to work.
Help -> About -> Debug Info:
Operating System: Linux Desktop Env: XFCE Windowing System: X11
Thanks for KeePassXC, and for any help with this problem!