keepassxc: cannot open URL links in firefox

[tinmanx]

After a Firefox update, i dont understand why but when trying to double click to open URL's in KeepassXC it errors out saying profile not accessible. Can you tell me why this happened all of a sudden? Nothing has changed in the profile, been using it as usual.

firejail version 0.9.58.2 Ubuntu 18.04 with xfce4

[chiraag-nataraj]

Things to try:

• Does anything get printed on the terminal if you run firejail keepassxc?
• Does firejail --noprofile keepassxc help?
• Does keeping firefox (firejailed) open before starting keepassxc (firejailed) help?

[tinmanx]

@chiraag-nataraj

• Yes, see below:

  Opening...!
  May 22 12:12:32 nohup: ignoring input
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/keepassxc.profile
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-common.inc
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-devel.inc
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-interpreters.inc
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-programs.inc
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-xdg.inc
  May 22 12:12:32 Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
  May 22 12:12:32 Mounting appimage type 2
  May 22 12:12:32 Parent pid 14245, child pid 14253
  May 22 12:12:32 
  May 22 12:12:32 **     Warning: dropping all Linux capabilities     **
  May 22 12:12:32 Private /etc installed in 7.10 ms
  May 22 12:12:32 ]0;firejail /home/user/KeePassXC-2.4.1-x86_64.AppImage Child process initialized in 198.01 ms
  May 22 12:12:34 Qt: Session management error: Could not open network socket
  May 22 12:12:34 QObject::startTimer: Timers cannot have negative intervals
  May 22 12:12:34 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
  May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0)
  May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0)
  May 22 12:13:09 
  May 22 12:13:09 (exo-open:25150): dbind-WARNING **: 10:13:09.089: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused
  May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0)
  May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0)
  May 22 12:13:09 
  May 22 12:13:09 (exo-helper-1:25153): dbind-WARNING **: 10:13:09.099: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused
  May 22 12:13:10 Error: Access was denied while trying to open files in your profile directory.
  May 22 12:13:23 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
  May 22 12:13:23 
  May 22 12:13:23 Parent is shutting down, bye...
  May 22 12:13:23 AppImage unmounted

• It works with: firejail --noprofile --appimage KeePassXC-2.4.1-x86_64.AppImage

• Firefox is not firejailed, but it is started before Keepassxc as usual.

[tinmanx]

The only difference between the output on the terminal now and before the Firefox update, is this error: Error: Access was denied while trying to open files in your profile directory.

Everything else is normal

[chiraag-nataraj]

When keepassxc is running, can you do a firejail --ls=<pid of keepassxc sandbox> ~/? Does .mozilla appear there?

Also, looks like you compiled from Git, since it's reading stuff in /usr/local/etc/firejail?

[chiraag-nataraj]

Also, is this the default firejail profile? Have you modified it?

[tinmanx]

@chiraag-nataraj yes .mozilla does appear in the list ! This is very weird..

And yes i compiled from Git. Like i said, this has been working fine for many months and suddenly this happened after Firefox update. Firefox updated from: firefox (67.0+build1-0ubuntu0.18.04.1) bionic to firefox (67.0+build2-0ubuntu0.18.04.1) bionic yes this is the default keepassxc.profile and no i didnt modify it.

[chiraag-nataraj]

What if you pass --ignore=private-bin, so firejail --ignore=private-bin --appimage KeePassXC-<whatever>?

[tinmanx]

no that doesnt work either. I figured out what the problem is... however i do not have a solution for this.

Please ignore the version numbers of firefox that i mentioned, this is what really happened after digging further.

When everything was working, i was on Firefox v66.0.5 (i reverted to this now and the URL openings work as expected) According to http://security.ubuntu.com/ubuntu/pool/main/f/firefox/ the next version in the list is Firefox 67.0Build2

After updating to Firefox 67.0Build2 today, the URL openings break, ie. gives the above error as explained.

Something has changed between Firefox v66.0.5 and v67.0 with KeepassXC 2.4.1

The only solution is to stay on a previous version of Firefox

Please try reproduce because i just did this now.

[chiraag-nataraj]

Can you try with the non-appimage version? I want to see if it's an appimage-specific problem or if it's an issue with the profile more generally.

Also, I'm currently on firefox 66.0.5 (I'm on Debian sid...).

[tinmanx]

There is only appimages for keepassxc and building it from source which i am not able to do. The rest is windows and mac binaries. Can you try with building from source on your side? It seems to me that the execution for opening firefox links has somehow changed

[chiraag-nataraj]

No? https://packages.ubuntu.com/bionic/keepassxc It's in the bionic repos.

[tinmanx]

apologies, will check now.

[tinmanx]

When testing on a new PC, im getting a different error now when opening URL: Unable to detect a web browser to launch 'www.google.com'

I tried on firefox v66.04 and firefox v67.0

I used keepassxc from bionic repo as you said.

[chiraag-nataraj]

Can you try with --ignore=private-bin? I suspect it's looking for browsers, but none are whitelisted in the default profile.

[tinmanx]

Ok i tried with: $ firejail --ignore=private-bin keepassxc and it tries to open, with the same error popup as it does on the appimage.

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 5642, child pid 5643
Private /etc installed in 4.12 ms
Child process initialized in 73.98 ms

(keepassxc:7): dbind-WARNING **: 14:16:15.037: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused
Qt: Session management error: Could not open network socket

(exo-open:32017): dbind-WARNING **: 14:16:47.063: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused

(exo-helper-1:32020): dbind-WARNING **: 14:16:47.079: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused
Error: Access was denied while trying to open files in your profile directory.

[chiraag-nataraj]

Hmm...I wonder if exo-helper or exo-open is throwing the error rather than firefox...

[chiraag-nataraj]

Or do you get the firefox popup saying "Your profile is missing" or something similar?

[tinmanx]

The popup i get is this: in addition to the terminal error: Error: Access was denied while trying to open files in your profile directory.

[tinmanx]

this is the same for appimage and the repo version

[chiraag-nataraj]

Okay yeah, that is a Firefox error. It doesn't make sense, though, since ~/.mozilla should exist. Can you make sure ~/.mozilla/firefox/ exists within the sandbox?

[tinmanx]

yes it exists drwx------ 1000 1004 4096 .mozilla Yeah it does not make sense. This is also a new fresh VM, so, i dont know what the issue could be.

Did you try this on debian?

[chiraag-nataraj]

Yes, and it actually worked. My firefox is tightly sandboxed though...

[tinmanx]

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

[chiraag-nataraj]

When testing on a new PC, im getting a different error now when opening URL: Unable to detect a web browser to launch 'www.google.com'

I tried on firefox v66.04 and firefox v67.0

I used keepassxc from bionic repo as you said.

So are you saying that once you did --ignore=private-bin, the error disappeared for 66.0.4?

[chiraag-nataraj]

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

[chiraag-nataraj]

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

[SkewedZeppelin]

iirc 67 changes how profiles are handled and --no-remote is default now?

[chiraag-nataraj]

Hmm, I thought it was just that they automatically set up a new profile for release, nightly, dev, beta, etc? I don't think they do --no-remote by default, since I was able to open a link just fine (once I put --private-bin=firefox to add firefox to the sandbox).

[chiraag-nataraj]

@tinmanx, can you download firefox from mozilla's website, close all open firefox windows, and do the following?

1. cd to the directory where you extracted firefox (from the tar.bz2 file).
2. ff=$(mktemp -d)
3. ./firefox --profile "$ff"
4. Now, in a separate terminal: firejail --private-bin=firefox keepassxc
5. Click on the link.

This should: (a) make sure you're running with a clean profile and (b) ensure you're opening it in the mozilla version rather than the bionic version.

[edit] Hopefully Xfce won't mess with this...

[tinmanx]

@chiraag-nataraj i take it this is the portable version of firefox and you putting a profile into memory to test? I tried this as you said, but i get the below error: Launch failed (/usr/local/bin/firefox https://www.google.com/)

[tinmanx]

Just note that, by default usually in my own situation Firefox is not jailed at all.

[rusty-snake]

@tinmanx -no-remote is an firefox arg. firefox --help:

--no-remote Do not accept or send remote commands; implies --new-instance. --new-instance Open new instance, not a new window in running instance.

remote commands means something like "open a new window" or "open URL XY in a new tab".

[chiraag-nataraj]

Just note that, by default usually in my own situation Firefox is not jailed at all.

Yes. For this test, I didn't jail firefox (even though I normally do).

[tinmanx]

With what version firefox? you said 66.0.5 , Use the 67.0 version because thats the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

What do you mean from git master? im using the following: firejail 0.9.58.2 keepassxc 2.4.1

Did you use Firefox 67.0 tar.bz2 or did you install from your debian repo?

Guys this is very strange, im telling you something was changed in Firefox 67.0. We need to find out what it is. Firefox v66.0.5 works perfectly as it always did, even in previous versions.

[chiraag-nataraj]

I used firejail from git master (so 0.9.60~rc2), not 0.9.58.2, keepassxc2.3.4(latest version in Debian), andfirefoxdownloaded from Mozilla (so67.0`).

I didn't attempt to install firefox at all — just ran it from the directory I extracted to (happened to be in my Downloads folder).

[chiraag-nataraj]

If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to about:profiles.

[openffchrome]

i have a big problem since FF 67 too, when i click on a link from an sandboxed application it launch a whole new firefox instance with a new profile instead of using my firefox instance which is already launched in background! it really ruin my pc use :/

[tinmanx]

If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to about:profiles.

No it doesnt, i tried that now.

I also found this: https://www.reddit.com/r/firefox/comments/brh3s7/firefox_67_forces_a_new_profile_is_there_any_way/ not sure if this might be of any help to you that you can maybe figure out if its using an incorrect profile.

[Edit] check this: https://www.reddit.com/r/firefox/comments/broebr/just_updated_to_firefox_67_and_have_a_new_profile/ and this: https://bugzilla.mozilla.org/show_bug.cgi?id=1553526

[tinmanx]

i have a big problem since FF 67 too, when i click on a link from an sandboxed application it launch a whole new firefox instance with a new profile instead of using my firefox instance which is already launched in background! it really ruin my pc use :/

I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which wont work, (because when firefox is closed in general and you try to open a link, its the exact same error i get)

[chiraag-nataraj]

I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which wont work, (because when firefox is closed in general and you try to open a link, its the exact same error i get)

Something's very weird because that is not the behavior I experienced. When I had firefox 67.0 running (although it wasn't officially installed), keepassxc opened links in the running instance.

[tinmanx]

@chiraag-nataraj i dont know what to tell you. I also tried this on a fresh Ubuntu 18.04 no xfce4 or anything like that. just plain Ubuntu 18.04 Desktop. Same issue after installed firefox from repo.

Can you try installing firefox from Debian repo, delete ~/.mozilla and open firefox for it to create new profile. Then run keepassxc with firejail so you can tell me

[chiraag-nataraj]

Interesting, once I installed it system-wide, I had the same issue. Can you try this profile for keepassxc and report back? (NB: It assumes your database is stored in ~/.config/keepassxc for simplicity...you can add other whitelist paths if you want). ~/.config/firejail/keepassxc.profile:

ignore memory-deny-write-execute

include ${HOME}/.config/firejail/common.inc

whitelist ${HOME}/.config/keepassxc

private-bin keepassxc,firefox
private-etc alternatives,fonts
protocol netlink,unix
join-or-start keepassxc

~/.config/firejail/common.inc:

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nou2f
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

[chiraag-nataraj]

@tinmanx, any luck with the keepassxc profile I posted above?

[chiraag-nataraj]

@tinmanx, I'm not sure how to proceed from here. If the profile I sent you works, then we can figure out which directive is causing the issue in the stock profile and we can fix it. But I can't do that unless someone else tests the profile...

[tinmanx]

@chiraag-nataraj sorry for the late response - i havent been able to log on for a while.

I did the tests right now. Please see findings below:

I tried to run it with: firejail keepassxc but when clicking the link, it gave an error in terminal: Launch failed (/usr/sbin/firefox https://www.site.com/) and it didnt open.

So i tried with: firejail --ignore=private-bin keepassxc and the following happened: I already had firefox open..so when clicking the link it prompted with this screenshot so i chose it and it opened a brand new instance of firefox, so it didnt open a new tab in the existing firefox profile.

On another note: I still dont know why I have to run firejail --ignore=private-bin keepassxc and if i run firejail keepassxc it wont launch the site.

[tinmanx]

Is it possible you could also do these tests on your side?

[chiraag-nataraj]

The profile I posted worked fine when firefox was already open. I suspect you have to tweak the profile a bit. I really don't know what it might take, since I've been on a highly-customized Debian sid/experimental setup for quite some time now (AwesomeWM and manual mimetype configuration if required).

From the looks of it, it's probably something to do with xdg-open not having access to its config files (and xdg-open not being whitelisted in private-bin).

Honestly, the safest (and most secure) option is to manually copy the URLs and paste them. I've been doing this for a long time now since it allows for much stricter sandboxes.

If someone else is out there running Ubuntu and wants to help @tinmanx troubleshoot, please have at it! I'm at my wit's end at this point, since the profile above worked for me.

@tinmanx, one more thing you can try is commenting whitelist ${HOME}/.config/keepassxc in the profile and seeing if it works then. If so, that points to additional directories you need to whitelist in your home directory.

[tinmanx]

@chiraag-nataraj running firejail --ignore=private-bin keepassxc now while having commented out whitelist ${HOME}/.config/keepassxc it worked and opened up the link in the same firefox instance.

So knowing this.. what can you do to actually fix this? Is this profile of keepassxc.profile and commenting out whitelist ${HOME}/.config/keepassxc secure?

[chiraag-nataraj]

Okay, this means you need to figure out which other directories need to be whitelisted for xdg-open to work. I can't help you there since I don't use that mechanism for opening programs (as I mentioned earlier).

Is this profile of keepassxc.profile and commenting out whitelist ${HOME}/.config/keepassxc secure?

Not as secure as whitelisting just the specific directories it needs to function. Again, if you care about security, keep the profile as-is and just copy-paste the URL.

[tinmanx]

@chiraag-nataraj if you dont use the first whitelist..does it by default allow all directories?

if you care about security, keep the profile as-is and just copy-paste the URL.

if this is the case, how was it working before the firefox upgrade? was it less secure previously??