netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

keepassxc: cannot open URL links in firefox #2720

Closed tinmanx closed 5 years ago

tinmanx commented 5 years ago

After a Firefox update, I don't understand why, but when trying to double-click to open URLs in KeepassXC it errors out saying profile not accessible. Can you tell me why this happened all of a sudden? Nothing has changed in the profile, been using it as usual.

firejail version 0.9.58.2 Ubuntu 18.04 with xfce4

chiraag-nataraj commented 5 years ago

@chiraag-nataraj if you don't use the first whitelist... does it by default allow all directories?

Yes. If there are no blacklists or whitelists (and my profiles tend to take a whitelist approach), then all directories in ~ (your home directory) are able to be accessed.

If this is the case, how was it working before the Firefox upgrade? Was it less secure previously?

I never had a setup where clicking on a link worked without relaxing many settings on the sandbox. Looking at the keepassxc profile provided in this repository (not the one I posted above), it seems it allows keepassxc access to your .mozilla directory, which means it theoretically could access anything stored in your firefox profile. I suppose we decided it's an acceptable compromise to not break everyone's setup.

Personally, I find that whenever I need to allow a program to access configuration files that aren't its own, I should change my workflow. So in this case, if I took a look at the profile and realized that clicking on links only works because keepassxc has access to my firefox data, I would create a stricter profile in ~/.config/firejail without that and copy and paste the links.

I mean, in this case, you might deem it an acceptable risk as long as keepassxc doesn't have internet access (so net none or protocol unix or similar is enabled in the sandbox). Otherwise, it's not even a question in my mind.

tinmanx commented 5 years ago

@chiraag-nataraj I appreciate your input and you make great points, however this is not really a solution to the actual problem. Knowing that net none provides network block is enough for most users. This again shouldn't be an excuse to render the link-launcher useless and tedious.

Also, saying that xdg-open is somehow the cause of it being blocked wouldn't make sense, because this has to do with a Firefox update. I mean I've downgraded and upgraded the Firefox versions like 10 times and I get the same results.

A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

tinmanx commented 5 years ago

@chiraag-nataraj I just found out I am having the same issue and not being able to click links on a jailed cherrytree.profile too. Never used to be like this. Do you think I should open a bug report on Mozilla? Can you please assist? I can't be the only one with this issue. I'll do whatever else that I can to make this work again.

chiraag-nataraj commented 5 years ago

A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this.

Do you think I should open a bug report on Mozilla? Can you please assist? I can't be the only one with this issue. I'll do whatever else that I can to make this work again.

I don't think opening a bug report on Firefox's bugzilla will be useful at all — they will just redirect you back here and close as NOTABUG.

As I've already mentioned, this functionality requires you to at the minimum whitelist your firefox folder (~/.mozilla) in all programs where you would like to click on links and have them open. This has not changed and is still the case. To me, that represents a lot more trust than I am willing to give random programs (especially internet-connected ones).

Given your input above, I think the thing that's broken is that firefox (or whatever is calling it) now requires additional directories to be whitelisted (in addition to ~/.mozilla) before it will work. This might have happened with a firefox update, but I don't think firefox broke it.

You will have to play around with whitelisting directories in your home directory (build off of the profile I sent you) and don't worry too much about the private-bin for now (you can comment it if you want, we can deal with that later) — just focus on getting the home directory whitelist to work.

You might be able to use the --debug and --trace arguments for firejail or run it from the terminal to hopefully get more output, which might give you a better idea of what's going on.
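The trade-off chiraag-nataraj describes in the two comments above (a profile with no whitelist exposes all of ~; one that whitelists ~/.mozilla exposes Firefox data, which is only tolerable with net none or protocol unix) can be checked mechanically before a profile is dropped into ~/.config/firejail. The auditor below is an added example, not firejail project code; the sample profile, the /home/user path and the simplified whitelist/blacklist semantics are constructed assumptions, and included .inc files are reported rather than read.

```python
# Added example, not firejail project code. Audits a profile with simplified
# semantics: any whitelist under ~ hides the rest of ~; otherwise all of ~ is
# visible unless blacklisted (noblacklist cancels a blacklist); "net none" or
# "protocol unix" means no IP traffic. "include" files are reported, not read.
from pathlib import PurePosixPath

HOME = "/home/user"  # constructed; a real tool would use Path.home()

# Constructed sample modelled on the thread, NOT the repository's keepassxc.profile.
SAMPLE_PROFILE = """\
noblacklist ${HOME}/.mozilla
include disable-common.inc
whitelist ${HOME}/.config/keepassxc
whitelist ${HOME}/.mozilla
private-bin keepassxc,xdg-open
net none
"""

def _expand(path, home):
    path = path.replace("${HOME}", home)
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return PurePosixPath(path)

def _covers(a, b):
    """True if path a is b itself or an ancestor of b."""
    return a == b or a in b.parents

def audit_profile(text, home=HOME, target=".mozilla"):
    home_p, target_p = PurePosixPath(home), PurePosixPath(home) / target
    lists = {"whitelist": [], "blacklist": [], "noblacklist": []}
    includes, net_blocked = [], False
    for raw in text.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        arg = arg.strip()
        if cmd in lists:
            lists[cmd].append(_expand(arg, home))
        elif cmd == "include":
            includes.append(arg)
        elif (cmd == "net" and arg == "none") or \
             (cmd == "protocol" and set(arg.split(",")) <= {"unix"}):
            net_blocked = True  # no inet sockets: the "acceptable risk" case
    home_white = [w for w in lists["whitelist"] if _covers(home_p, w)]
    if home_white:  # whitelist mode: only listed paths exist inside ~
        reachable = any(_covers(w, target_p) or _covers(target_p, w) for w in home_white)
    else:  # no whitelist: visible unless an uncancelled blacklist covers it
        reachable = not any(_covers(b, target_p) and b not in lists["noblacklist"]
                            for b in lists["blacklist"])
    return {"home_whitelisted": bool(home_white), "target_reachable": reachable,
            "network_blocked": net_blocked, "unresolved_includes": includes}
```

A profile that reports target_reachable without network_blocked is the combination the thread calls "not even a question"; unresolved_includes lists the .inc files you still need to read by hand.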

rusty-snake commented 5 years ago

I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this.

As @SkewedZeppelin already said "67 changes how profiles are handled"

Profiles per installation to avoid conflicts

New Firefox installations will use a dedicated profile automatically starting with the release of Firefox 67. Firefox used existing profiles previously by default which led to two issues:

Profiles were shared between different Firefox installations, e.g. Nightly and Stable, which could lead to conflicts. You could not run multiple Firefox installations side by side by default.

Firefox supports options to run multiple profiles side-by-side and the new release does not take these away. It makes things easier for users of the browser who install different versions of Firefox on a single device.

(Source: https://www.ghacks.net/2019/05/21/firefox-67-0-release-information/)

chiraag-nataraj commented 5 years ago

@rusty-snake Yes, but I'm not quite sure if that's the issue here. In particular, it doesn't explain why the firejail profile that worked for me seems to not work for OP or why this broke in the first place.

The profile handling you're describing is more related to versioning firefox profiles such that each one is associated with a specific firefox channel (release, beta, nightly). It pretty much has nothing to do with this issue (afaik).

rusty-snake commented 5 years ago

@tinmanx @chiraag-nataraj I'll go ahead and close this for now.