Closed boltronics closed 9 years ago
But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open firejail iceweasel and fails - no suid support.
This is because "firejail icedove" disables SUID binaries, and "firejail iceweasel" will fail because it needs SUID. I'll mark it as a bug; it needs to be fixed. Thanks.
I think I have a fix; give it a try. When it starts, Firejail checks if it is running in a sandbox, and will start the program as is if a sandbox is detected. Works fine for me in icedove:
$ icedove
Reading profile /etc/firejail/icedove.profile
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
Parent pid 3180, child pid 3181
Child process initialized
(icedove:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-0UXCvH5q8u: Connection refused
** (icedove:1): WARNING **: Could not connect: Connection refused
Warning: an existing sandbox was detected. /usr/bin/iceweasel https://lxer.com will run without any additional sandboxing features in a /bin/sh shell
You will get that warning from Firejail, "an existing sandbox was detected", and iceweasel will be started in the sandbox set by icedove.
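As an added illustration of the behaviour the fix above describes (this is example code written for this page, not firejail's own code): a small POSIX shell launcher that applies the same rule from the outside. If a sandbox is already active, the program is started directly, because a nested "firejail program" would need the SUID binary that the outer sandbox has disabled; otherwise the program is started under firejail as usual. It assumes that firejail marks its sandboxes by exporting the environment variable container=firejail; that detail comes from firejail's manual, not from this thread, and the FIREJAIL_BIN variable and the script name are inventions of the example.

```shell
#!/bin/sh
# Added example, not part of firejail: a launcher wrapper that mirrors the
# "existing sandbox detected" rule. Put this wrapper in place of a bare
# "firejail" prefix in desktop shortcuts or "preferred applications".
#
# Assumption (from firejail's man page, not from the thread): firejail exports
# container=firejail inside every sandbox it creates.

# Returns 0 when the current process appears to be inside a firejail sandbox.
in_firejail_sandbox() {
    [ "${container:-}" = "firejail" ]
}

# Print the command line that launch() would execute for the given program and
# arguments, so the decision can be inspected without starting anything.
plan_launch() {
    prog="$1"
    shift
    if in_firejail_sandbox; then
        # Already sandboxed: a nested firejail would fail for lack of SUID,
        # so the program inherits the outer sandbox instead.
        printf '%s' "$prog"
    else
        printf '%s %s' "${FIREJAIL_BIN:-/usr/bin/firejail}" "$prog"
    fi
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Replace the current shell with the chosen command.
launch() {
    prog="$1"
    shift
    if in_firejail_sandbox; then
        echo "Warning: an existing sandbox was detected; $prog will run without additional sandboxing" >&2
        exec "$prog" "$@"
    else
        exec "${FIREJAIL_BIN:-/usr/bin/firejail}" "$prog" "$@"
    fi
}

# Usage as a script: ./sandboxed-launch /usr/bin/iceweasel https://lxer.com
# With no arguments the functions are merely defined (e.g. when sourced).
if [ "$#" -gt 0 ]; then
    launch "$@"
fi
```

The point of keeping the decision in plan_launch, separate from the exec in launch, is that the rule can be checked on a workstation without starting a browser: run it once from a normal shell and once from inside "firejail sh" and confirm that only the first invocation adds the firejail prefix.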
I've got a nice setup with firejail for icedove and iceweasel, where my shortcuts and Xfce "preferred applications" settings all have the application commands prefixed with "firejail". So far so good.

But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open "firejail iceweasel" and fails - no suid support. I can't call iceweasel directly either, since the icedove profile is blocking .mozilla, which iceweasel requires. I have to open iceweasel up manually first, and only then click on the link, which gets tiresome after a while.

It would be nice to have a profile option (if it's technically possible) to have the suid /usr/bin/firejail binary available for execution to apps like icedove, but no other suid binary. That should make the software more usable in situations like the one described.