firejail users - dnscrypt and other custom users?

[Utini2000]

I just installed firejail and I have followed the advice to make firejail only to be executable by users added to the firejail group.
See: https://wiki.archlinux.org/title/Firejail#Hardening_Firejail

Now this would mean, that any program that is configured to run by a custom user (e.g. dnscrypt-proxy, emby-server, syncthing,...) will not be run by firejail anymore unless added to the firejail group?
This also means, that the firejail default of "run anything that does not have a custom.profile file with a standard.profile file" will not be working anymore for such programs which run not as my own user?

This actually opens another security hole by potentially letting some programs run without firejail?

Thanks!

[rusty-snake]

Now this would mean, that any program that is configured to run by a custom user (e.g. dnscrypt-proxy, emby-server, syncthing,...) will not be run by firejail anymore unless added to the firejail group?

It depends whether there is a User= directive in their systemd service unit or the service itself drops to the other user. In the first case, it will fail to start with an error and in the later case everything should work fine.

This also means, that the firejail default of "run anything that does not have a custom.profile file with a standard.profile file" will not be working anymore for such programs which run not as my own user?

These programs that do not run as your user can not use firejail. Therefore it does not matter what the profile behaviour is.

This actually opens another security hole by potentially letting some programs run without firejail?

• It's another attack model you try to protect.
• You can always run a program without firejail.

[Utini2000]

For me there are several applications that do not run as my user (dnscrypt, emby-server). There are profiles for those in firejail and yet they started without errors but of course also not sandboxed in firejail.

It means that the default protection behaviour of firejail failed?

As a workaround I will have to add those users to the firejail group but any new user/app will have to be added again or it basically bypasses firejail.

[glitsj16]

FWIW, man firejail-users details the steps mentioned by OP.

[Utini2000]

Additionally, I can't seem to now execute anything in firejail at all.

$ firejail kate  
Reading profile /etc/firejail/kate.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 8528, child pid 8529
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Child process initialized in 96.92 ms
Error: execute permission denied for /usr/local/bin/kate
Error: no suitable kate executable found

Parent is shutting down, bye...

$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 9577, child pid 9581
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 230.16 ms
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found

firejail kcalc works though.

$ ls -al /usr/local/bin/ 
total 20
drwxr-xr-x  2 root root 4096 19. Aug 07:09 .
drwxr-xr-x 11 root root 4096 17. Mär 2023  ..
-rw-r--r--  1 root root  175 25. Mai 2023  {}
lrwxrwxrwx  1 root root   17 19. Aug 07:09 akonadi_control -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 ark -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 audacity -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 baloo_filemetadata_temp_extractor -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 bleachbit -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 chromium -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 clipgrab -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 conplay -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 cvlc -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 desktopeditors -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 digikam -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 discord -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 display -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 dnscrypt-proxy -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 dnsmasq -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 enchant-2 -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 enchant-lsmod-2 -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 exiftool -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 ffplay -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 ffprobe -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 firefox -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 gapplication -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 ghb -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 gimp -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 gimp-2.10 -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 img2txt -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 kate -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 kcalc -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 kdenlive -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 keepassxc -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 keepassxc-cli -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 keepassxc-proxy -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 kmail -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 kwrite -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 mediainfo -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 meld -> /usr/bin/firejail
-rwxr-xr-x  1 root root 1380 16. Feb 2024  mine_ac.sh
-rwxr-xr-x  1 root root 1373 16. Feb 2024  mine_battery.sh
lrwxrwxrwx  1 root root   17 19. Aug 07:09 mpg123 -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 mpg123-id3dump -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 mpg123-strip -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 mpv -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 obs -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 okular -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 out123 -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 patch -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 pavucontrol-qt -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 pdftotext -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 ping -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 qbittorrent -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 qt-faststart -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 secret-tool -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 skanlite -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 soundconverter -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 spectacle -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 ssh -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 strawberry -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 strings -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 teams -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 telegram-desktop -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 tshark -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 viewnior -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 vlc -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 wget -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 wireshark -> /usr/bin/firejail
lrwxrwxrwx  1 root root   17 19. Aug 07:09 yt-dlp -> /usr/bin/firejail

$ groups
libvirt realtime video storage render audio wheel usernamehere firejail

$ ls -l /usr/bin/firejail:
-rwsr-x--- 1 root firejail 450224  1. Mai 17:09 /usr/bin/firejail

[rusty-snake]

1. Did you started them after you run sudo firecfg?
2. If yes, how did you started them?
3. dolphin is not firejailed by default, you can manually firejail it
4. freerdp, syncthing and konsole do not have a profile and are not firejailed by default.

[Utini2000]

1. Yes
2. Via Start menu in KDE (Open Start Menü and use icon or search for app)

Firefox was still an old .desktop file in the favorites of the start menu.
I removed it, added it again, now it starts fine.
Telegram still doesn't start in firejail.
I run telegram also via the start menu of KDE (open start menu, type telegram, hit enter).

Edit:
Also noticed that dolphin isn't run by firejail although a profile exists.
Same for nano

[Utini2000]

1. Did you started them after you run sudo firecfg?

   2. If yes, how did you started them?

   3. dolphin is not firejailed by default, you can manually firejail it

   4. freerdp, syncthing and konsole do not have a profile and are not firejailed by default.

firejail telegram-desktop works fine.
The telegram-desktop shortcut from the start menu does not run it in firejail though.
This happens on two of my machines (both on Arch+KDE).

[kmk3]

firejail telegram-desktop works fine. The telegram-desktop shortcut from the
start menu does not run it in firejail though. This happens on two of my
machines (both on Arch+KDE).

What is in the .desktop file for the shortcut?

Where is it located?

[Utini2000]

firejail telegram-desktop works fine. The telegram-desktop shortcut from the
start menu does not run it in firejail though. This happens on two of my
machines (both on Arch+KDE).

What is in the .desktop file for the shortcut?

Where is it located?

Location:

/usr/share/applications/org.telegram.desktop

Content:

[Desktop Entry]
Name=Telegram Desktop
Comment=Official desktop version of Telegram messaging app
TryExec=telegram-desktop
Exec=telegram-desktop -- %u
Icon=telegram
Terminal=false
StartupWMClass=TelegramDesktop
Type=Application
Categories=Chat;Network;InstantMessaging;Qt;
MimeType=x-scheme-handler/tg;
Keywords=tg;chat;im;messaging;messenger;sms;tdesktop;
Actions=quit;
DBusActivatable=true
SingleMainWindow=true
X-GNOME-UsesNotifications=true
X-GNOME-SingleWindow=true

[Desktop Action quit]
Exec=telegram-desktop -quit
Name=Quit Telegram
Icon=application-exit

For nano I guess I will have to create an alias in my .zshrc config since I run nano from terminal and not any shortcut?

dnscrypt-proxy is run by user dnscrypt.. so I guess I need to add that user to firejail group?
Emby-server is also run by its own user, so this one needs to be in firejail group as well?
Or is the problem here that those are started by a service instead of a shortcut?

Thanks!

[Utini2000]

Running telegram-desktop via konsole will automatically firejail it.
The shortcut still starts telegram without firejail.

[Utini2000]

/home/sneida/.local/share/applications/org.telegram\ .desktop.desktop:

Woopsie that was just a typo here on github.
It is saved as "org.telegram.desktop.desktop".

[kmk3]

@Utini2000 on Sep 4:

[Desktop Entry]
Name=Telegram Desktop
Comment=Official desktop version of Telegram messaging app
TryExec=telegram-desktop
Exec=telegram-desktop -- %u
Icon=telegram
Terminal=false
StartupWMClass=TelegramDesktop
Type=Application
Categories=Chat;Network;InstantMessaging;Qt;
MimeType=x-scheme-handler/tg;
Keywords=tg;chat;im;messaging;messenger;sms;tdesktop;
Actions=quit;
DBusActivatable=true
SingleMainWindow=true
X-GNOME-UsesNotifications=true
X-GNOME-SingleWindow=true
Path=/usr/bin

[Desktop Action quit]
Exec=telegram-desktop -quit
Name=Quit Telegram
Icon=application-exit

Does it work with the following changes?

--- a/org.telegram.desktop.desktop
+++ b/org.telegram.desktop.desktop
@@ -1,8 +1,8 @@
 [Desktop Entry]
 Name=Telegram Desktop
 Comment=Official desktop version of Telegram messaging app
-TryExec=telegram-desktop
-Exec=telegram-desktop -- %u
+TryExec=firejail /usr/bin/telegram-desktop
+Exec=firejail /usr/bin/telegram-desktop -- %u
 Icon=telegram
 Terminal=false
 StartupWMClass=TelegramDesktop
@@ -18,6 +18,6 @@ X-GNOME-SingleWindow=true
 Path=/usr/bin
 
 [Desktop Action quit]
-Exec=telegram-desktop -quit
+Exec=firejail /usr/bin/telegram-desktop -quit
 Name=Quit Telegram
 Icon=application-exit

[Utini2000]

@Utini2000 on Sep 4:

[Desktop Entry]
Name=Telegram Desktop
Comment=Official desktop version of Telegram messaging app
TryExec=telegram-desktop
Exec=telegram-desktop -- %u
Icon=telegram
Terminal=false
StartupWMClass=TelegramDesktop
Type=Application
Categories=Chat;Network;InstantMessaging;Qt;
MimeType=x-scheme-handler/tg;
Keywords=tg;chat;im;messaging;messenger;sms;tdesktop;
Actions=quit;
DBusActivatable=true
SingleMainWindow=true
X-GNOME-UsesNotifications=true
X-GNOME-SingleWindow=true
Path=/usr/bin

[Desktop Action quit]
Exec=telegram-desktop -quit
Name=Quit Telegram
Icon=application-exit

Does it work with the following changes?

--- a/org.telegram.desktop.desktop
+++ b/org.telegram.desktop.desktop
@@ -1,8 +1,8 @@
 [Desktop Entry]
 Name=Telegram Desktop
 Comment=Official desktop version of Telegram messaging app
-TryExec=telegram-desktop
-Exec=telegram-desktop -- %u
+TryExec=firejail /usr/bin/telegram-desktop
+Exec=firejail /usr/bin/telegram-desktop -- %u
 Icon=telegram
 Terminal=false
 StartupWMClass=TelegramDesktop
@@ -18,6 +18,6 @@ X-GNOME-SingleWindow=true
 Path=/usr/bin
 
 [Desktop Action quit]
-Exec=telegram-desktop -quit
+Exec=firejail /usr/bin/telegram-desktop -quit
 Name=Quit Telegram
 Icon=application-exit

In that case I get:
The desktop entry file /home/username/.local/share/applications/org.telegram.desktop is not valid.

[rusty-snake]

TryExec is a file path not a command I guess.

[Utini2000]

TryExec is a file path not a command I guess.

Alright so changing the file this way makes it possible to run telegram from directly executing the .desktop file but it gives the following error when run via start menu / application launcher:

Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. 

file content:

[Desktop Entry]
Name=Telegram Desktop
Comment=Official desktop version of Telegram messaging app
TryExec=telegram-desktop
Exec=firejail /usr/bin/telegram-desktop -- %u
Icon=telegram
Terminal=false
StartupWMClass=TelegramDesktop
Type=Application
Categories=Chat;Network;InstantMessaging;Qt;
MimeType=x-scheme-handler/tg;
Keywords=tg;chat;im;messaging;messenger;sms;tdesktop;
Actions=quit;
DBusActivatable=no
SingleMainWindow=true
X-GNOME-UsesNotifications=true
X-GNOME-SingleWindow=true
Path=/usr/bin

[Desktop Action quit]
Exec=firejail /usr/bin/telegram-desktop -quit
Name=Quit Telegram
Icon=application-exit