keepassxc: please provide more options or more guidance

[BillDietrich]

Expected behavior
There are several ways or desired ways of using KeePassXC:

• with or without browser extension
• with or without allowing the app to check for updates
• with or without app acting as a secret service
• with or without app acting as an SSH agent
• with or without app being able to auto-type characters to another app

Please provide comments in the KeePassXC profile, or additional profiles, to support each of these choices. For example, I would like to run the app without browser extension, without update-checking, with secret service, with SSH agent, with auto-type. I think that means I could run with all network access disabled, but dbus has to be enabled ? Not sure. I want to lock down KeePassXC as tightly as possible given these choices. Please provide more commented sections in the profile, or more profiles, or something, to aid in this. Thanks.

Desktop:

• Linux Mint 19.3 Cinnamon with 5.3 kernel
• Firejail version 0.9.62

Additional context
KeePassXC 2.5.3

[glitsj16]

I think that means I could run with all network access disabled, but dbus has to be enabled ? Not sure.

Network access is already disabled via net none and protocol unix,netlink. What happens when you try with nodbus? Does that give you the desired setup? We can add comments later, no problem. But IMO it would create more confusion if we offered individual keepassxc profiles that accomodated all permutations you mention. But let's try to find your favo setup first okay?

[BillDietrich]

In the default configuration (nodbus commented out), neither clicking on an URL in KeePassXC nor auto-type using ctrl+shift+U works. I want them to work. So maybe my focus on dbus is wrong, something else needs to be changed or commented to change.

[BillDietrich]

You're right, in the default configuration, update-checking fails saying update error. So maybe add a comment saying "change this if you want update-checking to work".

[rusty-snake]

FYI: #3314

or additional profiles,

The issue here is, how to select the profile. IMHO we have two options

1. comments (like thunderbird)
2. .incs (like feh)

You're right, in the default configuration, update-checking fails saying update error. So maybe add a comment saying "change this if you want update-checking to work".

Almost all profiles do not support updates, because updates are usually install via apt, dnf, ….

clicking on an URL in KeePassXC

You will need to allow firefox to

• read its profile, see thunderbird.profile (on master)
• communicate to the running firefox (sometimes dbus)
• be present in the sandbox: private-bin firefox (and maybe more Question on private-bin & Hyperlinking #3308)

if you use chrome or something else it are the same point.

[BillDietrich]

Almost all profiles do not support updates, because updates are usually install via apt, dnf, ….

I guess updates and update-checking are separate. Maybe add a comment to the profile saying "if you want update-checking to work, un-comment the following:"

[BillDietrich]

clicking on an URL in KeePassXC

I am not running the browser (Firefox) under Firejail. If I run KeePassXC without Firejail, clicking URLs and auto-typing work. If I run KeePassXC under Firejail, they fail. So I think the issue is with the KeePassXC profile.

[rusty-snake]

So I think the issue is with the KeePassXC profile.

Yes, it is. KPXC will start your default handler for e.g. https:// which is firefox. But is has no access to is (private-bin) and firefox then has no access to its profiles (blacklist ${HOME}/.mozilla). The things I descripted above needs to be added to the keepassxc.profile.

[rusty-snake]

Try this keepassxc.local

noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin

[BillDietrich]

I added those lines in keepassxc.local, and with KeePasseXC running in Firejail:

• if I click an URL in KeePassXC, after 5+ seconds I get a dialog "Your Firefox profile cannot be loaded. It may be missing or inaccessible."

• if I auto-type in KeePassXC (ctrl+shift+U on an entry), I get the same error.

So do I have to run Firefox inside Firejail for this to work ? I'm running Firefox without Firejail.

[rusty-snake]

Is firefox running in at this time? are there any other modification on the keepassxc profile/local?

[BillDietrich]

Yes, FF is running. No, nothing else but comments in keepassxc.local

A year ago I was messing with my keepassxc.profile, but I think by now it's been overwritten by latest standard version. ls says it's 1383 bytes, Dec 30 2019 20:40 keepassxc.profile

[BillDietrich]

What does "be present in the sandbox: private-bin firefox" in a previous comment mean ? I'm not running FF inside Firejail.

[rusty-snake]

keepassxc will call /usr/bin/firefox <URL> (or where ever firefox is in $PATH). firefox will then detect that it is already running and use D-Bus (firefox-wayland) or something else (direct IPC?) to tell the running firefox to open .

firejail's private-bin options restricts the content of /bin, /usr/bin, … to the listed programs. (If you just add firefox to the list, keep in mind that /usr/bin/firefox is often a shell script).

[MrFrank17]

Comment about the ssh-agent issue.
Proposed in the linked issue above were these changes:

noblacklist ${HOME}/.ssh
# Other things to go.
# ignore machine-id
# ignore private-tmp
# noblacklist /tmp/ssh-*
# read-write ${HOME}/.ssh/authorized_keys

For me the first line was not enough, I had to comment in all lines (haven't checked if a subset might be enough, though).

[BillDietrich]

Try this keepassxc.local

noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin

Trying again. Now I'm in Fedora 34 KDE with X. I did the keepassxc.local changes you gave. I run "firejail --debug keepassxc DBNAME", open database, click on a link, get this on CLI:

Launch failed (/usr/bin/xdg-open THELINKURL)

Now I'm using KeePassXC 2.6.4 with Firejail 0.9.64.4. KeePassXC and Firefox are natively installed; no appimage, snap, flatpak. KP works fine if Firejail is not used. I also filed keepassxreboot/keepassxc#6637

[rusty-snake]

I also filed keepassxreboot/keepassxc#6637

If firejail --noprofile keepassxc works, it's a firejail issue.

Launch failed (/usr/bin/xdg-open THELINKURL)

Good to know, that xdg-open is used. xdg-open is a shell-script, try

include allow-bin-sh.inc
ignore private-bin

[rusty-snake]

FWIW there as been done some more on "open-links-from-firejailed-applications" since 9 Apr 2020. #3919 and #3471 and #3881.

• A summary for firefox under wayland: Properly document how to "Drastically reduce security for profiles which need to open stuff in [browser name]" #3471 (comment)
• firejail url handler: https://github.com/glitsj16/firejail-handler-http and https://github.com/glitsj16/firejail-handler-extra.
• Workarounds using systemd-run (discord: cannot open links in the browser #3881 (comment))
• Workarounds using desktop portals (https://gist.github.com/rusty-snake/5104dc53ce3e52eef86cc34d359aa10e)

[BillDietrich]

KP works fine with --noprofile.

I changed keepassxc.local to be:

noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin
include allow-bin-sh.inc

And KP fails differently now. When I click on a link, instead of an error on the CLI, I get an error dialog from "KIO Client" saying "unknown host: THEURL host name not found" or words to that effect.

[rusty-snake]

Looks like KIO is involved in some way (inside the sandbox) and wants internet access:

ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl

[BillDietrich]

Okay, now keepassxc.local is:

noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
ignore private-bin
include allow-bin-sh.inc
ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl

and when I click on a link, I get a dialog saying "Your Firefox profile could not be loaded, it may be missing or inaccessible". But I have an instance of FF running in the background. Without Firejail on KeePassXC, links will open in FF just fine.

[rusty-snake]

If firejail --profile=keepassxc ls ~/.mozilla works fine, we need to focus on dbus? seccomp? ...?. If it does not work we need to focus on filesystem commands ((no)blacklist, whitelist (should be all commented), read-only, ...).

[BillDietrich]

firejail --profile=keepassxc ls ~/.mozilla

works, it lists the dir. I guess I'll try commenting out all dbus stuff in keepassxc.profile ?

[BillDietrich]

It's something in disable-programs.inc that's doing it. If I comment out the include for that, KP works. Have to get back to a clean state and make just that change, re-verify.

[BillDietrich]

Okay, so it's working with stock keepassxc.profile BUT with disable-programs.inc commented out, AND with keepassxc.local containing:

ignore private-bin
include allow-bin-sh.inc
ignore net none
protocol unix,inet,inet6,netlink
private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl

[rusty-snake]

Then you can fiddle around with --build, --trace, --tracelog or do a binary search in disable-programs.inc (I guess this is caused by the KIO stuff that wants internet).

[BillDietrich]

Running with --trace shows a suspicious message "20:keepassxc:mkdir /run/user/1000:-1". 1000 is my userid. How can I allow access to that dir ? Or maybe that's the wrong idea.

The lines from --trace when I click a link are:

20:keepassxc:mkdir /run/user/1000:-1
20:keepassxc:access /usr/bin/xdg-open:0
Cannot open trace log file: No such device or address

[rusty-snake]

It's very very very likely accessible from inside the sandbox. This line just says that mkdir("/run/user/1000", ...) returned -1 (likely with EEXIST but for that you need to run firejail --allow-debuggers --maybe-something-else --profile=keepassxc strace --strace-args /usr/bin/keepassxc).

[BillDietrich]

There is a sizable (5-second ?) pause between the trace line "xdg-open" and the line "Cannot open trace log file". I wonder if some kind of mime-type or protocol-handler lookup is failing. But I don't see anything named "xdg*" or "kio*" or other relevant names in disable-programs.inc

[rusty-snake]

If a program crashes, the last (to all) lines of --trace are missing so my guess is that it's not flushed on every write.

[BillDietrich]

Okay, I'm confused about something. disable-programs.inc is full of "blacklist" statements. I copied it to disable-programs.local and changed every "blacklist" to "noblacklist". I thought that would negate every line in disable-programs.inc, but it didn't (KP still doesn't work). How do I negate a "blacklist" line ?

[rusty-snake]

Assuming disable-programs.local is included (no typo or so, check top of --debug) it's maybe IDK I don't think there's a hardcoded limit of noblacklists and globbing should work too. 😕 You can try to ignore blacklist PATH instead.

[BillDietrich]

Okay, here's a good one:
--trace fails
--debug works
--trace=xxx.txt works

[BillDietrich]

Okay, looks like Firefox is being launched inside the KP firejail, so adding this to keepassxc.local made it work:

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla

[rusty-snake]

looks like Firefox is being launched inside the KP firejail

That's true, but if firefox is already running (in it's own sandbox) it usually communicates to this instance to open a new tab/window. At least until now this worked without access to it's cache. ... anyway

[BillDietrich]

Didn't mean to close the issue; can it be re-opened, please ?

[BillDietrich]

Confirmed that noblacklist of .cache is needed if an instance of FF is running already. Will check case where FF is not already running.

[rusty-snake]

Will check case where FF is not already running.

Then FF will start in the KPXC sandbox and totally fail becaus of seccomp, tracelog, blacklist /usr/libexec, ...

[BillDietrich]

Yes, checked case where FF is not already running, and it dies horribly. Browser window opens but never loads the page, underneath it seems to be copying my FF profile, and then FF crashes. Is this a known limitation of Firejail or something ?

[BillDietrich]

So, I have it working if FF is default browser and an instance is running and click on a link in KP. But can't do same with either Brave browser or ungoogled-chromium. I tried noblacklist of all their config stuff, but still they're failing silently if they're default browser and a browser instance is running and then I click on a link in KP.

[rusty-snake]

For chrom* you need to noblacklist their paths and at least I guess

ignore caps.drop all
caps.keep sys_admin,sys_chroot
ignore nonewprivs
ignore noroot
ignore protocol
ignore seccomp
ignore seccomp.block-secondary
ignore tracelog

[rusty-snake]

Is this a known limitation of Firejail or something ?

Without workarounds (#3329 (comment)), firefox is started in the keepassxc sandbox. If there is a running firefox instance, firefox just does early startup tasks (parse commandline, find profile, ...) and communicates to the running instance. If not, it does a full startup inside the kpxc sandbox. Starting program A in the sandbox made for program B will fail if A requires a permission that is blocked (because B does need it).

[BillDietrich]

Okay, the chrom* statements you gave me sort-of worked. If Brave or ungoogled-chromium is default browser and an instance is running, clicking on a link in KP opens another instance of the browser (should use existing instance) and shows some error messages about unable to read profile and want to restore session, but does open the right page. I think if no instance is running and click on a link, instance is launched and page loaded with no error dialogs.

[BillDietrich]

firefox is started in the keepassxc sandbox

Yes, this seems to be a key lack in Firejail. There should be some directive to say "launch-outside-sandbox xdg-open" or something. So whenever KeePassXC or anything launches xdg-open, xdg-open is run outside sandbox, and browser ends up getting launched outside.

[rusty-snake]

There should be some directive to say "launch-outside-sandbox xdg-open" or something.

You can use systemd-run for that (see workarounds above) but Why do you want to use a sandbox with escape feature? I would call this sandbox anymore.

Related: #3785

So whenever KeePassXC or anything launches xdg-open, xdg-open is run outside sandbox, and browser ends up getting launched outside.

See xdg-open.c or firejail-handler-http workarounds above.

[BillDietrich]

You can use systemd-run

Would that mean changing the source code of KeePassXC to do that ? I'm a user, not the dev.

Why do you want to use a sandbox with escape feature?

The "escape" would be limited to "send this URL out to be opened in whatever app is supposed to be able to open it".

[rusty-snake]

Would that mean changing the source code of KeePassXC to do that ? I'm a user, not the dev.

One option, however we can not add such firejail support in every app. Therefore it needs to be somewhere else. And systemd-run allows you to start everything outside of the sandbox.

The "escape" would be limited to "send this URL out to be opened in whatever app is supposed to be able to open it".

👍 That already possible with xdg-open.c or firejail-handler-http.

[WhyNotHugo]

with or without browser extension

Support is being worked on upstream. KeePassXC already has the changes is
master, but pending release:

keepassxreboot/keepassxc#8030

You also need a proxy with these changes:

varjolintu/keepassxc-proxy-rust#10

with or without allowing the app to check for updates

This seems really out-of-scope for a password manager, and requires giving it
network access. Why not simply rely on your distribution's update mechanisms?

---

Regarding opening URLs in the browser, we have a few options:

1. Allow running Firefox inside the sandbox. If an instance is already running,
   it will talk to it over dbus and open the window. However, if no instance is
   running, this will run Firefox inside KeePassXC's sandbox. This approach
   seems risky.

2. We could place a tiny script in the sandbox's $PATH that uses the D-Bus
   OpenURL portal: Allow portal access non-flatpak sandboxes flatpak/xdg-desktop-portal#741
   Regrettably, the portal is broken and won't work with non-flakpak
   sandboxes. This is really an ideal approach for sandboxed applications, but
   the PR is simply stalled.

3. Ideally, KeePassXC could use the above mentioned portal API to open URLs.
   Again, the portal will reject the request due to the same issue above, so
   this is not viable either.

Perhaps an alternative implementation of the xdg-desktop-portal would help us
fix this, but given its monolithic design, we'd need to re-implement ALL of it