thunderbird: cannot open links in firefox (and vice-versa) #3982

Closed
Shimergo opened this issue Feb 12, 2021 · 15 comments
Labels
sandbox-ipc Opening links and talking to programs outside of the sandbox (see #6462)

Comments

@Shimergo

I hope it's OK to ask 'help' questions here, rather than raise an issue as such. I've not been able to get any advice on the Linux Mint forum I usually use.

Anyway, I launch both Thunderbird and Firefox with Firejail (from a terminal). Both work fine on their own, and have all the settings, tabs, etc as they do without Firejail. But they don't work together:

  1. When I click on a link in a Thunderbird email it launches a new Firefox window with a different profile. Two profiles are listed in that window (about:profiles), neither of which are the profile with all my tabs and bookmarks are in. Any idea how I can get Thunderbird to open links in the existing Firejailed Firefox window?

  2. For comms the other way around, when I ask Firefox to 'Email Link' , I get the Account Wizard for Unix Mailspool. How do I get Firefox to pop a Thunderbird New Message like it does without Firejail?

When I do firejail --list, Thunderbird and Firefox are both listed, but it's like they're in separate sandboxes or something - well that's what I deduce cos they're not talking to each other.

If it makes any difference, I installed Firejail from the Linux Mint Software Manager (version is 0.9.62; am more comfortable with that than pasting commands I don't understand into a terminal - my skills are pretty limited), and haven't done any other setup (eg. I don't want apps to be auto-Firejailed - I want to keep the option of running without Firejail).

Thanks!

@rusty-snake
Collaborator

rusty-snake commented Feb 12, 2021

What's your firejail version? EDIT: I should read, it's 0.9.62. There were improvements for this in 0.9.64.

@Shimergo
Author

Any idea of the details that might affect this?
And is there a way to update Firejail without having to uninstall, or do I have to do that apt-get stuff?

@rusty-snake
Collaborator

rusty-snake commented Feb 12, 2021

> And is there a way to update Firejail without having to uninstall, or do I have to do that apt-get stuff?

Stealing @glitsj16 comment.

> Please update your firejail package, the 0.9.62 version is vulnerable to this. You can use the PPA maintained by one of our collaborators if the official repos you use are not (yet) updated. The current chromium profiles block access to ${DESKTOP}, contrary to those in 0.9.62.

My opinion:
Firejail 0.9.64.4 has "fixes" for CVE-2021-26910. You should install another distribution if you want security. Why? Firejail 0.9.64.4 is distributed by Arch Linux, Debian unstable, Fedora 33 and OpenSUSE (Leap and Tumbleweed). Gentoo has it in testing ATM and Debian stable has "fixed" CVE-2021-26910. While Alpine, Fedora 32, Mint (due to Ubuntu), MX Linux and Ubuntu (firejail is in universe) still distribute a vulnerable version.

> When I do firejail --list, Thunderbird and Firefox are both listed, but it's like they're in separate sandboxes or something - well that's what I deduce cos they're not talking to each other.

You can create a profile for both. They already share firefox-common.profile.

```
$ fjp diff thunderbird firefox
The following commands are unique to thunderbird.profile:
include thunderbird.local
ignore include whitelist-runuser-common.inc
ignore dbus-system none
writable-run-user
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.thunderbird
include disable-passwdmgr.inc
include disable-xdg.inc
mkdir ${HOME}/.cache/thunderbird
mkdir ${HOME}/.gnupg
mkdir ${HOME}/.thunderbird
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.thunderbird
whitelist /usr/share/gnupg
whitelist /usr/share/thunderbird
novideo
ignore private-tmp

The following commands are unique to firefox.profile:
include firefox.local
noblacklist ${HOME}/.cache/mozilla
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
whitelist /usr/share/doc
whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist /usr/share/gtk-doc/html
dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
```

> Any idea of the details that might affect this?

Allow TB to open links in a running FFX:

```
# These lines are needed to allow Firefox to load your profile when clicking a link in an email
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
```

@Shimergo
Author

Thanks, rusty-snake, much appreciated. Have made some progress, but not quite there yet.
I managed OK to replace Firejail with version 0.9.64.4

Now when I click on a link in a Thunderbird email it still opens a new Firefox window but at least it now uses my standard Firefox profile. If I close that new Firefox window and then click another Thunderbird email link it opens it in a new tab in the original Firejailed Firefox window, which is what I want. /etc/firejail/thunderbird.profile already has those lines you mention. So how do I get Thunderbird to open all links as a new tab in the open Firefox window, even the first link that I click on in Thunderbird (this is the behaviour I have without Firejail)?

Also I still have the problem for the reverse FF-TB interaction, that when I ask Firefox to 'Email Link' , I get the Account Wizard for Unix Mailspool. How do I fix that to get Firefox to pop a Thunderbird New Message like it does without Firejail?

@Shimergo
Author

Shimergo commented Feb 14, 2021

With a bit more work:

The first part (TB -> FF) seems to be a wider problem with Firefox, so I'll open a new issue.

The second part (FF -> TB) I've found a solution to a similar issue for evolution and had a crack at adapting it for Thunderbird. It works, but I've no clue if I've done it right, so if someone has time, I'd appreciate a check it's safe (inc. noblacklist ${HOME}/.thunderbird which was a typo, but changing it to add /profiles.ini breaks it; then 'Email link' and 'mailto' ask for a TB profile):

```
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/applications/thunderbird.desktop
whitelist /var/mail
whitelist /var/spool/mail
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.local/share/applications/thunderbird.desktop
read-only ${HOME}/.thunderbird/profiles.ini
ignore nodbus
```

Thanks!

@reinerh
Collaborator

reinerh commented Feb 21, 2021

A similar issue was reported on the Debian bug tracker, but I was not able to reproduce it so far.

@rusty-snake
Collaborator

With firejail >= 0.9.64 you should be able to open links from thunderbird in a running firefox.

```
# These lines are needed to allow Firefox to load your profile when clicking a link in an email
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
```

@Shimergo
Author

Shimergo commented Feb 23, 2021

Thanks, both for getting back.

reinerh: It’s similar, but different. My spurious window from the first Thunderbird link click is in the same Firefox profile as the already open window.

rusty-snake: “should be able to”, but it doesn’t :) . I have those lines in my thunderbird.profile. Firejail is setup exactly as it came by default!

Both/All: A fellow Mint user has now kindly been able to replicate this problem, and added some more detail here (see especially later posts). For LibreOffice the same issue is affected by symbolic links to Firejail, but Thunderbird isn’t. Hopefully this may give you some clues to help figure out what’s going on? I’m obviously happy to test any suggestions you have.

@rusty-snake
Collaborator

For reference: #3471 (comment)
For reference: Firefox' IPC differs between Wayland and X11. DBus is only used when firefox runs native under wayland, otherwise SystemV-IPC (?) is used AFAIK.

Does `cat ${HOME}/.mozilla/firefox/profiles.ini` look like this?

```
[Profile0]
Name=foo
IsRelative=1
Path=foo
Default=1

[General]
StartWithLastProfile=1
Version=2

[Install123bar]
Default=foo
Locked=1
```

What happens if you whitelist ${HOME}/.mozilla/firefox/installs.ini in TB?

What happens if you run

  • firejail --profile=thunderbird /usr/bin/firefox https://github.com/
  • firejail --profile=thunderbird /usr/bin/firefox --new-tab https://github.com/
  • firejail --profile=thunderbird /usr/bin/firefox --new-window https://github.com/
  • firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox https://github.com/
  • firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-tab https://github.com/
  • firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-window https://github.com/

while firefox is running inside firejail?

I will try to reproduce this in a mint VM when I have the time.

@Shimergo
Author

Shimergo commented Feb 25, 2021

> Does `cat ${HOME}/.mozilla/firefox/profiles.ini` look like this?

No, I get this:

```
[Install4F96D1932A9F858E]
Default=mwad0hks.default
Locked=1

[Profile0]
Name=default
IsRelative=1
Path=mwad0hks.default
Default=1

[General]
StartWithLastProfile=1
Version=2
```

> What happens if you whitelist ${HOME}/.mozilla/firefox/installs.ini in TB?

Same problem

> What happens if you run
>
> * `firejail --profile=thunderbird /usr/bin/firefox https://github.com/`

Opens a new Firefox window with my home page, nothing else

> * `firejail --profile=thunderbird /usr/bin/firefox --new-tab https://github.com/`

Opens the GitHub page in a new tab in current Firefox window :)

> * `firejail --profile=thunderbird /usr/bin/firefox --new-window https://github.com/`

Opens the GitHub page in a new window

> * `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox https://github.com/`

Opens a new Firefox window with my home page, nothing else

> * `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-tab https://github.com/`

Opens the GitHub page in a new tab in current Firefox window :)

> * `firejail --profile=thunderbird /usr/bin/firejail /usr/bin/firefox --new-window https://github.com/`

Opens the GitHub page in a new window

> while firefox is running inside firejail?

BTW, I also had that extra whitelist in the thunderbird profile for all the above tests. That line is still there for now.

> I will try to reproduce this in a mint VM when I have the time.

Thanks – much appreciate it!

And in case it’s relevant, for all 6 of the above tests I got the error:

```
dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory
```

And for the last 3, it was preceded by:

```
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
```

@rusty-snake
Collaborator

> And in case it’s relevant, for all 6 of the above tests I got the error:
> dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory

#3680

@rusty-snake
Collaborator

> I will try to reproduce this in a mint VM when I have the time.

Did, here is what I found:

  1. I was able to reproduce it. `firejail --profile=thunderbird /usr/bin/firefox https://duckduckgo.com/` opens https://www.linuxmint.com/start/ulyssa/ in a new window.
  2. `firejail --profile=thunderbird /usr/lib/firefox/firefox https://duckduckgo.com/` opens https://duckduckgo.com/ in the current window. So the issue is caused by the wrapper script.
  3. After reading `/usr/bin/firefox` in vim and running `firejail --profile=thunderbird bash -x /usr/bin/firefox https://duckduckgo.com/`, it turns out that the difference between unsandboxed and sandboxed is that firefox is started with `--purgecaches`.
  4. `firejail --whitelist=/var/lib/dpkg --whitelist=${HOME}/.mozilla/*.dpkg_version --profile=thunderbird /usr/bin/firefox https://duckduckgo.com/` opens https://duckduckgo.com/ in the current window.

Conclusion: The following thunderbird.local should work.

```
mkfile ${HOME}/.mozilla/0.dpkg_version
whitelist ${HOME}/.mozilla/0.dpkg_version
```

@Shimergo
Author

Shimergo commented Mar 6, 2021

Yep, that works - Brilliant! - Much appreciate your time on this.

One last question (a quick one hopefully): From further up the thread, are the following lines safe to add to firefox.local? I edited them from someone who had the same issue with evolution, ie. that Firefox 'mailto' and 'File -> Email link' were not working. But I have no clue what these lines do. Bottom line is I just want to check the noblacklists and whitelists aren't adding any vulnerability to the system? Thanks.

```
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.thunderbird
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/applications/thunderbird.desktop
whitelist /var/mail
whitelist /var/spool/mail
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.local/share/applications/thunderbird.desktop
read-only ${HOME}/.thunderbird/profiles.ini
ignore nodbus
```

@rusty-snake
Collaborator

> noblacklist ${HOME}/.local/share/applications/thunderbird.desktop

There is no such blacklist.

> whitelist ${HOME}/.local/share/applications/thunderbird.desktop

Depending: useless or overkill

> noblacklist /var/mail
> noblacklist /var/spool/mail
> noblacklist ${HOME}/.cache/thunderbird
> noblacklist ${HOME}/.thunderbird
> noblacklist ${HOME}/.gnupg
> whitelist /var/mail
> whitelist /var/spool/mail
> whitelist ${HOME}/.cache/thunderbird
> whitelist ${HOME}/.thunderbird/profiles.ini
> whitelist ${HOME}/.gnupg
> read-only ${HOME}/.thunderbird/profiles.ini

If TB is already running, you can remove /var/... and .gnupg and .cache/thunderbird (maybe) I guess.

> ignore nodbus

Allows full escape and does not work with fj>=0.9.64

@Shimergo
Author

Shimergo commented Mar 7, 2021

Great, so to confirm for others, all I need in firefox.local is this, which works a treat:

```
noblacklist ${HOME}/.thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
read-only ${HOME}/.thunderbird/profiles.ini
```

As you say, it only works if TB is already running - but turns out that the code I had before didn’t work either with TB closed. For me, that’s all fine cos TB is always open.
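
The review points raised above, encoded as a small audit for a `firefox.local` file (an added example, not part of the thread and not firejail tooling). The function names, finding categories and the `UNNEEDED` set are assumptions taken from the reviewer's comments; the two inputs are constructed from the variants posted in the thread.

```python
# Paths the reviewer in this thread said could be dropped from firefox.local.
# (Encoded from the review comments; this is not a firejail feature.)
UNNEEDED = {
    "/var/mail", "/var/spool/mail", "${HOME}/.gnupg",
    "${HOME}/.cache/thunderbird",
    "${HOME}/.local/share/applications/thunderbird.desktop",
}

def parse(text):
    """Yield (directive, argument) pairs, skipping blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            cmd, _, arg = line.partition(" ")
            yield cmd, arg.strip().rstrip("/")

def audit(text):
    """Return (category, line) findings for a firejail .local file."""
    rules = list(parse(text))
    read_only = {arg for cmd, arg in rules if cmd == "read-only"}
    findings = []
    for cmd, arg in rules:
        if (cmd, arg) == ("ignore", "nodbus"):
            # Reviewer: "Allows full escape and does not work with fj>=0.9.64"
            findings.append(("dbus-unrestricted", f"{cmd} {arg}"))
        elif cmd in ("noblacklist", "whitelist") and arg in UNNEEDED:
            findings.append(("unneeded-grant", f"{cmd} {arg}"))
        elif (cmd == "whitelist" and arg.endswith("/profiles.ini")
              and arg not in read_only):
            # Both working configs in the thread pair whitelist with read-only.
            findings.append(("writable-profiles-ini", f"{cmd} {arg}"))
    return findings

# Constructed inputs: the accepted firefox.local, and the first proposal,
# which added the grants below on top of it.
FINAL = """\
noblacklist ${HOME}/.thunderbird
whitelist ${HOME}/.thunderbird/profiles.ini
read-only ${HOME}/.thunderbird/profiles.ini
"""
PROPOSED = FINAL + "".join(
    f"noblacklist {p}\nwhitelist {p}\n" for p in sorted(UNNEEDED)
) + "ignore nodbus\n"

if __name__ == "__main__":
    for category, line in audit(PROPOSED):
        print(f"{category:22} {line}")
    print("final:", audit(FINAL) or "no findings")
```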

@Shimergo Shimergo closed this as completed Mar 7, 2021
@kmk3 kmk3 changed the title Firejail: Thunderbird-Firefox Interaction thunderbird: cannot open links in firefox (and vice-versa) Sep 4, 2024
@kmk3 kmk3 added the sandbox-ipc Opening links and talking to programs outside of the sandbox (see #6462) label Sep 5, 2024