Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: clarify to run "sudo firecfg" as a normal (desktop) user #6677

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

docs: clarify to run "sudo firecfg" as a normal (desktop) user #6677

wants to merge 1 commit into from

Conversation

kmk3
Copy link
Collaborator

@kmk3 kmk3 commented Mar 7, 2025

End users following the steps for desktop integration may end up running
sudo firecfg as root (or as a similar account) rather than as a normal
desktop user.

In that case, programs opened through a desktop launcher would still not
be running under firejail, which might surprise users.

So clarify that sudo firecfg should be executed as a normal (desktop)
user for desktop integration.

Relates to #6657.

Kind of relates to #5812.

Reported-by: @ginto37

@kmk3 kmk3 added the documentation Issues and pull requests related to the documentation label Mar 7, 2025
@kmk3 kmk3 requested a review from rusty-snake March 7, 2025 11:38
rusty-snake
rusty-snake reviewed Mar 7, 2025
View reviewed changes
README.md
@@ -206,6 +206,9 @@ $ firejail --list

## Desktop integration

Note: Desktop integration is only applied to the user running firecfg, so make
sure to run `sudo firecfg` as a normal (desktop) user, not as root.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The alternatives is

# firecfg
# firecfg --add-users YOUR_USER
$ firecfg --fix

@rusty-snake
Copy link
Collaborator

In that case, programs opened through a desktop launcher would still not
be running under firejail, which might surprise users.

Half the story.

  • if the .desktop file has the program name in the Exec= key rather than the absolute path and does not use DBusActivatable=true, then it works.
  • if the .desktop file has an absolute path in the Exec= key or uses DBusActivatable=true, then it does not work.
  • if the .desktop file has the wrong name ...
  • if the program does autostart, dbus, systemd, ...

@kmk3
docs: clarify to run "sudo firecfg" as a normal (desktop) user
2aed3ce 
End users following the steps for desktop integration may end up running
`sudo firecfg` as root (or as a similar account) rather than as a normal
desktop user.

In that case, programs opened through a desktop launcher would still not
be running under firejail, which might surprise users.

So clarify that `sudo firecfg` should be executed as a normal (desktop)
user for desktop integration.

Relates to netblue30#6657.

Kind of relates to netblue30#5812.

Reported-by: @ginto37
@kmk3 kmk3 force-pushed the docs-clarify-firecfg-user branch from f45266d to 2aed3ce Compare March 7, 2025 12:16
@kmk3 kmk3 mentioned this pull request Mar 7, 2025
Closed
@kmk3 kmk3 marked this pull request as draft March 14, 2025 06:12
@ginto37
Copy link

ginto37 commented Mar 15, 2025

I'm not sure the phrase "normal (desktop) user" really helps here, and I'd suggest not going with that. My admin account, the one with sudo privileges, is a normal, desktop user, and so is my standard user account, the one without the sudo privileges and the one I work in 90% of the time. But only the admin account can run sudo firecfg. Also, most desktop users won't have direct access to root - Fedora, Ubuntu and Debian don't even enable it by default. So the average user will be working with just the admin account and the standard account, only one of which will work with that command.

I feel like there's a fundamental difference in views here regarding the use of accounts on Linux. Basically I feel like you're looking at this from a different angle and it's leading you to write up the instructions from a slightly unhelpful viewpoint that's going to confuse users rather than help them.

For that reason, Rusty-snake's suggestion should be the default method, not the alternative, IMO, otherwise users like myself are going to wonder why sudo firecfg won't work when run in an account which doesn't have sudo privileges for firecfg.

Rusty-snake's method doesn't involve modifying the sudoers file - which would be necessary for a non-admin account, and which you don't cover in the steps, despite it being crucial and capable of breaking the system if performed incorrectly - and encourages separation of admin and standard user accounts, which is good security practice.

In essence,

# firecfg
# firecfg --add-users <EACH USER WHO NEEDS TO USE FIREJAIL>
As each of those users, for those who want desktop integration:
$ firecfg --fix

OOC, where would firecfg --fix-sound come in that list? Does it also have to be run for each user intending to use Firejail?

@rusty-snake
Copy link
Collaborator

sudoers file

I still don't get why you want to modify it.

OOC, where would firecfg --fix-sound come in that list? Does it also have to be run for each user intending to use Firejail?

Each user.

Keep in mind that firejails primary target are single user desktop systems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rusty-snake rusty-snake rusty-snake left review comments

Assignees
No one assigned
Labels
documentation Issues and pull requests related to the documentation
Projects
Release 0.9.74
Status: In progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kmk3 @rusty-snake @ginto37