telegram: cannot open links in browser

[reagentoo]

Hello :) fresh install of Gentoo with Firejail and noticed that clicking links in Telegram with Firejail does not open them in default browser.

Linux:

Gentoo Linux ~amd64

Configuration:

firejail-0.9.72
firefox-123.0.1
telegram-desktop-4.15.2

Console output on clicking links:

/usr/local/bin/xdg-open: line 665: grep: command not found
/usr/local/bin/xdg-open: line 659: grep: command not found
/usr/local/bin/xdg-open: line 688: grep: command not found
xdg-open: file 'https://some.link' does not exist

This is reopen #3031

[kmk3]

Hello :) fresh install of Gentoo with Firejail and noticed that clicking
links in Telegram with Firejail does not open them in default browser.

/usr/local/bin/xdg-open: line 665: grep: command not found
/usr/local/bin/xdg-open: line 659: grep: command not found
/usr/local/bin/xdg-open: line 688: grep: command not found
xdg-open: file 'https://some.link' does not exist

Hello, what happens with the following in ~/.config/firejail/telegram.local:

private-bin grep,sed,tr

If there are more similar errors try adding the commands to private-bin.

[reagentoo]

Hello, what happens with the following in ~/.config/firejail/telegram.local:

private-bin grep,sed,tr

If there are more similar errors try adding the commands to private-bin.

xdg-open: no method available for opening 'https://link'

[kmk3]

If there are more similar errors try adding the commands to private-bin.

xdg-open: no method available for opening 'https://link'

What happens with just ignore private-bin?

Note that you can probably debug this with xdg-open directly:

firejail --profile=telegram /usr/bin/xdg-open 'https://link'

[reagentoo]

What happens with just ignore private-bin?

Note that you can probably debug this with xdg-open directly:

firejail --profile=telegram /usr/bin/xdg-open 'https://link'

I've added the next lines:

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
ignore private-bin

And got the next result:

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

[reagentoo]

Fixed by adding dbus related lines and all xdg-open dependencies:

dbus-user.own org.chromium.*
dbus-user.own org.mozilla.firefox.*
private-bin awk,basename,cut,env,grep,head,realpath,sed,tr,uname,xdg-mime
private-bin chromium,chromium-browser,elinks,epiphany,firefox,google-chrome,iceweasel,konqueror,links,links2,lynx,mozilla,seamonkey,w3m,www-browser,x-www-browser

(not tested with chromium)

Related issues:
#3290

[glu8716]

I just came across this thread and I have a similar problem. By using the default profile what I get is xdg-open: no method available for opening 'https://link'

Adding ignore private-bin opens a new Firefox instance and not the one that is already running:

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

[reagentoo]

I just came across this thread and I have a similar problem.

Try this (~/.config/firejail/telegram.local):

noblacklist ${HOME}/Documents
noblacklist ${HOME}/Pictures
noblacklist ${HOME}/Public
noblacklist ${HOME}/Videos

whitelist ${HOME}/Documents
whitelist ${HOME}/Pictures
whitelist ${HOME}/Public
whitelist ${HOME}/Videos

# Fix video calls
# https://github.com/netblue30/firejail/issues/3872
dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
whitelist /usr/share/pipewire/client.conf

# Fix xdg-open
# https://github.com/netblue30/firejail/issues/6275
dbus-user.own org.chromium.*
dbus-user.own org.mozilla.firefox.*
private-bin awk,basename,cut,env,grep,head,realpath,sed,tr,uname,xdg-mime
private-bin chromium,chromium-browser,elinks,epiphany,firefox,google-chrome,iceweasel,konqueror,links,links2,lynx,mozilla,seamonkey,w3m,www-browser,x-www-browser

[glu8716]

@reagentoo I've already tried the options in your last post, but unfortunately it doesn't work

[glitsj16]

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default

@glu8716
This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in private-etc refactoring. For 0.9.72 you can add login.defs to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

[reagentoo]

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default

@glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in private-etc refactoring. For 0.9.72 you can add login.defs to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

@glitsj16 Hi. Can you please give some comment for the telegram.local in #6275 (comment) (in the context of the refactoring)? Are there any extra or missing rules to fix xdg-open? This config works for me with 0.9.72.

[glitsj16]

@reagentoo Hi. Your fix from #6275 (comment) looks fine. The mentioned private-etc refactoring doesn't affect it. That being said, there are (socket) alternatives being considered for using D-Bus to support URL handling. See #5364 and #5582 for context.

HTH

[glu8716]

Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default

@glu8716 This is fixed in git and will be in the next release. /etc/login.defs is now part of the default group in private-etc refactoring. For 0.9.72 you can add login.defs to private-etc in a telegram.local override. Unlikely this fixes your issue (unless your user != 1000), so just a FYI.

Can confirm that the error is fixed with the git version. However I'm still getting Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features and the link is opened in a new instance of Firefox instead of the already running one.

[glitsj16]

However I'm still getting Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features and the link is opened in a new instance of Firefox instead of the already running one.

@glu8716
Have you tried exporting MOZ_DBUS_REMOTE=1 in your ~/.bashrc (or similar if you happen to use a different shell)? It's a known environment variable that avoids the infamous Firefox is already running dialog and should force opening the link in a running Firefox instance. You've got to close all running FF instances, export the env var and start using FF again afterwards.

[glu8716]

@glitsj16 It doesn't work, unfortunately