PaulN
i hear ya, can get a bit confusing install stuff, setting user permissions
and all of that, i use firejail with palemoon with this config on arch linux
first to tell ya might be doin it wrong, bad config etc but think i got it
half way there, so this post is to give you something to reference,
for others to 'check' make sure i'm not messed up too bad and i do hope
this helps ya out
once you have palemoon downloaded and saved to your user's directory you want to
Code:
chown -R yeruser:users palemoon   # etc
easiest way to figure out what that command is via terminal you will
cd to your download location, probably in your regular user's directory
so the command from terminal will be like "cd youruser"
you want to find out who the files belong to via: "ls -l"
so if your output comes back "bobisawesome:users" there ya go
let's set the palemoon folder to that bob guy:
"chown -R bobisawesome:users palemoon"
ok, as ya know, firejail does its best to be universal for a lot of distros etc
but yeah, sometimes doesn't go too well even when the installation does,
it's like this on arch a lot simply because every arch box can be very unique in config
so first thing to do is backup whatever original firejail files ya got and are gonna use
for palemoon, that way if we make a mistake (seen me do it too) we can recover the edits
next thing is and this is way above my paygrade but different distros have different permission
configs, how or why i dunno but again keep that in mind, if a profile is not working you got it,
probably a permission deal or the files firejail was going for are not in their directory
as example on arch in order for me to even be able to launch firejail i have to at boot:
xhost local:myuser
that lets me launch palemoon since i have palemoon configd as a 'portable' app in my regular user
directory, and i have the files in the palemoon folder owned by that user via chown -R
i don't mean to repeat too much but treat what i'm posting here as 'entertainment'
someone else who knows what's up for real says something go with that
ok, next ya want say an example of a firejail profile, i combined everything into one file
and ran a command to get a list of my apps blah blah, probably diff command on your distro
Code:
#--------------
# Firejail profile for palemoon/pmzport | 121418
# to list your apps out to a file:
# pacman -Qet | cut -f 1 -d " " > filename
# to add your switches to your filename list:
# sed -e 's#^#blacklist ${PATH}/#' filename > newfilename
#
noblacklist ${HOME}/.cache/moonchild productions
noblacklist ${HOME}/.moonchild productions
noblacklist ${HOME}/.mozilla
#
notv
nodvd
noroot
nodbus
nogroups
apparmor
netfilter
nonewprivs
private-tmp
disable-mnt
noexec /tmp
protocol unix,inet
#
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc
include /etc/firejail/disable-common.local
#
blacklist /home/youruser/downloads
blacklist /home/youruser/videos
blacklist /home/youruser/.local
#
blacklist /root
blacklist /srv
blacklist ${PATH}/lua*
blacklist /usr/lib/lua
blacklist /usr/include/lua*
blacklist /usr/share/lua
blacklist ${PATH}/node
blacklist /usr/include/node
blacklist ${HOME}/.nvm
blacklist ${PATH}/cpan*
blacklist ${PATH}/core_perl
blacklist ${PATH}/perl
blacklist /usr/lib/perl*
blacklist /usr/share/perl*
blacklist ${PATH}/php*
blacklist /usr/lib/php*
blacklist /usr/share/php*
blacklist ${PATH}/ruby
blacklist /usr/lib/ruby
blacklist ${PATH}/python2*
blacklist /usr/include/python2*
blacklist /usr/lib/python2*
blacklist /usr/local/lib/python2*
blacklist /usr/share/python2*
blacklist ${PATH}/python3*
blacklist /usr/include/python3*
blacklist /usr/lib/python3*
blacklist /usr/local/lib/python3*
blacklist /usr/share/python3*
blacklist-nolog ${HOME}/.*_history
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.cache/greenclip*
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.kde/share/apps/klipper
blacklist-nolog ${HOME}/.kde4/share/apps/klipper
blacklist-nolog ${HOME}/.local/share/fish/fish_history
blacklist-nolog ${HOME}/.local/share/klipper
blacklist-nolog ${HOME}/.macromedia
blacklist-nolog /tmp/clipmenu*
blacklist ${HOME}/.Xsession
blacklist ${HOME}/.blackbox
blacklist ${HOME}/.config/autostart
blacklist ${HOME}/.config/autostart-scripts
blacklist ${HOME}/.config/awesome
blacklist ${HOME}/.config/i3
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.config/openbox
blacklist ${HOME}/.config/plasma-workspace
blacklist ${HOME}/.config/startupconfig
blacklist ${HOME}/.config/startupconfigkeys
blacklist ${HOME}/.fluxbox
blacklist ${HOME}/.gnomerc
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/env
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.kde/share/config/startupconfig
blacklist ${HOME}/.kde/share/config/startupconfigkeys
blacklist ${HOME}/.kde/shutdown
blacklist ${HOME}/.kde4/env
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde4/shutdown
blacklist ${HOME}/.kde4/share/config/startupconfig
blacklist ${HOME}/.kde4/share/config/startupconfigkeys
blacklist ${HOME}/.local/share/autostart
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.xserverrc
blacklist ${HOME}/.xsession
blacklist ${HOME}/.xsessionrc
blacklist /etc/X11/Xsession.d
blacklist /etc/xdg/autostart
blacklist ${HOME}/.config/khotkeysrc
blacklist ${HOME}/.config/krunnerrc
blacklist ${HOME}/.config/kscreenlockerrc
blacklist ${HOME}/.config/ksslcertificatemanager
blacklist ${HOME}/.config/kwinrc
blacklist ${HOME}/.config/kwinrulesrc
blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
blacklist ${HOME}/.config/plasmashellrc
blacklist ${HOME}/.config/plasmavaultrc
blacklist ${HOME}/.kde/share/apps/kwin
blacklist ${HOME}/.kde/share/apps/plasma
blacklist ${HOME}/.kde/share/apps/solid
blacklist ${HOME}/.kde/share/config/khotkeysrc
blacklist ${HOME}/.kde/share/config/krunnerrc
blacklist ${HOME}/.kde/share/config/kscreensaverrc
blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
blacklist ${HOME}/.kde/share/config/kwinrc
blacklist ${HOME}/.kde/share/config/kwinrulesrc
blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
blacklist ${HOME}/.kde4/share/apps/kwin
blacklist ${HOME}/.kde4/share/apps/plasma
blacklist ${HOME}/.kde4/share/apps/solid
blacklist ${HOME}/.kde4/share/config/khotkeysrc
blacklist ${HOME}/.kde4/share/config/krunnerrc
blacklist ${HOME}/.kde4/share/config/kscreensaverrc
blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
blacklist ${HOME}/.kde4/share/config/kwinrc
blacklist ${HOME}/.kde4/share/config/kwinrulesrc
blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
blacklist ${HOME}/.local/share/kglobalaccel
blacklist ${HOME}/.local/share/kwin
blacklist ${HOME}/.local/share/plasma
blacklist ${HOME}/.local/share/plasmashell
blacklist ${HOME}/.local/share/solid
read-only ${HOME}/.Xauthority
read-only ${HOME}/.cache/ksycoca5_*
read-only ${HOME}/.config/*notifyrc
read-only ${HOME}/.config/kdeglobals
read-only ${HOME}/.config/kio_httprc
read-only ${HOME}/.config/kiorc
read-only ${HOME}/.config/kioslaverc
read-only ${HOME}/.config/ksslcablacklist
read-only ${HOME}/.kde/share/apps/konsole
read-only ${HOME}/.kde/share/apps/kssl
read-only ${HOME}/.kde/share/config/*notifyrc
read-only ${HOME}/.kde/share/config/kdeglobals
read-only ${HOME}/.kde/share/config/kio_httprc
read-only ${HOME}/.kde/share/config/kioslaverc
read-only ${HOME}/.kde/share/config/ksslcablacklist
read-only ${HOME}/.kde/share/kde4/services
read-only ${HOME}/.kde4/share/apps/konsole
read-only ${HOME}/.kde4/share/apps/kssl
read-only ${HOME}/.kde4/share/config/*notifyrc
read-only ${HOME}/.kde4/share/config/kdeglobals
read-only ${HOME}/.kde4/share/config/kio_httprc
read-only ${HOME}/.kde4/share/config/kioslaverc
read-only ${HOME}/.kde4/share/config/ksslcablacklist
read-only ${HOME}/.kde4/share/kde4/services
read-only ${HOME}/.local/share/konsole
read-only ${HOME}/.local/share/kservices5
read-only ${HOME}/.local/share/kssl
blacklist /run/user/*/kdeinit5__*
blacklist /run/user/*/ksocket-*/kdeinit4__*
blacklist /tmp/ksocket-*/kdeinit4__*
blacklist ${HOME}/.local/share/gnome-shell
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
blacklist /var/lib/systemd
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.config/VirtualBox
blacklist ${HOME}/VirtualBox VMs
blacklist ${HOME}/.VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist /usr/share/veracrypt
blacklist ${HOME}/.TrueCrypt
blacklist ${PATH}/truecrypt
blacklist ${PATH}/truecrypt-uninstall.sh
blacklist /usr/share/applications/truecrypt.*
blacklist /usr/share/pixmaps/truecrypt.*
blacklist /usr/share/truecrypt
blacklist ${HOME}/.zuluCrypt
blacklist ${HOME}/.zuluCrypt-socket
blacklist ${PATH}/zuluCrypt-cli
blacklist ${PATH}/zuluMount-cli
blacklist /var/cache/apt
blacklist /var/cache/pacman
blacklist /var/lib/apt
blacklist /var/lib/clamav
blacklist /var/lib/dkms
blacklist /var/lib/mysql/mysql.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/pacman
blacklist /var/lib/upower
blacklist /var/mail
blacklist /var/opt
blacklist /var/run/acpid.socket
blacklist /var/run/docker.sock
blacklist /var/run/minissdpd.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/screens
blacklist /var/spool/anacron
blacklist /var/spool/cron
blacklist /var/spool/mail
blacklist /etc/anacrontab
blacklist /etc/cron*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/rc?.d
blacklist /etc/kernel*
blacklist /etc/grub*
blacklist /etc/dkms
blacklist /etc/apparmor*
blacklist /etc/selinux
blacklist /etc/modules*
blacklist /etc/logrotate*
blacklist /etc/adduser.conf
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_aliases
read-only ${HOME}/.bash_login
read-only ${HOME}/.bash_logout
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bashrc
read-only ${HOME}/.config/fish
read-only ${HOME}/.csh_files
read-only ${HOME}/.cshrc
read-only ${HOME}/.forward
read-only ${HOME}/.local/share/fish
read-only ${HOME}/.login
read-only ${HOME}/.logout
read-only ${HOME}/.oh-my-zsh
read-only ${HOME}/.pam_environment
read-only ${HOME}/.pgpkey
read-only ${HOME}/.plan
read-only ${HOME}/.profile
read-only ${HOME}/.project
read-only ${HOME}/.tcshrc
read-only ${HOME}/.zlogin
read-only ${HOME}/.zlogout
read-only ${HOME}/.zprofile
read-only ${HOME}/.zsh.d
read-only ${HOME}/.zsh_files
read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
read-only ${HOME}/.ssh/authorized_keys
read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d
read-only ${HOME}/.exrc
read-only ${HOME}/.gvimrc
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.mailcap
read-only ${HOME}/.msmtprc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.nano
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.vim
read-only ${HOME}/.viminfo
read-only ${HOME}/.vimrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
read-only ${HOME}/_exrc
read-only ${HOME}/_gvimrc
read-only ${HOME}/_vimrc
read-only ${HOME}/dotfiles
read-only ${HOME}/.homesick
read-only ${HOME}/.gem
read-only ${HOME}/.luarocks
read-only ${HOME}/.npm-packages
read-only ${HOME}/bin
blacklist ${HOME}/.local/share/Trash
read-only ${HOME}/.config/menus
read-only ${HOME}/.local/share/applications
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.key
blacklist ${HOME}/.Private
blacklist ${HOME}/.caff
blacklist ${HOME}/.cert
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.ecryptfs
blacklist ${HOME}/.fetchmailrc
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.local/share/keyrings
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.netrc
blacklist ${HOME}/.pki
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/.ssh
blacklist ${HOME}/.vaults
blacklist /etc/group+
blacklist /etc/group-
blacklist /etc/gshadow
blacklist /etc/gshadow+
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/passwd-
blacklist /etc/shadow+
blacklist /etc/shadow-
blacklist /etc/ssh
blacklist /home/.ecryptfs
blacklist /var/backup
blacklist ${HOME}/.aws
blacklist ${HOME}/.boto
blacklist /etc/boto.cfg
blacklist ${HOME}/.config/gcloud
blacklist ${HOME}/.kube
blacklist /sbin
blacklist /usr/local/sbin
blacklist /usr/sbin
blacklist ${PATH}/at
blacklist ${PATH}/chage
blacklist ${PATH}/chfn
blacklist ${PATH}/chsh
blacklist ${PATH}/crontab
blacklist ${PATH}/evtest
blacklist ${PATH}/expiry
blacklist ${PATH}/fusermount
blacklist ${PATH}/gpasswd
blacklist ${PATH}/ksu
blacklist ${PATH}/mount
blacklist ${PATH}/mount.ecryptfs_private
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
blacklist ${PATH}/newgidmap
blacklist ${PATH}/newgrp
blacklist ${PATH}/newuidmap
blacklist ${PATH}/ntfs-3g
blacklist ${PATH}/pkexec
blacklist ${PATH}/procmail
blacklist ${PATH}/sg
blacklist ${PATH}/strace
blacklist ${PATH}/su
blacklist ${PATH}/umount
blacklist ${PATH}/unix_chkpwd
blacklist ${PATH}/xev
blacklist ${PATH}/xinput
blacklist /usr/lib/virtualbox
blacklist /usr/lib64/virtualbox
blacklist /tmp/.lxterminal-socket*
blacklist /tmp/tmux-*
blacklist ${PATH}/lxterminal
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/tilix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
blacklist /initrd*
blacklist /vmlinuz*
blacklist /.snapshots
blacklist ${HOME}/*.config/flatpak
blacklist ${HOME}/*.var
blacklist ${HOME}/*.local/share/flatpak
blacklist /var/lib/flatpak
blacklist /usr/share/flatpak
blacklist ${PATH}/bwrap
# ********* PASTE YOUR APPS LIST BELOW (the blacklist ${PATH}/... lines) ************
#
#--------------
so i took the smaller original firejail palemoon profile combined everything
that it was looking for, yeah a lot of it is not on my computer's config but that's ok,
left them in there, then ran the command at the top to search for a recent copy of my
installed apps and added them manually via the commands above this way the profile is specific
to my config, not generic, now how much a diff does that make? i dunno, but it's a warm fuzzy
anytime you can't get your browser to start a way to 'troubleshoot' that is say for example:
Code:
firejail --profile=/etc/firejail/pmzporttok.profile sudo -u youruser /home/youruser/pmz/app/./palemoon -profile /home/youruser/palemoon/data
now mod that command for your directory
here's a bash script you can modify so grabs latest version i use it to snag palemoon and config it as a 'portable':
Code:
#!/bin/sh
#################################################
# 031819
# modify url when needed for latest version
# find latest: http://linux.palemoon dot org/download/mainline/
# SHA-256 checksum: 77222e60d09f9ea984bbea5589e7b12f0d459e89e722f0bc25c46527d71a6389
# sha256sum palemoon-28.4.0.linux-x86_64.tar.bz2
# wget -q --show-progress https://linux.palemoon.org/datastore/release/palemoon-28.4.0.linux-x86_64.tar.bz2.sig
# list palemoon:
# https://pgp.key-server.io/pks/lookup?search=palemoon&fingerprint=on&op=vindex
# verify signature from here:
# http://pgp.key-server.io/pks/lookup?search=0x865E6C87C65285EC&fingerprint=on&op=vindex
# wget -q --show-progress https://pgp.key-server.io/download/0x865E6C87C65285EC && mv 0x865E6C87C65285EC 0x865E6C87C65285EC.asc
# gpg2 --import 0x865E6C87C65285EC.asc
# gpg2 --verify palemoon-28.4.0.linux-x86_64.tar.bz2.sig palemoon-28.4.0.linux-x86_64.tar.bz2
# gpg: Good signature from "sumbruh <xxxxxxxxx at sumemaildotcom>" [unknown]
url='https://linux.palemoon.org/datastore/release/palemoon-28.4.0.linux-x86_64.tar.bz2' # change when needed
#
echo 'downloading palemoon....'
sleep 1
cd /home/yerusr
mkdir -p /home/yerusr/palez
cd /home/yerusr/palez
sleep 1
wget "$url"
echo 'creating directories...'
sleep 1
tar xfj palemoon-28.4.0.linux-x86_64.tar.bz2
sleep 1
mv palemoon-28.4.0.linux-x86_64.tar.bz2 palemoonbkup.tar.bz2
mv /home/yerusr/palez/palemoon /home/yerusr/palez/app
mkdir -p /home/yerusr/palez/data
sleep 1
echo 'stopping all instances...'
killall palemoon
rm -r "/home/yerusr/.moonchild productions"
rm -r /home/yerusr/.mozilla
rm -r "/home/yerusr/.cache/moonchild productions"
sleep 1
echo 'setting permissions...'
sleep 1
chown -R yerusr:users /home/yerusr/palez
echo 'yerusr given boss status'
sleep 1
echo 'palemoon portable installed'
sleep 2
echo 'fluxbox menu ex: [exec] (palz) {firejail --profile=/etc/firejail/palemoon.profile sudo -u yerusr /home/yerusr/palez/app/./palemoon -profile /home/yerusr/palez/data}'
sleep 2
#
#########################################################
as ya can see the directory in the script is 'palez' so yeah change what ya want for your configuration or needs
and change for your user's name
so if you copy the script to a text file, save it as palemoon.sh for example, chmod +x palemoon.sh then run it via ./palemoon.sh
change the download target from palemoon's site to the recent version if needed
sincerely, mrtok
--------
note: forgot to add some .bashrc aliases mod for your distro helps clear out palemoon when needed:
#
Code:
alias pale2="rm -r /home/yerusr/.mozilla"
#
Code:
alias pale3="rm -r /home/yerusr/.cache/moonchild\ productions && rm -r /home/yerusr/.moonchild\ productions"
nuthr update: updated portable script for latest palemoon at this time plus added signature verify
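
The download script above leaves the SHA-256 and gpg2 checks as commented manual steps. As an added example (not part of the original post), this shell script refuses to unpack the tarball unless both checks pass; the function names are hypothetical, and the fingerprint argument is a placeholder for the signing key's full fingerprint, which the post does not list (it gives only the key ID).

```shell
#!/bin/sh
# Added example (not from the original post): unpack a downloaded tarball only
# when its SHA-256 digest and its detached GPG signature both check out.

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, non-zero otherwise
verify_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_sig FILE SIGFILE FINGERPRINT -> 0 only when gpg reports a valid
# signature made by the pinned key. "Good signature" alone is not enough:
# any key in the keyring can produce it, so the fingerprint is compared too.
verify_sig() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    # gpg prints fingerprints as upper-case hex without spaces
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # VALIDSIG carries the signing key fingerprint ($3) and, as its last
    # field, the primary key fingerprint; accept a match on either one.
    printf '%s\n' "$status" | awk -v fpr="$fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# extract_if_verified TARBALL SHA256 SIGFILE FINGERPRINT DESTDIR
extract_if_verified() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_sig "$1" "$3" "$4" || { echo "signature check failed: $1" >&2; return 1; }
    mkdir -p "$5" && tar -xjf "$1" -C "$5"
}

# Run as: ./verify.sh TARBALL SHA256 SIGFILE FINGERPRINT DESTDIR
# FINGERPRINT is a placeholder argument: the full 40-hex-digit fingerprint of
# the signing key, obtained from a source you trust.
if [ "$#" -eq 5 ]; then
    extract_if_verified "$@"
fi
```

The signing key still has to be imported first (the `gpg2 --import` step in the script's comments), otherwise `verify_sig` fails closed and nothing is extracted.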