Bug#965097: firejail: Firejail Disables U2F/WebAuthn By Default

2020-07-16 Thread Jeff Root
Package: firejail
Version: 0.9.58.2-2
Severity: normal

Dear Maintainer,

   * What led up to the situation?

   Upgraded from Debian 9 to Debian 10.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

   Kept fiddling with Yubikey libs, u2f libs.  Uninstall, purge, reinstall.  Ran
firefox-esr with extensions disabled, ran with fresh profile.

   I also tried removing the Security Device configuration item from the
browser.  I re-loaded the Security Device into the browser.

   * What was the outcome of this action?

   WebAuthn/U2F failed.  Test site demo.yubico.com would not enable U2F
registration.

   * What outcome did you expect instead?

   I expected to use demo.yubico.com to register, then authenticate with my
Yubikey4.

   * What fixed the problem?

   I discovered that /etc/firejail/firejail.conf had

# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes

   I uncommented that line, and changed it to "no" to solve the problem.

  I believe there are two problems here.  First, I don't see any reason why
WebAuthn would be disabled by default.  I'm not aware of any reason that would
improve security or usability.  Second, it was very difficult to understand
this setting; the man page documents BROWSER_DISABLE_U2F, and explains how to
_disable_ U2F, but not how to ENable U2F.  As Debian/upstream has it disabled
by default, I think it would be better for the man page to show how to enable
it, or preferably show how to enable it.  The documentation (and this is likely
an upstream issue) doesn't really describe how the profiles are used, what the
config file is for, or how to override these settings.  (For example, there's a
command line argument to firejail, --nou2f, but no sign of how to _not_ disable
U2F.)

  I would suggest that Debian change that default setting to "no" so that U2F
works out of the box.



-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.2-10
ii  libc6 2.28-10

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.58.2-2
ii  iproute2   4.20.0-2
ii  iptables   1.8.2-4
ii  xauth  1:1.0.10-1
ii  xserver-xephyr 2:1.20.4-1
ii  xvfb   2:1.20.4-1

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed [not included]

-- no debconf information
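
The situation in the report above is that a commented-out `browser-disable-u2f yes` line still leaves the setting active through the built-in default. The following is an added example, not part of the original report and not firejail code: a shell check that prints the effective value for a configuration file given as an argument. The function names and sample files are constructed for illustration; the default of "yes" is an assumption taken from the file's own comment and the behaviour described in the report, and "last active line wins" is likewise an assumption.

```shell
#!/bin/sh
# Added example: report the effective browser-disable-u2f value of a
# firejail configuration file. Hypothetical helper, not part of firejail.

# Value used when no active line is present. Assumption: taken from the
# file comment ("default enabled") and the behaviour in the bug report.
U2F_DEFAULT=yes

# Print "yes" or "no" for the file named in $1.
# Commented lines are ignored, so "# browser-disable-u2f yes" does not set
# anything and the default applies. Assumption: the last active line wins.
effective_disable_u2f() {
    awk -v def="$U2F_DEFAULT" '
        /^[ \t]*#/ { next }
        $1 == "browser-disable-u2f" && ($2 == "yes" || $2 == "no") { val = $2 }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Turn the setting into a statement about what the sandboxed browser sees.
u2f_report() {
    if [ "$(effective_disable_u2f "$1")" = "yes" ]; then
        echo "U2F/WebAuthn devices are hidden from sandboxed browsers"
    else
        echo "U2F/WebAuthn devices are available to sandboxed browsers"
    fi
}

# Constructed sample files: the two lines as quoted in the report, and the
# edited form that the reporter says solved the problem.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# Disable U2F in browsers, default enabled.' \
              '# browser-disable-u2f yes' > "$SAMPLE_DIR/as-shipped"
printf '%s\n' '# Disable U2F in browsers, default enabled.' \
              'browser-disable-u2f no' > "$SAMPLE_DIR/as-edited"

for f in "$SAMPLE_DIR/as-shipped" "$SAMPLE_DIR/as-edited"; do
    printf '%s: browser-disable-u2f=%s (%s)\n' \
        "${f##*/}" "$(effective_disable_u2f "$f")" "$(u2f_report "$f")"
done
```

To check a real system, call `u2f_report` with the path of the installed firejail configuration file.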



Bug#383554: 'pump' fails after receiving IP address, and card is disabled

2006-08-17 Thread Jeff Root
Package: pump
Version: 0.8.21-2
Severity: normal

Pump fails after obtaining an IP address from a DHCP server.  It sends
a DHCPDISCOVER request, gets a DHCPOFFER reply, then sends a second
DHCPDISCOVER request.  This gets a DHCPOFFER, which sets my IP
address, then I get "failed to set default route", which then stops
the interface and disables the card.

(See daemon.log snippet below.)

I replaced 'pump' with 'dhcp3-client', and it all works.

I've swapped between dhcp3-client and pump several times, and the
failure came and went with pump.

I've seen similar reports on the 'net, and it appears to be a
combination of 'pump' and Prism2 cards.

Jeff Root

-- System Information:
My OS: Debian stable (Sarge), up-to-date.
Kernel: 2.4.27-2-386
My HW: Vaio 505TS, Microsoft MN-520 802.11b PCMCIA wireless card


From daemon.log:

Aug 17 13:45:15 localhost cardmgr[1060]: socket 0: Microsoft Wireless Notebook Adapter MN-520
Aug 17 13:45:15 localhost cardmgr[1060]: executing: 'modprobe hostap'
Aug 17 13:45:16 localhost cardmgr[1060]: executing: 'modprobe hostap_cs'
Aug 17 13:45:17 localhost cardmgr[1060]: executing: './network start wlan0'
Aug 17 13:45:17 localhost pumpd[1994]: PUMP: sending discover
Aug 17 13:45:26 localhost pumpd[1994]: got dhcp offer
Aug 17 13:45:26 localhost pumpd[1994]: PUMP: sending second discover
Aug 17 13:45:26 localhost pumpd[1994]: PUMP: got an offer
Aug 17 13:45:27 localhost pumpd[1994]: PUMP: got lease
Aug 17 13:45:27 localhost pumpd[1994]: intf: device: wlan0
Aug 17 13:45:27 localhost pumpd[1994]: intf: set: 416
Aug 17 13:45:27 localhost pumpd[1994]: intf: bootServer: 172.16.241.1
Aug 17 13:45:27 localhost pumpd[1994]: intf: reqLease: 43200
Aug 17 13:45:27 localhost pumpd[1994]: intf: ip: 172.16.8.149
Aug 17 13:45:27 localhost pumpd[1994]: intf: next server: 172.16.241.1
Aug 17 13:45:27 localhost pumpd[1994]: intf: netmask: 255.255.252.0
Aug 17 13:45:27 localhost pumpd[1994]: intf: gateways[0]: 172.16.8.254
Aug 17 13:45:27 localhost pumpd[1994]: intf: numGateways: 1
Aug 17 13:45:27 localhost pumpd[1994]: intf: dnsServers[0]: 172.16.89.1
Aug 17 13:45:27 localhost pumpd[1994]: intf: dnsServers[1]: 172.16.32.10
Aug 17 13:45:27 localhost pumpd[1994]: intf: numDns: 2
Aug 17 13:45:27 localhost pumpd[1994]: intf: broadcast: 172.16.11.255
Aug 17 13:45:27 localhost pumpd[1994]: intf: network: 172.16.8.0
Aug 17 13:45:32 localhost pumpd[1994]: configured interface wlan0
Aug 17 13:45:32 localhost pumpd[1994]: failed to set default route: Network is unreachable
Aug 17 13:45:39 localhost cardmgr[1060]: executing: './network stop wlan0'
Aug 17 13:45:39 localhost pumpd[1994]: terminating as there are no more devices under management
Aug 17 13:45:39 localhost cardmgr[1060]: + Operation failed.

