flathub / com.obsproject.Studio

This repository is no longer used to build OBS. Issues should be reported at https://github.com/obsproject/obs-studio

Access to my personal files #162

Closed lpyparmentier closed 2 years ago

lpyparmentier commented 2 years ago

Hello,

I'm a little bit confused. I'm using flatpak for security reasons, essentially in such a way that all the software does not have access to my personal directories.

I'm confused here: through Flatseal I've disabled everything (network, IPC, wayland, all devices, host fs and other directories, everything in system bus, session bus) and still, OBS has access to my /home/$user directory (visible in settings when selecting the output directory)!? How is that possible? With only the x11 socket and the pulseaudio socket activated.

security motivation

EDIT: does not happen with other software that I've configured (e.g., discord, gimp)

TingPing commented 2 years ago

flatpak override --user --nofilesystem=host com.obsproject.Studio

TingPing commented 2 years ago

I'd expect it to work fine but you'll have to ensure all recordings go to a place it can write to.

lpyparmentier commented 2 years ago

Hey @TingPing, but that's what I'm doing. Remove absolutely everything (along with the host fs access that you propose through the CLI), but once I run OBS and go to the settings (output directory), all the directories under $HOME are completely accessible (so it's capable of r/x and getting inside all the directories/subdirectories). I don't get how that is possible... Is it possible that OBS gets a "visible" access through X11? It would be odd because it does not happen with all my other software (like I said: discord, gimp have no visible access to the host/$HOME).

Some pictures that might help:

Additional information (just in case):

lparmentier@po-lbl:~/unsecure-share$ flatpak --version
Flatpak 1.10.5

lparmentier@po-lbl:~/unsecure-share$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

GeorgesStavracas commented 2 years ago

OBS uses the file chooser portal to select files, the application itself doesn't have access to these files. You can confirm that by running the following commands:

$ flatpak run --command=sh com.obsproject.Studio
$ ls -la

lpyparmentier commented 2 years ago

Sure, weird that it is fine through shell, somehow he finds a way to discover the directory on GUI

[📦 com.obsproject.Studio ~]$ ls -la
total 4
drwxr-xr-x 5 lparmentier lparmentier  100 Oct 22 17:21 .
drwxr-xr-x 3 lparmentier lparmentier   60 Oct 22 17:21 ..
drwxr-xr-x 3 lparmentier lparmentier   60 Oct 22 17:21 .local
drwxr-xr-x 2 lparmentier lparmentier 4096 Oct 21 16:49 unsecure-share
drwxr-xr-x 3 lparmentier lparmentier   60 Oct 22 17:21 .var
[📦 com.obsproject.Studio ~]$ pwd
/home/lparmentier

TingPing commented 2 years ago

> Sure, weird that it is fine through shell, somehow he finds a way to discover the directory on GUI

The goal of Flatpak is to be secure without compromising on user experience, so without exposing the filesystem to applications you can still, securely, allow individual files in through a file chooser.

GeorgesStavracas commented 2 years ago

> Sure, weird that it is fine through shell, somehow he finds a way to discover the directory on GUI

Just to try and make things clearer, when you remove these filesystem permissions, OBS really does lose access to them. The file chooser dialog that you see is controlled by the host system, not by OBS. That's how it's designed to behave.

lpyparmentier commented 2 years ago

@GeorgesStavracas Ok thanks :)

@TingPing that's why I'm using it :)
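
An added example (not part of the original thread, and not OBS or Flatpak project code): a small shell check that reads a Flatpak permission keyfile and classifies the static filesystem grants, which is what `--nofilesystem=host` changes; files picked through the host-controlled file chooser never appear in this list. The function names `fs_grants` and `fs_exposure` and both sample keyfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: a Flatpak permission keyfile on stdin, e.g. from
#   flatpak info --show-permissions com.obsproject.Studio
# or an overrides file, where a leading "!" marks a revoked entry.

# Print the active (non-revoked) filesystem entries, one per line.
fs_grants() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }   # track current section
        in_ctx && sub(/^filesystems=/, "") {
            n = split($0, entry, ";")
            for (i = 1; i <= n; i++)
                if (entry[i] != "" && entry[i] !~ /^!/) print entry[i]
        }'
}

# Classify exposure of personal files:
#   BROAD   = host or home is granted (whole home directory reachable)
#   LIMITED = only specific paths or non-home locations are granted
#   NONE    = no static filesystem grant at all
fs_exposure() {
    fs_grants | awk '
        { sub(/:(ro|rw|create)$/, ""); any = 1 }      # drop access-mode suffix
        $0 == "host" || $0 == "home" { broad = 1 }
        END { print (broad ? "BROAD" : (any ? "LIMITED" : "NONE")) }'
}

# Constructed sample: an app shipping with full host access.
SAMPLE_DEFAULT='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-run/pipewire-0;'

# Constructed sample: host revoked, one directory shared on purpose.
SAMPLE_LOCKED='[Context]
sockets=x11;pulseaudio;
filesystems=!host;~/unsecure-share;'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_LOCKED"; do
    printf '%s\n' "$sample" | fs_exposure
done
```

A result of `LIMITED` or `NONE` matches what the `ls -la` inside the sandbox shows in the thread: the host's file chooser dialog can still browse `$HOME`, but the application process cannot.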