flathub / com.tutanota.Tutanota

https://flathub.org/apps/details/com.tutanota.Tutanota

Overly Permissive Permissions #176

Open czhang03 opened 8 months ago

czhang03 commented 8 months ago

I realize that tuta has host:ro, and wondering why it is necessary.

If this is needed to access some system files, I think the host-os:ro should be more modular.

See: https://man7.org/linux/man-pages/man5/flatpak-metadata.5.html

pm4rcin commented 3 weeks ago

@charlag could you provide some details as to why we need access to the whole home directory? What is the actual use case that cannot be done without all these permissions? Perhaps reducing them more than they are now? I can provide a PR but I'd like to know why some things have to be kept.

charlag commented 3 weeks ago

@pm4rcin I am not sure anymore. I can find this commit:

https://github.com/flathub/com.tutanota.Tutanota/commit/bbb84c69ece1743158b86b3cec160e989d149ff0

which claims to fix second instance detection but that is in a well-known location.

It might be related to picking download destination or something else, one would have to do some testing.

I will be honest, for me personally this is not on top of my priority list, I would rather make everything work in Flatpak and then lock it down. Both might require some changes in the app itself.

pm4rcin commented 3 weeks ago

> It might be related to picking download destination or something else, one would have to do some testing.

I have revoked all filesystem permissions and was able to easily pick any file because Electron uses portals for this. My testing procedure:

  1. Revoke all filesystem permissions.
  2. Write a new email to self and pick any file.
  3. Send email and click on the one you've received.
  4. Download attachment and try to save it on any location (file system picker portal comes).
  5. Compare the hashes just to make sure file was not corrupted.
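The procedure above revokes everything and checks that the app still works through portals. A complementary check, before and after such a change, is to read the app's `[Context]` section and list the grants that reach beyond app-private storage. The script below is an added example, not code from this repository or from Tutanota: it parses the key=value format described in flatpak-metadata(5) from a constructed sample (the permission values are illustrative, not copied from the real com.tutanota.Tutanota manifest) and flags `host`, `host-os`, `host-etc`, `home`, absolute paths and `xdg-run/keyring`, the last because it hands the app the secret service socket directly rather than going through the sandboxed D-Bus proxy.

```shell
#!/bin/sh
# Constructed sample in the flatpak-metadata(5) format. The [Context] values are
# illustrative only and are NOT the real com.tutanota.Tutanota permissions.
SAMPLE_METADATA=$(cat <<'EOF'
[Application]
name=com.example.App
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host:ro;xdg-run/keyring;xdg-download;
EOF
)

# Print the value of one key from the [Context] section only (keys in other
# sections with the same name are ignored).  $1 = metadata text, $2 = key
context_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }
    in_ctx && index($0, key "=") == 1 { print substr($0, length(key) + 2) }'
}

# Print one filesystem grant per line that exposes more than app-private data.
# The :ro / :rw / :create suffix is stripped before matching, so host:ro is
# still reported: read access to the whole host is the point of this audit.
broad_filesystem_grants() {  # $1 = metadata text
  context_value "$1" filesystems | tr ';' '\n' | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    name=${entry%%:*}
    case "$name" in
      host|host-os|host-etc|home|/*|xdg-run/keyring) printf '%s\n' "$entry" ;;
    esac
  done
}

# Number of broad grants, as a plain integer string.
count_broad_grants() {  # $1 = metadata text
  broad_filesystem_grants "$1" | wc -l | tr -d ' '
}

# Render (do not run) the user-level override equivalent to step 1 above,
# i.e. dropping host and home filesystem access for one app id.
override_command() {  # $1 = app id
  printf 'flatpak override --user --nofilesystem=host --nofilesystem=home %s\n' "$1"
}

# Stand-alone run: audit the constructed sample.
echo "Broad filesystem grants found: $(count_broad_grants "$SAMPLE_METADATA")"
broad_filesystem_grants "$SAMPLE_METADATA" | sed 's/^/  - /'
echo "Suggested override: $(override_command com.example.App)"
```

To run this against an installed app instead of the sample, feed it the output of `flatpak info --show-permissions <app-id>`, which prints the same `[Context]` section; the override line printed at the end is the command form of step 1 in the procedure above.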

pm4rcin commented 3 weeks ago

@charlag one more question do you remember why xdg-run/keyring access is needed? Isn't it only required to have bus access for it to work? Or there was some edge case?

charlag commented 2 weeks ago

@pm4rcin sorry, I have a memory of answering you but actually I didn't.

It's for libsecret. It might not be needed anymore, but we also have a patched libsecret which switches back from the forced file backend to the d-bus backend, but I have already heard from flatpak devs that such access to the keyring is unsafe, so I don't know how long we can get away with doing that.

I think you could try removing it and seeing if it works.