flathub / ind.ie.Gnomit

https://flathub.org/apps/details/ind.ie.Gnomit

Reduce permissions #1

Closed rugk closed 4 years ago

rugk commented 6 years ago

…because this effectively allows a sandbox escape:

Almost all popular applications on flathub come with filesystem=host, filesystem=home or device=all permissions, that is, write permissions to the user home directory (and more), this effectively means that all it takes to "escape the sandbox" is echo download_and_execute_evil >> ~/.bashrc. That's it.

http://flatkill.org/

So it would be great, if it can be used without it.

TingPing commented 6 years ago

It could probably work without it but the command becomes very ugly:

flatpak run --file-forwarding ind.ie.Gnomit @@ /a/path @@

The network permission also seems unnecessary.

rugk commented 6 years ago

The network permission also seems unnecessary.

Good point, indeed!

but the command becomes very ugly

Yeah, but this is one value you set in your git config one time. That's it! And it strengthens the sandbox (not to say it fixes a big "loophole"), so IMHO it is very much worth it.

aral commented 6 years ago

Regarding not having the host file system permission: I don’t understand how that could work as the commit message editor is meant to work with any number of repositories on your machine and the commit message file that is passed to it is repository-specific. Having you re-register your editor per repository is not a tenable proposition. Am I missing something?

Regarding network permissions: I don’t see why that’s necessary either. I will test it without and remove it if it isn’t necessary.

rugk commented 6 years ago

Couldn't you just use relative paths? E.g. allow access to ./.git or where the file is stored? And if you are in a subdir you may be able to just also whitelist ../.git, ../../.git and so on?

TingPing commented 6 years ago

@aral The command I posted will grant access to any file passed to it. Since it only needs to open individual files it should work fine.

aral commented 6 years ago

Is /a/path some sort of custom glob? I thought it would only grant access to, literally, /a/path

Aral

On 21 Oct 2018, at 15:24, TingPing notifications@github.com wrote:

@aral The command I posted will grant access to any file passed to it. Since it only needs to open individual files it should work fine.

TingPing commented 6 years ago

It's a file path, any file path...
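The `--file-forwarding` invocation TingPing posted and the one-time git config rugk mentioned, put together as an added example that is not part of this thread or of the Gnomit project; the wrapper path, the audit function and the sample finish-args are assumptions/constructed:

```shell
#!/bin/sh
# Added example, not code from the Gnomit project. Two pieces from the thread:
# a wrapper so git can invoke Gnomit with --file-forwarding (the sandbox then
# sees only the commit-message file, not the whole home directory), and a
# check that flags the broad finish-args flatkill.org warns about.
# File names and the sample variables below are assumptions/constructed.

# 1) Editor command. git runs "<editor> <path to COMMIT_EDITMSG>"; flatpak
#    replaces everything between the two "@@" markers with a path the
#    sandboxed app may read and write. Returns the exact command line.
gnomit_editor_cmd() {
    printf 'flatpak run --file-forwarding ind.ie.Gnomit @@ %s @@' "$1"
}

# Install it once as the git editor (the "one value you set in your git
# config"); ~/bin/gnomit-git-editor is an assumed location:
#   cat > ~/bin/gnomit-git-editor <<'EOF'
#   #!/bin/sh
#   exec flatpak run --file-forwarding ind.ie.Gnomit @@ "$@" @@
#   EOF
#   chmod +x ~/bin/gnomit-git-editor
#   git config --global core.editor ~/bin/gnomit-git-editor

# 2) Permission audit. $1 holds a manifest's finish-args, one per line.
#    Returns 0 if none of the over-broad grants is present, 1 otherwise
#    (offending lines go to stderr).
audit_finish_args() {
    bad=$(printf '%s\n' "$1" \
        | grep -E -- '^--(filesystem=(host|home)|device=all|share=network)' || true)
    if [ -n "$bad" ]; then
        printf 'over-broad finish-args:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample finish-args: the pattern the issue objects to, and a
# reduced set that keeps only what a GTK editor needs to show its window.
WEAK_ARGS='--share=ipc
--socket=wayland
--socket=fallback-x11
--filesystem=host
--share=network'
HARDENED_ARGS='--share=ipc
--socket=wayland
--socket=fallback-x11'
```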

sonnyp commented 4 years ago

https://github.com/indie-mirror/gnomit/pull/7

aral commented 4 years ago

Closing this as Sonny’s changes have now been merged.