netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

bleachbit: cannot securely delete the Trash #5337

Closed ghost closed 3 months ago

ghost commented 2 years ago

Is your feature request related to a problem? Please describe.

Problem 1: Bleachbit is used to permanently delete files by overwriting the memory. So the most popular feature of Bleachbit is emptying the Trash.

But bleachbit.profile includes disable-common.inc which blacklists ${HOME}/.local/share/Trash so it's not possible to empty the trash with Bleachbit.

Problem 2: Bleachbit has access to $HOME dir. I don't think it makes sense to deny it access to Trash dir but allow it to home dir. It would make more sense to be the other way around.

Describe the solution you'd like

Improvement 1 to bleachbit.profile:

Add this line:

noblacklist ${HOME}/.local/share/Trash

or if you think it should be blacklisted by default even though it's the most popular use case for Bleachbit, then add these comments:

# Uncomment this line to allow emptying trash (or add to bleachbit.local):
# noblacklist ${HOME}/.local/share/Trash

Improvement 2:

blacklist ${HOME}/Desktop
blacklist ${HOME}/Documents
blacklist ${HOME}/Downloads
blacklist ${HOME}/Music
blacklist ${HOME}/Pictures
blacklist ${HOME}/Public
blacklist ${HOME}/Templates
blacklist ${HOME}/Videos

Describe alternatives you've considered

I have made these improvements in bleachbit.local and it works great.

Something that confused me at first after using Bleachbit to empty the Trash is that the files in ${HOME}/.local/share/Trash were gone as they are supposed to be, but browsing the Trash directory through a file manager shows that the files are still there, but it also says the files don't exist if you try to delete them without Bleachbit. I spent some time searching for answers about this, but then I restarted my file manager and the non-existent files were really gone.

Additional context

Just want to help out with this improvement and contribute. I think it's easier to post this as a feature request instead of making a pull request since it's just a simple profile improvement.

kmk3 commented 2 years ago

@ydididodat commented on Aug 23:

> Is your feature request related to a problem? Please describe.
>
> Problem 1: Bleachbit is used to permanently delete files by overwriting the memory. So the most popular feature of Bleachbit is emptying the Trash.
>
> But bleachbit.profile includes disable-common.inc which blacklists ${HOME}/.local/share/Trash so it's not possible to empty the trash with Bleachbit.
>
> Problem 2: Bleachbit has access to $HOME dir. I don't think it makes sense to deny it access to Trash dir but allow it to home dir. It would make more sense to be the other way around.
>
> Describe the solution you'd like
>
> Improvement 1 to bleachbit.profile:
>
> Add this line:
>
> noblacklist ${HOME}/.local/share/Trash

We could add these commands to the profile:

noblacklist ${HOME}/.local/share/Trash
include disable-xdg.inc

Besides that, do you know all the paths that the program generally needs to access in the home directory? Such as configuration and cache files.

The security of the profile could be much improved by using whitelisting commands to only allow access to specific paths. Blacklisting commands can currently only block access to paths that already exist. That is, the program is free to create ${HOME}/.foorc if it does not already exist, even if blacklist ${HOME}/.foorc is used.

> Describe alternatives you've considered
>
> I have made these improvements in bleachbit.local and it works great.
>
> Something that confused me at first after using Bleachbit to empty the Trash is that the files in ${HOME}/.local/share/Trash were gone as they are supposed to be, but browsing the Trash directory through a file manager shows that the files are still there, but it also says the files don't exist if you try to delete them without Bleachbit. I spent some time searching for answers about this, but then I restarted my file manager and the non-existent files were really gone.

That indeed sounds strange.

Did this happen with or without noblacklist ${HOME}/.local/share/Trash?

What version of firejail and OS did you use?

> Additional context
>
> Just want to help out with this improvement and contribute.

That's great to hear; thanks for the report.

> I think it's easier to post this as a feature request instead of making a pull request since it's just a simple profile improvement.

I get what you mean and having a dedicated issue is usually good for extended discussion, but feel free to also open a pull request if you want. I think that generally pull requests are welcome, especially when the changes are straightforward and the commits are self-explanatory (for example, see https://chris.beams.io/posts/git-commit/).

ghost commented 2 years ago

> We could add these commands to the profile:
>
> noblacklist ${HOME}/.local/share/Trash
> include disable-xdg.inc
>
> Besides that, do you know all the paths that the program generally needs to access in the home directory? Such as configuration and cache files.
>
> The security of the profile could be much improved by using whitelisting commands to only allow access to specific paths. Blacklisting commands can currently only block access to paths that already exist. That is, the program is free to create ${HOME}/.foorc if it does not already exist, even if blacklist ${HOME}/.foorc is used.

Sorry, I don't know. I think it can be found out by monitoring the app without restrictions while testing the features you want. But I'm still a n00b and have lots to learn and too little time.

> That indeed sounds strange.
>
> Did this happen with or without noblacklist ${HOME}/.local/share/Trash?
>
> What version of firejail and OS did you use?

It happened with noblacklist; if you don't have the noblacklist then it won't delete anything at all.

But I think it's normal behavior because I noticed later that if I delete (aka move to trash) things on other disks than the one my OS is on, and then I actually delete them in ${HOME}/.local/share/Trash then I look in the hidden Trash dir on the other disk which the files were in before I moved them to trash, and the files are still there even though they're deleted. If I try to delete them again it says they don't exist. So then I restart the file manager and the files are gone. So it seems like normal behavior.

> That's great to hear; thanks for the report.
>
> > I think it's easier to post this as a feature request instead of making a pull request since it's just a simple profile improvement.
>
> I get what you mean and having a dedicated issue is usually good for extended discussion, but feel free to also open a pull request if you want. I think that generally pull requests are welcome, especially when the changes are straightforward and the commits are self-explanatory (for example, see https://chris.beams.io/posts/git-commit/).

I'm still new and learning and trying to set up my computers the way I like. So I'm just not ready to start doing pull requests yet. Currently I browse GitHub in Whonix. I guess it should be fine to install git on it. I guess maybe I would use file sharing to move the project from the Whonix VM to my host and do the work (changes) there, then file share it back to the Whonix VM and use git to make a pull request. Or maybe there are better/easier ways to use git with Tor.

Have to be careful when using GitHub because if you are working on a project which is currently legal, but in the future it becomes illegal, then you can be banned from GitHub and go to prison for it. That's what happened to the dev of Tornado Cash. Crazy!

rusty-snake commented 2 years ago

Improvement 1: Open a PR. Improvement 2: No. Localization, ...

Whitelisting: It will be a lot of work (maybe the source code of bleachbit contains a list), but if somebody wants to do this, go for it. While I'm not sure if we should make it the default, we would at least include it as an opt-in comment.

[github usage]

For single-file edits the GitHub editor works well.
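kmk3 asked above which ${HOME} paths the program needs, ghost suggested finding out by monitoring the app without restrictions, and rusty-snake noted that a whitelist would be a lot of work. The helper below is an added example for that workflow; it is not part of the firejail project, BleachBit, or this thread. It assumes the program was traced outside the sandbox with something like `strace -f -e trace=file -o bleachbit.trace bleachbit` (an assumed invocation; adapt it to your system) and turns the file-access log into candidate `whitelist` lines for bleachbit.local. The trace lines embedded in it are constructed, not a real capture, and the per-app directories they mention (`.config/bleachbit`, `.cache/bleachbit`) are assumptions used to illustrate the mapping, not a verified list of what BleachBit touches.

```shell
#!/bin/sh
# Added example (not firejail or BleachBit code): derive candidate firejail
# `whitelist` lines from an strace file-access log.
#
# Assumed capture, run outside the sandbox (adapt to your system):
#   strace -f -e trace=file -o bleachbit.trace bleachbit

# Read trace lines on stdin and print one `whitelist ${HOME}/...` line per
# distinct per-app entry the program touched under the home directory.
# $1 is the home directory as it appears in the trace (default: $HOME).
whitelist_candidates() {
    home=${1:-$HOME}
    # 1. keep only double-quoted absolute paths under $home
    # 2. strip the quotes and the $home prefix
    # 3. collapse each path to its per-app directory: two components
    #    (.config/app, .cache/app) or three under .local/share
    #    (.local/share/app), so one line covers the whole tree
    # 4. dedupe and sort so the list is stable across runs
    grep -o "\"$home/[^\"]*\"" \
    | sed -e 's/^"//' -e 's/"$//' -e "s|^$home/||" \
    | awk -F/ '{
          n = ($1 == ".local" && $2 == "share" && NF >= 3) ? 3 : 2
          if (NF < n) n = NF
          p = $1
          for (i = 2; i <= n; i++) p = p "/" $i
          if (!seen[p]++) print "whitelist ${HOME}/" p
      }' \
    | LC_ALL=C sort
}

# Constructed sample trace (not a real capture) so the helper can be tried
# without strace; the per-app paths in it are assumptions for illustration.
sample_trace() {
    cat <<'EOF'
1234 openat(AT_FDCWD, "/home/alice/.config/bleachbit/bleachbit.ini", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/usr/lib/python3/dist-packages/bleachbit/__init__.py", O_RDONLY|O_CLOEXEC) = 4
1234 access("/home/alice/.cache/bleachbit", F_OK) = -1 ENOENT (No such file or directory)
1234 stat("/home/alice/.local/share/Trash/info/old.pdf.trashinfo", {st_mode=S_IFREG|0644, ...}) = 0
1234 openat(AT_FDCWD, "/home/alice/.local/share/Trash/files/old.pdf", O_WRONLY) = 5
1234 unlink("/home/alice/.local/share/Trash/files/old.pdf") = 0
EOF
}

# Dry run on the constructed sample; on a real trace use:
#   whitelist_candidates < bleachbit.trace
sample_trace | whitelist_candidates /home/alice
```

Treat the output as candidates to review, not a finished profile: a trace only shows the paths the session exercised, so run every feature you care about (emptying the Trash, shredding files in Downloads, and so on) before trusting the list, and remember that once a profile whitelists inside ${HOME}, the rest of the home directory is no longer visible to the program, which is exactly the concern kmk3 raises below about blocking Desktop, Downloads and the other user directories.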

kmk3 commented 1 year ago

> Bleachbit is used to permanently delete files by overwriting the memory. So the most popular feature of Bleachbit is emptying the Trash.
>
> Improvement 2:
>
> blacklist ${HOME}/Desktop
> blacklist ${HOME}/Documents
> blacklist ${HOME}/Downloads
> blacklist ${HOME}/Music
> blacklist ${HOME}/Pictures
> blacklist ${HOME}/Public
> blacklist ${HOME}/Templates
> blacklist ${HOME}/Videos

This overwriting feature could also be useful to use in these other directories, so blacklisting them (and/or using whitelisting in ${HOME}) might get in the way of that.

That is, since it works kind of like a file manager, blocking access to common directories by default might be counter-productive, especially if files are deleted directly instead of using the Trash directory (which is more likely to be the case when using a WM instead of a DE).

@rusty-snake Thoughts?

kmk3 commented 3 months ago

> Improvement 1 to bleachbit.profile:
>
> Add this line:
>
> noblacklist ${HOME}/.local/share/Trash

Added on commit 154ffadef ("bleachbit.profile: allow erasing Trash contents", 2023-07-15) / PR #5902.

> Improvement 2:
>
> blacklist ${HOME}/Desktop
> blacklist ${HOME}/Documents
> blacklist ${HOME}/Downloads
> blacklist ${HOME}/Music
> blacklist ${HOME}/Pictures
> blacklist ${HOME}/Public
> blacklist ${HOME}/Templates
> blacklist ${HOME}/Videos

It needs access to these directories in order to overwrite the files in them as well; wontfix.

Closing as resolved.