iridium-browser + unveil


iridium-browser + unveil

Stefan Wollny-2
Hi there,

just a little nit with the iridium-browser unveiled:

I changed the 'exec' command in /usr/local/bin/iridium like so:
- LANG=${_l} exec "/usr/local/iridium/iridium" "${@}"
+ LANG=${_l} exec "/usr/local/iridium/iridium" "--enable-unveil" "${@}"
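Review bot: the flag is prepended unconditionally in front of "${@}", so once this edit is in place there is no way to start the browser without unveil short of editing the wrapper again, and since /usr/local/bin/iridium is the wrapper shipped by the port, the next package update overwrites the change. A local wrapper or alias that calls the packaged wrapper with --enable-unveil in front of "$@" (for example a one-line script in ~/bin) keeps the change across updates and leaves the unmodified wrapper available when a file outside the unveiled set is needed.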

With this change I can browse the web as before. BUT: My start page is an
HTML file in the user's home directory containing a huge collection of
links to web sites. I use this file at home and at work, where I am
forced to use the most popular unsafe OS. With iridium unveiled this
page is no longer accessible; instead I get 'ERR_FILE_NOT_FOUND'.

Switching back to the exec without "--enable-unveil", iridium finds
the file again. Easily reproducible.

With other browsers (e.g. FF, otter, netsurf, links+) this particular
file is accessible. No reason not to enable unveil on iridium, in
particular as it has just been updated (in ports).

Best,
STEFAN


Re: iridium-browser + unveil

Stefan Wollny-2
On 08.11.18 at 09:03, Stefan Wollny wrote:

> Hi there,
>
> just a little nit with the iridium-browser unveiled:
>
> I changed the 'exec' command in /usr/local/bin/iridium like so:
> - LANG=${_l} exec "/usr/local/iridium/iridium" "${@}"
> + LANG=${_l} exec "/usr/local/iridium/iridium" "--enable-unveil" "${@}"
>
> With this change I can browse the web as before. BUT: My start page is an
> HTML file in the user's home directory containing a huge collection of
> links to web sites. I use this file at home and at work, where I am
> forced to use the most popular unsafe OS. With iridium unveiled this
> page is no longer accessible; instead I get 'ERR_FILE_NOT_FOUND'.
>
> Switching back to the exec without "--enable-unveil", iridium finds
> the file again. Easily reproducible.
>
> With other browsers (e.g. FF, otter, netsurf, links+) this particular
> file is accessible. No reason not to enable unveil on iridium, in
> particular as it has just been updated (in ports).
>
Found an easy solution: While access to the user's home directory is not
permitted, access to the subfolders _is_ allowed. Simply copied that
particular file to ~/Downloads/, changed the path in iridium's settings
and we're back to familiar operations. :-)

Now: How to give permission to access my home directory?


Re: iridium-browser + unveil

Dumitru Moldovan-2
On Thu, 8 Nov 2018 09:03:51 +0100, Stefan Wollny <[hidden email]> wrote:

>
> I changed the 'exec' command in /usr/local/bin/iridium like so:
> - LANG=${_l} exec "/usr/local/iridium/iridium" "${@}"
> + LANG=${_l} exec "/usr/local/iridium/iridium" "--enable-unveil" "${@}"
>
> With this change I can browse the web as before. BUT: My start page is an
> HTML file in the user's home directory containing a huge collection of
> links to web sites. I use this file at home and at work, where I am
> forced to use the most popular unsafe OS. With iridium unveiled this
> page is no longer accessible; instead I get 'ERR_FILE_NOT_FOUND'.

With unveil enabled, your browser can only download files to your ~/Downloads sub-dir, and can only upload files from your ~/Uploads sub-dir.  So maybe put your HTML file in ~/Uploads and use the new location as the start page?

Disclaimer: I am not a user of Iridium or Chromium with unveil, but this is what I remember from Bob Beck's presentation on the subject at EuroBSDCon in September.  Hope I got the sub-dirs right!  Thinking about it, there should be write access to ~/.cache as well, maybe even /tmp, but these are just extra details.


Re: iridium-browser + unveil

Florian Obser-2
On Thu, Nov 08, 2018 at 10:52:11AM +0200, Dumitru Moldovan wrote:

> On Thu, 8 Nov 2018 09:03:51 +0100, Stefan Wollny <[hidden email]> wrote:
> >
> > I changed the 'exec' command in /usr/local/bin/iridium like so:
> > - LANG=${_l} exec "/usr/local/iridium/iridium" "${@}"
> > + LANG=${_l} exec "/usr/local/iridium/iridium" "--enable-unveil" "${@}"
> >
> > With this change I can browse the web as before. BUT: My start page is an
> > HTML file in the user's home directory containing a huge collection of
> > links to web sites. I use this file at home and at work, where I am
> > forced to use the most popular unsafe OS. With iridium unveiled this
> > page is no longer accessible; instead I get 'ERR_FILE_NOT_FOUND'.
>
> With unveil enabled, your browser can only download files to your ~/Downloads sub-dir, and can only upload files from your ~/Uploads sub-dir.  So maybe put your HTML file in ~/Uploads and use the new location as the start page?
>
> Disclaimer: I am not a user of Iridium or Chromium with unveil, but this is what I remember from Bob Beck's presentation on the subject at EuroBSDCon in September.  Hope I got the sub-dirs right!  Thinking about it, there should be write access to ~/.cache as well, maybe even /tmp, but these are just extra details.
>

It's only ~/Downloads

--
I'm not entirely sure you are real.


Re: iridium-browser + unveil

Florian Obser-2
On Thu, Nov 08, 2018 at 09:45:38AM +0100, Stefan Wollny wrote:

> On 08.11.18 at 09:03, Stefan Wollny wrote:
> > Hi there,
> >
> > just a little nit with the iridium-browser unveiled:
> >
> > I changed the 'exec' command in /usr/local/bin/iridium like so:
> > - LANG=${_l} exec "/usr/local/iridium/iridium" "${@}"
> > + LANG=${_l} exec "/usr/local/iridium/iridium" "--enable-unveil" "${@}"
> >
> > With this change I can browse the web as before. BUT: My start page is an
> > HTML file in the user's home directory containing a huge collection of
> > links to web sites. I use this file at home and at work, where I am
> > forced to use the most popular unsafe OS. With iridium unveiled this
> > page is no longer accessible; instead I get 'ERR_FILE_NOT_FOUND'.
> >
> > Switching back to the exec without "--enable-unveil", iridium finds
> > the file again. Easily reproducible.
> >
> > With other browsers (e.g. FF, otter, netsurf, links+) this particular
> > file is accessible. No reason not to enable unveil on iridium, in
> > particular as it has just been updated (in ports).
> >
> Found an easy solution: While access to the user's home directory is not
> permitted, access to the subfolders _is_ allowed. Simply copied that
> particular file to ~/Downloads/, changed the path in iridium's settings
> and we're back to familiar operations. :-)
>
> Now: How to give permission to access my home directory?
>

I'm afraid you are missing the point. If you want it to have access to
your home directory, run it without --enable-unveil. For all intents
and purposes that's the same thing as "giving permission to ~/".

The point of unveil in chrome is that it can't exfiltrate your ssh
private key.

--
I'm not entirely sure you are real.
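An added example, not code from this thread and not Iridium's, Chromium's or OpenBSD's own code, that puts Dumitru's description of the Downloads-only set and Florian's ssh-key point side by side in one small program. path_visible() is a userland model of the prefix rule unveil(2) enforces (a simplification: no per-path permission letters, no symlink resolution), so the logic runs on any system; on OpenBSD, main() additionally applies the real unveil(2) with only $HOME/Downloads readable and opens the same paths, where the kernel answers ENOENT for anything outside that set, which is the error a browser surfaces as a "file not found" page. The file names ($HOME/start.html, $HOME/Downloads/start.html, $HOME/.ssh/id_ed25519) are constructed for the demonstration and need not exist.

```c
/*
 * Added example (not from the thread, nor Iridium/Chromium/OpenBSD code):
 * the effect of --enable-unveil in miniature. With only $HOME/Downloads
 * unveiled, a start page at $HOME/start.html and a key at
 * $HOME/.ssh/id_ed25519 are equally invisible to the process.
 *
 * path_visible() models unveil(2)'s prefix rule in userland (simplified:
 * no permission letters, no symlink resolution). On OpenBSD, main() also
 * applies the real unveil(2); hidden paths then fail with ENOENT.
 * The file names below are constructed for the demonstration.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Return 1 if path equals, or lies beneath, one of the unveiled
 * directories. Matching is on whole path components:
 * "/home/u/Downloads" covers "/home/u/Downloads/a.html" but not
 * "/home/u/Downloads2/a.html" and not "/home/u/a.html".
 */
int path_visible(const char *path, const char *const *unveiled, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(unveiled[i]);
        if (strncmp(path, unveiled[i], len) != 0)
            continue;
        if (path[len] == '\0' || path[len] == '/')
            return 1;
    }
    return 0;
}

/* errno the model predicts for open(2) of path: 0 if reachable, else ENOENT. */
int model_open_errno(const char *path, const char *const *unveiled, size_t n)
{
    return path_visible(path, unveiled, n) ? 0 : ENOENT;
}

#ifdef __OpenBSD__
/* Try the real thing after unveil(2) and report what the kernel says. */
static void try_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        printf("kernel: %-40s -> %s\n", path, strerror(errno));
        return;
    }
    printf("kernel: %-40s -> opened\n", path);
    close(fd);
}
#endif

int main(void)
{
    const char *home = getenv("HOME");
    if (home == NULL) {
        fputs("HOME not set\n", stderr);
        return 1;
    }

    char downloads[1024], start_home[1024], start_dl[1024], sshkey[1024];
    snprintf(downloads,  sizeof downloads,  "%s/Downloads", home);
    snprintf(start_dl,   sizeof start_dl,   "%s/Downloads/start.html", home);
    snprintf(start_home, sizeof start_home, "%s/start.html", home);
    snprintf(sshkey,     sizeof sshkey,     "%s/.ssh/id_ed25519", home);

    /* The set the thread settles on: only $HOME/Downloads. */
    const char *const allowed[] = { downloads };
    const char *paths[] = { start_dl, start_home, sshkey };

    for (size_t i = 0; i < 3; i++) {
        int e = model_open_errno(paths[i], allowed, 1);
        printf("model:  %-40s -> %s\n", paths[i], e ? strerror(e) : "reachable");
    }

#ifdef __OpenBSD__
    /* Real enforcement: read-only access to Downloads, then lock the set. */
    if (unveil(downloads, "r") == -1 || unveil(NULL, NULL) == -1) {
        perror("unveil");
        return 1;
    }
    for (size_t i = 0; i < 3; i++)
        try_open(paths[i]);
#endif
    return 0;
}
```

The component-boundary check in path_visible() is the detail worth keeping: a naive strncmp prefix test would let "$HOME/Downloads2/x" through, and the kernel does not make that mistake. The same rule is why Stefan's copy of the start page into ~/Downloads/ works while the original in ~ does not, and why there is no "permission for ~/" short of dropping the flag: unveiling the home directory itself would cover ~/.ssh as well.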


Re: iridium-browser + unveil

Stefan Wollny-2
On 08.11.18 at 12:47, Florian Obser wrote:
> The point of unveil in chrome is that it can't exfiltrate your ssh
> private key.

Got it!

Thank you for making things clear.