www/iridium README about unveil


Solene Rapenne
Hi

I'm proposing a pkg/README file for iridium and chromium about unveil.
The following is the iridium README, chromium being the same with
s/iridium/chromium

$OpenBSD: README,v 1.2 2018/09/04 12:46:25 espie Exp $

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

Unveil
=================
Iridium has been patched to use pledge and unveil.
So, iridium can only display paths allowed in /etc/iridium/, this
includes the following paths:

        ~/Documents ~/Downloads ~/Music
        ~/Pictures ~/Videos /tmp

If you need to upload a file, you need to make the file available in one of
those folders.

When iridium file browser is showing up, it may be displaying an unauthorized
folder which will appear empty, which mean it is not possible to browse to some
other location. One can use the keyboard shortcut Ctrl+L and type a path in the
upper address bar to reach a whitelisted path.

Unveil can be disabled with the parameter --disable-unveil

Re: www/iridium README about unveil

Karel Gardas

Just iridium user here.

On Tue, 12 Feb 2019 07:02:31 +0100
Solene Rapenne <[hidden email]> wrote:

> So, iridium can only display paths allowed in /etc/iridium/, this

This "allowed in /etc/iridium/" is quite confusing. Shouldn't this be "allowed in /etc/iridium/unveil.main unveil definition file for the main Iridium process" or something like that?

> includes the following paths:
>
> ~/Documents ~/Downloads ~/Music
> ~/Pictures ~/Videos /tmp
>
> If you need to upload a file, you need to make the file available in one of
> those folders.
>
> When iridium file browser is showing up, it may be displaying an unauthorized
> folder which will appear empty, which mean it is not possible to browse to some
> other location. One can use the keyboard shortcut Ctrl+L and type a path in the
> upper address bar to reach a whitelisted path.
>
> Unveil can be disabled with the parameter --disable-unveil

", but we highly discourage this practice" -- or something like that may be added here IMHO.

Thanks!
Karel

Re: www/iridium README about unveil

Solene Rapenne
On Tue, Feb 12, 2019 at 10:23:53AM +0100, Karel Gardas wrote:

>
> Just iridium user here.
>
> On Tue, 12 Feb 2019 07:02:31 +0100
> Solene Rapenne <[hidden email]> wrote:
>
> > So, iridium can only display paths allowed in /etc/iridium/, this
>
> This "allowed in /etc/iridium/" is quite confusing. Shouldn't this be "allowed in /etc/iridium/unveil.main unveil definition file for the main Iridium process" or something like that?
>
>
> ", but we highly discourage this practice" -- or something like that may be added here IMHO.
>
> Thanks!
> Karel

thanks for feedback. I'm unsure about wording, I reworked it a bit from
your suggestions.


Index: pkg/README
===================================================================
RCS file: pkg/README
diff -N pkg/README
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pkg/README 12 Feb 2019 18:13:05 -0000
@@ -0,0 +1,27 @@
+$OpenBSD: README-main,v 1.2 2018/09/04 12:46:25 espie Exp $
+
++-----------------------------------------------------------------------
+| Running ${PKGSTEM} on OpenBSD
++-----------------------------------------------------------------------
+
+Unveil
+=================
+Iridium has been patched to use pledge and unveil, so it can only
+display paths allowed in /etc/iridium/unveil.main, this includes
+the following paths:
+
+ ~/Documents ~/Downloads ~/Music
+ ~/Pictures ~/Videos /tmp
+
+If you need to upload a file, you need to make the file available
+in one of those folders.
+
+When iridium file browser is showing up, it may be displaying an
+unauthorized folder which will appear empty, which mean it is not
+possible to browse to some other location. One can use the keyboard
+shortcut Ctrl+L and type a path in the upper address bar to reach a
+whitelisted path.
+
+If you want your browser to be able to walk through your filesystem,
+which is discouraged, unveil can be disabled at runtime by using the
+parameter --disable-unveil
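
Review bot: The first added line carries an already expanded RCS keyword, "$OpenBSD: README-main,v 1.2 2018/09/04 12:46:25 espie Exp $", although the diff is against /dev/null and creates pkg/README as a new file. That string names a different file, revision and committer; a new file should start with the bare "$OpenBSD$" keyword so that CVS fills it in at commit time.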

Re: www/iridium and www/chromium README about unveil

Solene Rapenne
> thanks for feedback. I'm unsure about wording, I reworked it a bit from
> your suggestions.
>
>
> Index: pkg/README
> ===================================================================
> RCS file: pkg/README
> diff -N pkg/README
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ pkg/README 12 Feb 2019 18:13:05 -0000
> @@ -0,0 +1,27 @@
> +$OpenBSD: README-main,v 1.2 2018/09/04 12:46:25 espie Exp $
> +
> ++-----------------------------------------------------------------------
> +| Running ${PKGSTEM} on OpenBSD
> ++-----------------------------------------------------------------------
> +
> +Unveil
> +=================
> +Iridium has been patched to use pledge and unveil, so it can only
> +display paths allowed in /etc/iridium/unveil.main, this includes
> +the following paths:
> +
> + ~/Documents ~/Downloads ~/Music
> + ~/Pictures ~/Videos /tmp
> +
> +If you need to upload a file, you need to make the file available
> +in one of those folders.
> +
> +When iridium file browser is showing up, it may be displaying an
> +unauthorized folder which will appear empty, which mean it is not
> +possible to browse to some other location. One can use the keyboard
> +shortcut Ctrl+L and type a path in the upper address bar to reach a
> +whitelisted path.
> +
> +If you want your browser to be able to walk through your filesystem,
> +which is discouraged, unveil can be disabled at runtime by using the
> +parameter --disable-unveil
>
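
Review bot: In the file-browser paragraph, "which will appear empty, which mean it is not possible" stacks two "which" clauses and needs "means", so the reader cannot tell whether the empty view is the restriction itself or a side effect of it. Suggest splitting the sentence, for example "it may open in a folder that is not unveiled; that folder appears empty and cannot be browsed", and ending the last paragraph with a full stop after --disable-unveil.
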

up

Re: www/iridium and www/chromium README about unveil

Mihai Popescu-3
There is another issue here. I'm not sure if it is because of me or if all
are experiencing it.

Each run after install, chromium is not able to cd into the designed
~/Downloads/
It looks like I am thrown into ~ and I can't move from there because
of that error message.
A good setup for this is to run chrome --disable-unveil and set up the
download directory, then run it normally with unveil and be able to
use it.

Also a big confusion with iridium is when the downloaded files are not
accessible / are deleted / are not shown because of some potential
danger to your computer. Seriously, Internet Explorer style? Didn't
bother to investigate this, I don't run iridium anymore. It looks to
me like chromium with some check marks disabled in settings.

Re: www/iridium and www/chromium README about unveil

Antoine Jacoutot-7
On Mon, Feb 25, 2019 at 02:35:04PM +0100, Solene Rapenne wrote:

> > thanks for feedback. I'm unsure about wording, I reworked it a bit from
> > your suggestions.
> >
> >
> > Index: pkg/README
> > ===================================================================
> > RCS file: pkg/README
> > diff -N pkg/README
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ pkg/README 12 Feb 2019 18:13:05 -0000
> > @@ -0,0 +1,27 @@
> > +$OpenBSD: README-main,v 1.2 2018/09/04 12:46:25 espie Exp $
> > +
> > ++-----------------------------------------------------------------------
> > +| Running ${PKGSTEM} on OpenBSD
> > ++-----------------------------------------------------------------------
> > +
> > +Unveil
> > +=================
> > +Iridium has been patched to use pledge and unveil, so it can only
> > +display paths allowed in /etc/iridium/unveil.main, this includes
> > +the following paths:
> > +
> > + ~/Documents ~/Downloads ~/Music
> > + ~/Pictures ~/Videos /tmp
> > +
> > +If you need to upload a file, you need to make the file available
> > +in one of those folders.
> > +
> > +When iridium file browser is showing up, it may be displaying an
> > +unauthorized folder which will appear empty, which mean it is not
> > +possible to browse to some other location. One can use the keyboard
> > +shortcut Ctrl+L and type a path in the upper address bar to reach a
> > +whitelisted path.
> > +
> > +If you want your browser to be able to walk through your filesystem,
> > +which is discouraged, unveil can be disabled at runtime by using the
> > +parameter --disable-unveil
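
Review bot: The path list in the first paragraph (~/Documents through /tmp) restates what the text says is configured in /etc/iridium/unveil.main, so the README becomes wrong as soon as that file changes. Suggest saying that unveil.main is the authoritative list and presenting these paths as its defaults; the hard-coded "iridium" in that path and in the body has the same problem, given that the header line already uses ${PKGSTEM}.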

I think the allowed paths should be synced with chromium first.

--
Antoine

Re: www/iridium and www/chromium README about unveil

Theo de Raadt-2
>There is another issue here. I'm not sure if it is because me or all
>are experiencing it.
>
>Each run after install, chromium is not able to cd into the designed
>~/Downloads/
>It looks like I am thrown into ~ and I can't move from there because
>of that error message.
>A good setup for this is run chrome --disable-unveil and set up the
>download directory, then run it normally with unveil and be able to
>use it.
>
>Also a big confusion with iridium is when the downloaded files are not
>accessible / are deleted / are not shown because of some potential
>danger to your computer. Seriously, Internet Explorer style? Didn't
>bother to investigate this, I don't run iridium anymore. It looks to
>me like chromium with some check marks disabled in settings.

please try a very recent set of packages.  robert has been working
on resolving that mess.

Re: www/iridium and www/chromium README about unveil

Stuart Henderson
On 2019/02/25 14:28, Theo de Raadt wrote:

> >There is another issue here. I'm not sure if it is because me or all
> >are experiencing it.
> >
> >Each run after install, chromium is not able to cd into the designed
> >~/Downloads/
> >It looks like I am thrown into ~ and I can't move from there because
> >of that error message.
> >A good setup for this is run chrome --disable-unveil and set up the
> >download directory, then run it normally with unveil and be able to
> >use it.
> >
> >Also a big confusion with iridium is when the downloaded files are not
> >accessible / are deleted / are not shown because of some potential
> >danger to your computer. Seriously, Internet Explorer style? Didn't
> >bother to investigate this, I don't run iridium anymore. It looks to
> >me like chromium with some check marks disabled in settings.
>
> please try a very recent set of packages.  robert has been working
> on resolving that mess.
>

Current status for chromium 72.0.3626.109p0 or newer: you can get to
~/Downloads via buttons (as long as it's a directory not a symlink),
and you can get to /tmp if you type in the path.

This isn't ported to iridium yet.
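
A pre-flight check for the situation discussed above, as an added example that is not part of the original thread or of the port: it reports which of the directories named in the README exist as real directories and which are symlinks or missing. The directory names come from the README; applying the "directory not a symlink" condition to every listed path, and the function names, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the iridium/chromium ports.
# Directory names are the ones listed in the README in this thread.
UNVEIL_DIRS="Documents Downloads Music Pictures Videos"

# classify_path PATH -> prints: ok | symlink | missing | not-a-directory
# The symlink test comes first so that a dangling symlink is reported
# as a symlink rather than as missing.
classify_path() {
	if [ -L "$1" ]; then
		echo symlink
	elif [ ! -e "$1" ]; then
		echo missing
	elif [ -d "$1" ]; then
		echo ok
	else
		echo not-a-directory
	fi
}

# check_unveil_dirs HOME_DIR [TMP_DIR]
# Prints one "status path" line per path and returns 0 only when every
# path is a real directory. TMP_DIR defaults to /tmp (the README's value).
check_unveil_dirs() {
	home=$1
	tmp=${2:-/tmp}
	rc=0
	for d in $UNVEIL_DIRS; do
		st=$(classify_path "$home/$d")
		echo "$st $home/$d"
		[ "$st" = ok ] || rc=1
	done
	st=$(classify_path "$tmp")
	echo "$st $tmp"
	[ "$st" = ok ] || rc=1
	return $rc
}
```

Source the file and run `check_unveil_dirs "$HOME"`; any line not starting with "ok" names a path worth fixing before reaching for --disable-unveil.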

Re: www/iridium and www/chromium README about unveil

岡本健二
The -current chromium (updated yesterday) produces the error as:
ci5hp2$
[95250:-478283696:0227/100638.919493:ERROR:process_metrics_openbsd.cc(126)] Not implemented reached in bool base::GetSystemMemoryInfo(base::SystemMemoryInfoKB *)
[95250:-478283696:0227/100638.921060:ERROR:process_posix.cc(388)] Not implemented reached in base::Time base::Process::CreationTime() const
Gkr-Message: 10:06:42.180: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files

After this error, if I remove all the files under .config/chromium, I can
restart chromium.

I don't know if it is also related or not, but Gnucash also has a problem
where it cannot remember the previous status of window size, position,
what items are opened, etc.

Kenji



On Tue, Feb 26, 2019 at 6:43, Stuart Henderson <[hidden email]> wrote:

> On 2019/02/25 14:28, Theo de Raadt wrote:
> > >There is another issue here. I'm not sure if it is because me or all
> > >are experiencing it.
> > >
> > >Each run after install, chromium is not able to cd into the designed
> > >~/Downloads/
> > >It looks like I am thrown into ~ and I can't move from there because
> > >of that error message.
> > >A good setup for this is run chrome --disable-unveil and set up the
> > >download directory, then run it normally with unveil and be able to
> > >use it.
> > >
> > >Also a big confusion with iridium is when the downloaded files are not
> > >accessible / are deleted / are not shown because of some potential
> > >danger to your computer. Seriously, Internet Explorer style? Didn't
> > >bother to investigate this, I don't run iridium anymore. It looks to
> > >me like chromium with some check marks disabled in settings.
> >
> > please try a very recent set of packages.  robert has been working
> > on resolving that mess.
> >
>
> Current status for chromium 72.0.3626.109p0 or newer: you can get to
> ~/Downloads via buttons (as long as it's a directory not a symlink),
> and you can get to /tmp if you type in the path.
>
> This isn't ported to iridium yet.
>
>