Bug #17260

Allow sharing files with OnionShare from external storage media

Added by goupille about 2 months ago. Updated about 1 month ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter: Yes
Affected tool: OnionShare

Description

Steps to reproduce:

1. plug in a USB stick with a file on it
2. right click on the said file and "Share via Onionshare"
3. Onionshare opens, click on "Start sharing"
4. after a few seconds the popup is displayed with "Permission denied"

To fix this, we should extend the AppArmor profile (config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare) to allow reading files owned by the amnesia user, from external storage media (/media/amnesia/*).


Related issues

Related to Tails - Feature #15874: Start looking at snaps/Flatpak for sandboxing (Confirmed, 08/30/2018)

History

#1 Updated by intrigeri about 2 months ago

  • Related to Feature #15874: Start looking at snaps/Flatpak for sandboxing added

#2 Updated by intrigeri about 2 months ago

I don't know if it is expected that Onionshare can't share files from external medium,

This behavior is indeed a direct consequence of the AppArmor profile we are using for OnionShare.

I can't recall if we confined OnionShare with AppArmor with security in mind, or merely as a way to have Onion Grater identify grant OnionShare processes extra privileges. @anonym, do you remember? What do you think?

If the latter, then it's totally fine to extend the AppArmor profile to allow reading from external storage media.

but if it was, then it should not be possible to go that far in the process and it should be documented.

Wrt. "it should not be possible to go that far in the process": I agree in principle. Unfortunately, the tools we use for this sort of thing don't allow us to implement this. Something like Flatpak would solve the problem.

Wrt. "it should be documented": I'll let sajolida decide whether documentation can realistically be expected to improve UX on this front, iff. it turns out that we should not allow OnionShare to read files from external storage media.

#3 Updated by anonym about 2 months ago

intrigeri wrote:

I can't recall if we confined OnionShare with AppArmor with security in mind, or merely as a way to have Onion Grater identify grant OnionShare processes extra privileges. anonym, do you remember? What do you think?

The motivation was indeed just to make it work at all with Onion Grater, but when it was written it was arguably done so with security in mind, and one such decision was to limit it to the home folder (excluding dot files). Also allowing something like /media/$USER/** seems like a fine idea, however.

#4 Updated by sajolida about 2 months ago

Wrt. "it should be documented": I'll let sajolida decide whether documentation can realistically be expected to improve UX on this front

Documenting it won't make much of a difference to users, though it might
be useful to our help desk.

We shouldn't assume that doc fixes UX issues.

For example, when doing the usability test for VeraCrypt, Participant 4,
the one who struggled so much with the Tor Browser folder permissions,
was already following the doc on unlocking a file container with “Disks”
as part of the same task. But she didn't realize that the doc could help
her as well regarding the Tor Browser folders permission problem.
It seemed like a bug rather than something that she could learn how to
do by reading the doc.

#5 Updated by intrigeri about 1 month ago

  • Type of work changed from Research to Code
  • Starter set to Yes

Next step: extend the AppArmor profile (config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare) to allow reading from external storage media.

#6 Updated by intrigeri about 1 month ago

  • Description updated (diff)
  • Assignee deleted (intrigeri)

#7 Updated by intrigeri about 1 month ago

  • Subject changed from 'permission denied' popup when trying to share a file with onionshare from an external medium to Allow sharing files with OnionShare from external storage media
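
Added example (not part of the ticket and not Tails code): a Python check that parses AppArmor DENIED audit lines and tests which of the two glob forms mentioned in this ticket, `/media/amnesia/*` and `/media/$USER/**` (with the user written out as amnesia), would cover the denied paths, with and without the `owner` qualifier. The log lines, profile name, volume label, file names and uids are constructed assumptions, and only the `**`, `*` and `?` globs are modelled.

```python
import re

# Constructed kernel audit lines. The profile name, volume label, file names
# and uids are assumptions for illustration, not values from this ticket.
_PREFIX = 'audit: type=1400 audit(1570000000.1:31): apparmor="DENIED" operation="open" profile="/usr/bin/onionshare-gui" '
_SUFFIX = ' pid=4242 comm="onionshare-gui" requested_mask="r" denied_mask="r" fsuid=1000 '
SAMPLE_LOG = "\n".join([
    _PREFIX + 'name="/media/amnesia/USBSTICK/report.pdf"' + _SUFFIX + "ouid=1000",
    _PREFIX + 'name="/media/amnesia/USBSTICK/docs/notes.txt"' + _SUFFIX + "ouid=1000",
    _PREFIX + 'name="/media/amnesia/USBSTICK/root-owned.img"' + _SUFFIX + "ouid=0",
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # AppArmor: only ** crosses "/"


def parse_denials(log, profile_substr="onionshare"):
    """Return the key=value fields of each AppArmor DENIED line for the profile."""
    denials = []
    for line in log.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and profile_substr in fields.get("profile", ""):
            denials.append(fields)
    return denials


def glob_to_regex(glob):
    """Translate **, * and ? of an AppArmor path glob ({} and [] not handled)."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOB.get(p, re.escape(p)) for p in parts))


def rule_allows(owner_only, glob, denial):
    """Model a read rule; 'owner' applies only when process fsuid == file ouid."""
    if owner_only and denial["fsuid"] != denial["ouid"]:
        return False
    return glob_to_regex(glob).fullmatch(denial["name"]) is not None


def covered_paths(owner_only, glob, denials):
    """List the denied paths that the modelled rule would have allowed."""
    return [d["name"] for d in denials if rule_allows(owner_only, glob, d)]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for owner_only, glob in [(True, "/media/amnesia/*"), (True, "/media/amnesia/**"),
                             (False, "/media/amnesia/**")]:
        rule = ("owner " if owner_only else "") + glob + " r,"
        print(f"{rule:32} covers {covered_paths(owner_only, glob, denials)}")
```

On the constructed input, the single-`*` form covers none of the denied paths because files on a mounted volume sit one directory below `/media/amnesia/`, while the `owner` form with `**` covers the two files owned by the user and leaves the root-owned one denied.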
