Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor bitwarden as electron redirect #4332

Merged
merged 2 commits into from
Jun 28, 2021
Merged

Refactor bitwarden as electron redirect #4332

merged 2 commits into from
Jun 28, 2021

Conversation

rusty-snake
Copy link
Collaborator

See #4294.

@glitsj16 @iandstanley can you say something about the ignore block.

ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore disable-mnt
ignore dbus-user none
ignore dbus-system none

@glitsj16
Copy link
Collaborator

glitsj16 commented Jun 4, 2021

@rusty-snake I haven't used the desktop app in a long time and don't have it installed anymore. But I downloaded the AppImage (version 1.26.5) to test this refactored profile. Here are my observations of running it for a while and testing functionality.

(1) I cannot reproduce #4294. The app works fine here with the existing bitwarden.profile, vault syncing included. I've confirmed this with both network no/yes in firejail.config. Whether that's due to having version 1.26.5 while the OP references 1.24.6 is not something I can judge. Upstream just mentions 'Bug Fixes' on their release page.

Latest Bitwarden .DEB downloaded from Bitwarden's own website Bitwarden-1.24.6-amd64.deb

Could be a typo, but in any case 1.24.6 was released on Jan 26 and there have been updates since then.

Regarding the ignore block:

include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
disable-mnt
dbus-user none
dbus-system none

These can be used, I couldn't detect anything breaking. That includes tray functionality.

Additionally I could use private-dev with the AppImage as well, so the conditional
#?HAS_APPIMAGE: ignore private-dev
doesn't seem needed...

One other thing I noticed is that the current bitwarden.profile has
caps.drop all
while electron.profile uses
caps.keep sys_admin,sys_chroot
For me, again, using the AppImage, it works fine with caps.drop all...

Hopefully @iandstanley can clear up some of all this.

@rusty-snake
Copy link
Collaborator Author

Thanks. Here are some notes on that

  1. This PR does not try to fix the network issue from Firejail broke latest Bitwarden by blocking network access  #4294, just the it's a elcetron program issue.
  2. Good to here that we can remove the ignore block. However if you only tested the AI I will keep to ignore wusc.
  3. Of course a AI can not contains a privileged (e.g suid) program. Therefore it work with caps.drop all (and --appimage enforces it anyway).

@iandstanley
Copy link

Hic @rusty-snake

I'm in the same position as I was forced to uninstall firejail as the debian packages broke my daily drivers (without Bitwarden I couldn't do anything).

@rusty-snake
Copy link
Collaborator Author

I'm in the same position as I was forced to uninstall firejail as the debian packages broke my daily drivers (without Bitwarden I couldn't do anything).

😕 Why uninstalling firejail if one program fails? Why not just use bitwarden w/o firejail and keep it for everything else?

@iandstanley
Copy link

I'm in the same position as I was forced to uninstall firejail as the debian packages broke my daily drivers (without Bitwarden I couldn't do anything).

Why uninstalling firejail if one program fails? Why not just use bitwarden w/o firejail and keep it for everything else?

Just way to busy to spend extensive time debugging. as it stopped me dead in my tracks.

The combination of bitwarden app breaking and firefox not allowing me to use fido2 second factors meant I had no access to any of my passwords and couldn't log into virtually every online account I have.

I'd already lost a couple of days trying to debug what was going on and deadlines were looming.

Normally I would persevere through issues to fix them (like the issue I had trying to use a GPG key in Yubikey on a second machine - after nearly a month I managed to debug the issue down to an issue with pinentry and /dev/pts/? permissions )
But this one hitting all access to my passwords reduced productivity to 0% which can only last so long before the world starts shouting.

Once the pressure is off again I will come back to it ... it's a great technology

@rusty-snake rusty-snake marked this pull request as ready for review June 8, 2021 10:50
@netblue30
Copy link
Owner

@rusty-snake: is it done? are you merging? I'm asking because I have a release coming in a few days!

@rusty-snake
Copy link
Collaborator Author

Yes, the current state can be merged. Enabled wusc can be done later, there are more electron redirects with a bigger "Disabled until someone reported positive feedback" block.

@netblue30 netblue30 merged commit a3397a7 into netblue30:master Jun 28, 2021
@netblue30
Copy link
Owner

cool!

@rusty-snake rusty-snake deleted the bitwarden-electron branch June 28, 2021 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@rusty-snake @glitsj16 @iandstanley @netblue30