Supported browsers on NixOS incorrectly identified.

Hi,

I'm working on packaging this to work on NixOS, but browser support detection in its current state will refuse all browsers even if the versions are supported due to the locations that all packages are installed to.

The install location for a package is uniquely identified by a hash which depends on the inputs to building the package, so if any of them change the hash will as well.

For example, here's a log from ~/.config/1Password/logs/BrowserSupport/1Password_rCURRENT.log

INFO  2021-04-11T17:55:27.221 main [1P:native-messaging/op-browser-support/src/main.rs:47] Starting 1Password-BrowserSupport
INFO  2021-04-11T17:55:27.221 main [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:24] Verifying browser "/nix/store/k824kf5qab222vq3fg4011608afia4qg-firefox-release-bin-unwrapped-87.0/usr/lib/firefox-bin-87.0/firefox-bin"
ERROR 2021-04-11T17:55:27.308 main [1P:native-messaging/op-browser-support/src/main.rs:52] UnknownBrowser(/nix/store/k824kf5qab222vq3fg4011608afia4qg-firefox-release-bin-unwrapped-87.0/usr/lib/firefox-bin-87.0/firefox-bin)
    Happened in: native-messaging/op-browser-support/src/browser_verification/linux.rs:60
    Additional error context: /nix/store/k824kf5qab222vq3fg4011608afia4qg-firefox-release-bin-unwrapped-87.0/usr/lib/firefox-bin-87.0/firefox-bin isn't a supported browser

This is essentially the same issue that these other users are experiencing, but hard coding the path to be marked as supported won't last very long.


1Password Version: 8.0.32
Extension Version: 1.25.2
OS Version: NixOS
Sync Type: Not Provided

Comments

  • nickmcguire

    Team Member

    Heya @jpas 👋🏼

    Thanks for reaching out! With this feature we have a number of checks and precautions about supported browsers, so we have kept our list contained to that of the ones we know/have been asked for (and been able to verify).

    You are correct though that this system won't work for something like this and with a coming release we're adding a system to allow you to specify which browsers should be supported. This will still of course be a bit of a pain given that the hash of the browser will change with every release, but you will be able to make this feature work for you without requiring us to release new updates.

    I'd love to hear how this works out for you when this feature is released.

  • Savanni

    Team Member

    Hi, @jpas! Great to hear from a NixOS user! I've been using NixOS on my personal machine for several years now, and I'm in contact with the 1Password derivation maintainers.

    We actually only check the final filename of the browser, not the full path, so, the path to the nix store will hopefully not cause problems. You're just waiting for us to give you the user-configurable browser list.

    More than that, though, one of our support programs must have suid permission. I haven't finished writing the FAQ about that yet, but the bottom line is that I don't yet know how to write a derivation that allows suid apps. There's research I need to do, but I think that the only applications I've seen that include suid are written as modules that can be included in /etc/nixos/configuration.nix.

    Of course, the other NixOS experts are going to figure that out faster than I can.

  • Thanks for the detailed replies @nickmcguire and @Savanni! Yes, a user configurable list would definitely alleviate these problems, I'll keep my eye out for it in the release notes.

    Making a program SUID on NixOS should be as "easy" as adding it to security.wrappers in /etc/nixos/configuration.nix. But as far as I am aware, there is no way to bake the SUID permissions directly into a derivation. Might there be a way to rely on PAM or dbus instead for the features that are required? Relying on SUID may also be an issue if someone tries to just use the program through an AppImage they downloaded.

    I'd love to know more about the various system features required/used for a fully featured installation of 1Password on Linux. I noticed some of the features listed in the options rely on X11, but should likely also be supported on Wayland compositors. Such as locking when idle and clearing the clipboard.

    I look forward to seeing the FAQ @Savanni!
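
The `security.wrappers` approach mentioned in the comment above, as an added example that is not part of the thread or of 1Password's own packaging. The wrapper name and the helper path are placeholders, since the thread does not name the SUID program.

```nix
# /etc/nixos/configuration.nix (fragment)
{ ... }:

let
  # Placeholder: absolute path of the helper binary that needs SUID.
  # The thread does not give its name or location.
  helper = "/path/to/1password/suid-helper";
in
{
  # Files in /nix/store cannot carry the setuid bit, so a derivation
  # alone cannot ship a SUID program. NixOS instead creates a small
  # setuid wrapper at system activation time and places it under
  # /run/wrappers/bin/<name>; the store copy stays unprivileged.
  security.wrappers."suid-helper-placeholder" = {
    source = helper;   # program the wrapper executes
    owner = "root";    # owner of the wrapper file
    group = "root";
    setuid = true;     # run with the owner's (root's) effective UID
  };
}
```

The privileged entry point is then `/run/wrappers/bin/suid-helper-placeholder`, so the calling program has to invoke that path rather than the copy in the Nix store.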

  • Savanni

    Team Member

    Now I really need to write that FAQ.

    We have the suid executable because it stores encryption keys for the communication channel between desktop and browser in the root kernel keyring. It was the only place we could find to safely store such keys on a system not running SELinux in a very strict mode. Some of our security researchers did a lot to work on this, because part of the threat model we're protecting against is malicious programs running as the same user who is running 1Password.

    I'll look into the security.wrappers documentation and see if I can get it to work. :) Thanks for telling me about that, because you may have short-circuited a few nights of research. Even after several years of running NixOS, I'm not so great at writing Nix derivations.
