Keyring isn't suid on nixos

Hey @SebTM, I apologize for our delayed response here. We greatly appreciate all the details you've provided. I'll pass this along to the relevant team 👍

Ali

@tobiasvd Thanks for the great feedback, I appreciate it :)

AliH1P @Savanni Ping still relevant!

Just wanted to express my gratitude for 1Password being available on NixOS, with browser support, which I did not expect at all tbh. You guys are awesome :)

For people new to NixOS like me arriving at this topic:

Install 1password as a system package using https://search.nixos.org/options?channel=22.11&show=programs._1password-gui.enable&from=0&size=50&sort=relevance&type=packages&query=1password. One can set the package to the beta version if desired (just add '-beta'). With just that, browser support already works (I did a reboot, not sure if that's required).

Keep up the great work!

Ping?

small reminder ;)

Hey @Savanni,

did you have time to look into ( https://1password.community/discussion/comment/635755/#Comment_635755 ) again/forward the request as suggestion/feature request? :)

Best Wishes

Hey @Savanni,

did you have time to look into (https://1password.community/discussion/comment/635755/#Comment_635755) again/forward the request to the PO/Devs as suggestion/feature request? :)

Best Wishes

A followup after random finding: Something GUI/pinentry-based like would be very nice ;) - https://github.com/StanfordSNR/guardian-agent

Hey @Savanni, I'm pleased to help :)

Something to add up:

I'm currently trying to re-automate my backup-workflow (Vorta => Borg), to be not disrupted for every backup (currently hourly). I got it working to use "polkit.lookup" to get the "polkit.message" but somehow it's an issue to work with the (string?) result (of action.lookup) non of the documented javascript-functions is working:


polkit.log(action.lookup("polkit.message").indexOf("python"));
polkit.log(action.lookup("polkit.message").includes("python"));
polkit.log(action.lookup("polkit.message").search(/python/));
polkit.log((/python/.test(action.lookup("polkit.message")));


Polkit seems to segfault (with each of this approaches - single tested):

polkit.service: Main process exited, code=dumped, status=11/SEGV
polkit.service: Failed with result 'core-dump'.


https://gist.github.com/grawity/3886114?permalink_comment_id=4125345#gistcomment-4125345
https://wiki.archlinux.org/title/Polkit
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

It would be very helpful and appreciated if you could add an additional parameter "program" (like shown in the polkit-docs - freedesktop-link above) so the user can easily decide in a rule if he want's to e.g. generally permit the key access.

Currently I can match against the whole text which is kind of ugly:

polkit.addRule(function(action, subject) {
if (
action.id == "com.1password.1Password.authorizeSshAgent"
&& action.lookup("polkit.message") == "1Password is trying to allow \“Vorta\” to use the key \“Backup SSH-Key\” for SSH"
&& subject.isInGroup("auto-backup")
) {
polkit.log("Sucess Rule: \"Backup XXX\"");
return polkit.Result.YES;
}
});

and in case of the timed (automated) backup will break after each python-upgrade:

1Password is trying to allow “/nix/store/9px00aaqzb6n5p03i9wd8rx3msg95y9r-python3-3.9.11/bin/python3.9” to use the key “Personal SSH-Key” for SSH

(Would be cool if this/another value could be stripped from the path)

Best Wishes :v:

• Post edited by staff to remove possible sensitive information.

Wow, @SebTM thank you for this writeup! There's a lot in here for me to absorb and digest.