Use 1Password 4 with sandbox-exec
In v3.8 I run 1Password using 'sandbox-exec' to prevent 1Password from making any kind of network access. Yes, I know that doing so disables many of the cool features that 1Password has in it (cloud, dropbox, etc.) ... but it does still work for my limited needs and gives me the peace of mind I require in a Password Manager product. The ability to use 1Password completely firewalled is what made me willing to use the solution (i.e., because I know my vault is going nowhere unless I lose physical control of my computer).
Recently I attempted to upgrade to v4. I found that I was no longer able to employ my solution of firewalling 1Password from all network access. The reason, I think, was that on startup 1Password insists on working with the "mini" thing ... and when it couldn't it shut itself down.
I understand that probably 80%+ of your customers want all of the cloud-integrated and browser-integrated convenience features that you are working hard at adding to 1Password. That is great. However, I just wanted to try to make a case for keeping options open so that I can continue to use 1Password as a truly stand-alone vault (i.e., firewalled from all network access and not integrated with any browser). Please consider not implementing new features in such a way that I can no longer use 1Password in my particularly paranoid way.
As it is right now, I am unwilling to upgrade to v4 because of the new limitations (which were introduced by new features) which require that 1Password must be allowed network access on startup.
Comments
-
Hi, @aheusser.
It appears at least part of the trouble you're having using sandbox-exec to run 1Password 4 is that it's blocking localhost access necessary for communication with the 1Password helper (mini) process. Yet neither the main 1P4 app nor its helper should require any external network connectivity to function properly. And 1P4 web browser extension installation/usage is totally optional.
While this article only mentions extensions it's essentially the same with the helper process:
Although these appear as network connections, they are limited to your local machine. These connections are encrypted and authenticated, so they cannot be used to deliver information to any other processes beyond the extensions and the 1Password application.
Please let me know if you have questions or concerns about this so I can make sure they're addressed. Thank you!
0
-
Good point. I probably configured sandbox-exec to block all network access (as opposed to only external access) ... because it was marginally simpler to do so. I will double-check on that. And yes, you are right that simply blocking external access only should still satisfy my requirements.
The other path I was proposing was to structure it so that the main app doesn't require mini in order to just give me access to my vault. I understand that if mini is not running / available that there may be a bunch of features that would have to be disabled. But the one feature I need (to be able to see/edit the entries in my vault) would, I suspect, at least be possible.
Thank you for the response.
0
-
Thanks for the followup, @aheusser.
About the "other path" you were proposing, here's a simple explanation from @MikeT of why it's really not feasible:
Basically, 1Password mini is the master. You can't have the main 1Password app running without the mini, that's why it behaves the way it does.
1P4 is designed so mini can run and be used independently of the main app and browser extensions. The main app relies on mini, not the inverse. :)
0
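The thread above settles on the fix: keep the sandbox-exec deny-all rule for the network, but re-allow loopback traffic so the main 1Password 4 app can reach its mini helper. The script below is an added illustration, not code from the thread or from AgileBits. It shows the deny-everything profile the original poster most likely used (an assumption) next to a localhost-only profile written in Apple's sandbox profile language, and a helper that writes the profile to a file and launches a binary under it. The executable path in the usage comment is a placeholder, and the exact set of local sockets 1P4 needs is assumed, not taken from the product.

```shell
#!/bin/sh
# Added example: sandbox-exec profiles for running a password manager with no
# external network access while still permitting loopback traffic to a local
# helper process. Nothing here is 1Password's own code or configuration.

# Assumed starting point: every network operation denied. Under this profile the
# app cannot open its localhost connection to the helper and shuts down on start.
deny_all_profile() {
    cat <<'EOF'
(version 1)
(allow default)
(deny network*)
EOF
}

# Corrected profile: the global deny stays, then only loopback addresses and
# outbound local Unix-domain sockets are re-allowed. Connections to any
# non-loopback address are still refused by the kernel, so the vault cannot
# be shipped off the machine by the sandboxed process.
# The unix-socket rule is an assumption about what local IPC the app may need.
localhost_only_profile() {
    cat <<'EOF'
(version 1)
(allow default)
(deny network*)
(allow network* (local ip "localhost:*"))
(allow network* (remote ip "localhost:*"))
(allow network* (remote unix-socket))
EOF
}

# Small lint used before launching: refuse a profile that re-allows arbitrary
# remote hosts, which would silently undo the firewalling.
profile_is_localhost_only() {
    ! grep -q 'remote ip "\*:\*"' "$1"
}

# Write the localhost-only profile to $1 and run the remaining arguments
# under it. macOS only; sandbox-exec is deprecated by Apple but still shipped.
run_sandboxed() {
    profile_file="$1"
    shift
    localhost_only_profile > "$profile_file"
    profile_is_localhost_only "$profile_file" || {
        echo "profile re-allows external hosts, refusing to launch" >&2
        return 1
    }
    sandbox-exec -f "$profile_file" "$@"
}

# Usage (placeholder path, adjust to your install):
#   run_sandboxed /tmp/localhost-only.sb "/Applications/1Password 4.app/Contents/MacOS/1Password"
```

Two caveats a practitioner should check. First, sandbox-exec restrictions are inherited only by processes the sandboxed binary spawns itself; if the helper is started separately by launchd or Launch Services, it runs outside this profile and needs its own. Second, verify the result from outside the sandbox rather than trusting the profile text: with the app running, `lsof -i -a -p <pid>` should list only 127.0.0.1 or ::1 endpoints, and any attempted connection elsewhere will show up as a sandbox denial in the system log.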