README: Instructions for OpenBSD's unveil(2)

Credits go to @pinecat (#67)
Thomas Vogt 2024-04-27 20:19:32 +02:00 committed by GitHub
parent bfabb222dd
commit 5891558bea
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -32,8 +32,15 @@ curl -sSL github.com/passff/passff-host/releases/latest/download/install_host_ap
Users of other supported browsers need to replace the last argument (`firefox`) by `librewolf`, `chrome`, `opera`, `chromium` or `vivaldi`.
The script will download the host application (a small python script) and the add-on's manifest file (a JSON config file) and put them in the right place.
If you're concerned about executing a script that downloads files from the web, you can download the files yourself and run the script with the `--local` option instead or link the files yourself. Details below.
For **OpenBSD** users (cf. [issue #67](https://github.com/passff/passff-host/issues/67)), note that Firefox is patched with the [unveil(2)](https://man.openbsd.org/unveil.2) system call to restrict access to the filesystem, in order to make Firefox more secure. Therefore, Firefox on OpenBSD can only execute files for which execution is explicitly permitted in a local configuration file. To allow execution of the PassFF host script, add the following line to the file `/etc/firefox/unveil.main` on your OpenBSD system:
```
~/.mozilla/native-messaging-hosts rx
```
Please keep in mind that this does still lessen the security provided by the default OpenBSD settings. Make the change at your own risk!
#### Windows
Download the `install_host_app.bat` script from [our releases page](https://github.com/passff/passff-host/releases) and execute it from within a shell with a correct PATH, mentioning your browser in the last argument (i.e., replace `firefox` by `librewolf`, `chrome`, `opera`, `chromium` or `vivaldi` if necessary).
*The rule of thumb is: if you can execute pass and python from your shell, then your host application will be installed correctly.*
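Review bot: In the new OpenBSD paragraph, the suggested entry `~/.mozilla/native-messaging-hosts rx` grants read and execute on the whole directory, so every native messaging host placed there becomes executable by Firefox, not only the PassFF script. If `unveil.main` accepts a path to a single file, consider unveiling just the PassFF host script; otherwise say explicitly that the entry covers the entire directory. The closing warning ("does still lessen the security") would also be more useful if it named what is widened, namely that Firefox may now execute files under that directory. Finally, the paragraph has no heading of its own while the later hunk points readers to the "Installation" section, so a short `OpenBSD` subheading before `#### Windows` would make it easier to find.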
@ -168,6 +175,7 @@ If your browser is confined by a security module such as AppArmor, then its poli
$ grep passff /var/log/syslog
Apr 22 19:55:24 <HOST> kernel: [70746.170024] audit: type=1400 audit(1650650124.793:2258): apparmor="DENIED" operation="exec" profile="firefox" name="/home/<USER>/.mozilla/native-messaging-hosts/passff.py" pid=73124 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
```
Similarly, OpenBSD has its own ways to restrict execution of scripts by Firefox. See the "Installation" section above for instructions on how to remove those restrictions.
#### Testing OTP support
```console
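Review bot: The added sentence "instructions on how to remove those restrictions" overstates what the Installation text does, since that text adds one `rx` entry to `/etc/firefox/unveil.main` and leaves the rest of the unveil configuration in place. Suggest wording such as "how to allow execution of the host script" and linking directly to the OpenBSD paragraph rather than referring to the section by name. Unlike the AppArmor case just above it, this sentence gives the reader no symptom to look for, so a note on how the failure shows up on OpenBSD would fit the troubleshooting context.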