socksify not available on all distributions

I use fedora and there is the dante-package and socksify not available. Thus reading html-mails does not work out of the box. One can install the tsocks package though and use tsocks. The filter-script should maybe check what is available on the machine (socksify, tsocks, nothing) and should use that.

Assigned to
2 years ago
1 year, 5 months ago
good first ticket refactoring

~davidbanham 2 years ago

tsocks doesn't appear to have a way to specify the target socks server on the command line. The point of using socksify the way aerc does is to sandbox w3m away from the network.

If we just called tsocks and there was a valid socks server in the tsocks config already on the system, the purpose of the script would be defeated.

To work around this we'll probably need to write a tsocks config with the dummy server to /tmp and then invoke tsocks with TSOCKS_CONFFILE=/tmp/aerc_tsocks_sandbox or similar.

That's... not particularly elegant.

Would it make more sense to use unshare instead of socksify?


It's been in the kernel for some time and appears to be pretty widely available across the few distros I had a look at. (arch, fedora, ubuntu, debian).

~sircmpwn 2 years ago

+1 for unshare

~davidbanham 2 years ago

Easy fix, then!

Just trying to test my change locally before I submit the PR. How do I swap between filters in the email view?

I've got a HTML email but the text/plain mimetype is highlighted and I can't for the life of me figure out how to switch to text/html. Tried the help and tutorial but couldn't find any commands or bindings.

~sircmpwn 2 years ago

^j and ^k by default, which are bound to :next-part and :prev-part respectively.

~davidbanham 2 years ago

Ahh, thanks!

Patch submitted, tested working on Arch.


~sircmpwn 2 years ago

Ah, uh, I was playing with unshare while looking over your patch and see you forgot to specify unshare -n, to remove network access. Try this:

unshare curl http://example.org


unshare -n curl http://example.org

Unfortunately... you'll notice the second one requires root. So I'm -1 to this solution now.

~davidbanham 2 years ago

Ah, good catch, thanks. Have had lunch now and brain works more good.

There is the -r option to unshare which should let it run unprivileged but it appears that most distros disable unprivileged user namespaces by default via a kernel patch. We'd need to twiddle that kernel param on installation which is a non-starter I think.

What's the threat model for this? I've been digging around and I can't figure out a way to make either w3m or lynx request an external network resource. They don't display images, load external stylesheets, populate iframes or execute javascript.

I appreciate the extra layer of comfort you get with socksify, but maybe the way out of this is to use socksify if it's present, but just execute without it if it isn't.

~hiciu 2 years ago

How about LD_PRELOAD trick, with something like:

int connect(...)
    errno = EADDRNOTAVAIL;
    return -1;

There is also bwrap from bubblewrap package, available in alpine, arch, fedora fc29+ and debian stretch+. (I'm not sure which distros are supported with aerc). Try:

$ bwrap --ro-bind / / --unshare-net curl google.com
curl: (6) Could not resolve host: google.com
$ bwrap --ro-bind / / curl google.com

bubblewrap is flatpak's dependency.

~cmpadden 2 years ago

It appears that tsocks is available on MacOS, but I don't think unshare, bwrap, or socksify are available, though I may be overlooking something. It would be nice if the chosen implementation uses a package that is also available on MacOS.

~pingiun 2 years ago

socksify can be installed on macOS with brew: brew install dante

~reedwade 2 years ago

I finally solved the prob on VoidLinux using unshare -n -r yep. I continue to think there is a better way, more compatible :)

~ernierasta 2 years ago

While this is not exactly solution to the problem, one can use something like this instead of w3m:

package main

import (


func main() {
	reader := bufio.NewReader(os.Stdin)
	input, _ := ioutil.ReadAll(reader)

	text, err := html2text.FromString(string(input), html2text.Options{PrettyTables: false})
	if err != nil {

Obviously results are different.

~labrat REPORTED FIXED 1 year, 5 months ago

the provided script is more of an example than a one size fits all solution... it's easy enough to patch / adapt to ones needs

Register here or Log in to comment, or comment via email.