I use Fedora, and there the dante package and socksify are not available. Thus reading HTML mails does not work out of the box. One can install the tsocks package though and use tsocks. The filter script should maybe check what is available on the machine (socksify, tsocks, nothing) and should use that.
tsocks doesn't appear to have a way to specify the target socks server on the command line. The point of using socksify the way aerc does is to sandbox w3m away from the network.
If we just called tsocks and there was a valid socks server in the tsocks config already on the system, the purpose of the script would be defeated.
To work around this we'll probably need to write a tsocks config with the dummy server to /tmp and then invoke tsocks with TSOCKS_CONFFILE=/tmp/aerc_tsocks_sandbox or similar.
That's... not particularly elegant.
Would it make more sense to use unshare instead of socksify? https://unix.stackexchange.com/questions/68956/block-network-access-of-a-process
It's been in the kernel for some time and appears to be pretty widely available across the few distros I had a look at. (arch, fedora, ubuntu, debian).
+1 for unshare
Easy fix, then!
Just trying to test my change locally before I submit the PR. How do I swap between filters in the email view?
I've got a HTML email but the text/plain mimetype is highlighted and I can't for the life of me figure out how to switch to text/html. Tried the help and tutorial but couldn't find any commands or bindings.
^j and ^k by default, which are bound to :next-part and :prev-part respectively.
Ahh, thanks!
Patch submitted, tested working on Arch.
Ah, uh, I was playing with unshare while looking over your patch and see you forgot to specify unshare -n, to remove network access. Try this:
    unshare curl http://example.org
vs
    unshare -n curl http://example.org
Unfortunately... you'll notice the second one requires root. So I'm -1 to this solution now.
Ah, good catch, thanks. Have had lunch now and brain works more good.
There is the -r option to unshare which should let it run unprivileged but it appears that most distros disable unprivileged user namespaces by default via a kernel patch. We'd need to twiddle that kernel param on installation which is a non-starter I think.
What's the threat model for this? I've been digging around and I can't figure out a way to make either w3m or lynx request an external network resource. They don't display images, load external stylesheets, populate iframes or execute javascript.
I appreciate the extra layer of comfort you get with socksify, but maybe the way out of this is to use socksify if it's present, but just execute without it if it isn't.
How about an LD_PRELOAD trick, with something like:
int connect(...) { errno = EADDRNOTAVAIL; return -1; }
There is also bwrap from bubblewrap package, available in alpine, arch, fedora fc29+ and debian stretch+. (I'm not sure which distros are supported with aerc). Try:
    $ bwrap --ro-bind / / --unshare-net curl google.com
    curl: (6) Could not resolve host: google.com
    $ bwrap --ro-bind / / curl google.com
    (...)
bubblewrap is flatpak's dependency.
It appears that tsocks is available on MacOS, but I don't think unshare, bwrap, or socksify are available, though I may be overlooking something. It would be nice if the chosen implementation uses a package that is also available on MacOS.
socksify can be installed on macOS with brew:
brew install dante
I finally solved the prob on VoidLinux using unshare -n -r yep. I continue to think there is a better way, more compatible :)
While this is not exactly a solution to the problem, one can use something like this instead of w3m:
    package main

    import (
    	"bufio"
    	"fmt"
    	"io"
    	"os"

    	"github.com/jaytaylor/html2text"
    )

    func main() {
    	// Read the whole HTML part from stdin, the way a filter receives it.
    	reader := bufio.NewReader(os.Stdin)
    	input, err := io.ReadAll(reader)
    	if err != nil {
    		panic(err)
    	}
    	// Convert the HTML to plain text with html2text instead of piping it to w3m.
    	text, err := html2text.FromString(string(input), html2text.Options{PrettyTables: false})
    	if err != nil {
    		panic(err)
    	}
    	fmt.Println(text)
    }
Obviously results are different.
The provided script is more of an example than a one-size-fits-all solution... it's easy enough to patch / adapt to one's needs.
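
The detection this thread asks for (use whichever of bwrap, unshare or socksify is present and actually works), as an added example that is not part of the original posts or aerc's shipped filter. The function names, the preference order and the dummy SOCKS_SERVER address 127.0.0.1:1 are assumptions of this example.

```shell
#!/bin/sh
# Added example: choose a network sandbox for the HTML renderer from the
# tools named in this thread. Function names are hypothetical.

# Print the first sandbox that is installed AND usable on this machine.
# Kernel network namespaces (bwrap, unshare) are tried before socksify,
# which only redirects libc socket calls; that ordering is this example's choice.
pick_sandbox() {
    # Probe by running `true` inside the sandbox: `unshare -n -r` fails where
    # unprivileged user namespaces are disabled, so a binary on PATH is not enough.
    if command -v bwrap >/dev/null 2>&1 &&
       bwrap --ro-bind / / --unshare-net true >/dev/null 2>&1; then
        echo bwrap
    elif command -v unshare >/dev/null 2>&1 &&
         unshare -n -r true >/dev/null 2>&1; then
        echo unshare
    elif command -v socksify >/dev/null 2>&1; then
        echo socksify
    else
        echo none
    fi
}

# run_sandboxed <sandbox> <command> [args...]
# Run the command with network access removed by the chosen mechanism.
run_sandboxed() {
    sandbox=$1
    shift
    case $sandbox in
        bwrap)   bwrap --ro-bind / / --unshare-net "$@" ;;
        unshare) unshare -n -r "$@" ;;
        # Assumed dummy proxy address: nothing listens there, so connections fail.
        socksify) SOCKS_SERVER=127.0.0.1:1 socksify "$@" ;;
        # Fallback suggested in the thread: run without a sandbox.
        none)    "$@" ;;
        *)       echo "unknown sandbox: $sandbox" >&2; return 2 ;;
    esac
}

# Usage in a filter script:
#   run_sandboxed "$(pick_sandbox)" w3m -T text/html -dump
```

A filter that should refuse to render when no sandbox is found can test for `none` before calling `run_sandboxed`.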