enpass: fix install to work with browser extensions #21082
Closed
Motivation for this change
Enpass is a password manager. Browser extensions in Chrome and Firefox talk to it via websocket, but currently aren't working in NixOS. The issue comes from Enpass looking up the browser process through lsof, with the port from the client side (the browser) as its argument.
Enpass requires lsof to be installed in /usr/bin in order to function correctly. Because the path is hardcoded inside the Enpass binary, we try to wrap it in a user FHS-compliant environment. Unfortunately this is not sufficient. NixOS uses Linux user namespaces to implement the FHS env, with restricted access to /proc/*/fd/* in particular. This prevents lsof from functioning fully.
This patch bypasses the restriction by talking to lsof outside of the user namespace via a named pipe. The browser extensions for Enpass are now working. However, a better fix might be to lessen the restrictions in NixOS user namespaces, if appropriate.
Can somebody help with this? A way to reproduce is by creating an FHS user environment with nix-shell, running it with this shell.nix in the current directory:
Outside of the namespace, lsof sees Firefox connections:
Inside of it it doesn't, strace showing permission denied errors:
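The lookup lsof has to perform for the check described above, as an added example that is not code from this pull request or from Enpass: resolve a local TCP port to its socket inode via /proc/net/tcp, then scan /proc/*/fd for that inode, recording every process whose fd directory cannot be read. The function names, the `proc` parameter and the sample tree (pid 4242, port 10391, inode 55501) are constructed for illustration.

```python
import os

def port_to_inodes(port, proc="/proc"):
    """Socket inodes of TCP sockets whose local port is `port` (from proc/net/tcp*)."""
    inodes = set()
    for name in ("tcp", "tcp6"):
        try:
            with open(os.path.join(proc, "net", name)) as fh:
                rows = fh.read().splitlines()[1:]      # skip the header row
        except OSError:
            continue
        for row in rows:
            cols = row.split()
            # cols[1] is local "HEXADDR:HEXPORT", cols[9] is the socket inode
            if len(cols) > 9 and int(cols[1].rsplit(":", 1)[1], 16) == port:
                inodes.add(cols[9])
    return inodes

def find_owners(port, proc="/proc"):
    """Return (pids owning a socket on `port`, pids whose fd dir was unreadable)."""
    targets = {"socket:[%s]" % i for i in port_to_inodes(port, proc)}
    owners, denied = set(), set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:
            denied.add(int(pid))       # the failure lsof hits inside the namespace
            continue
        except OSError:
            continue                   # process exited while scanning
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) in targets:
                    owners.add(int(pid))
            except OSError:
                pass
    return owners, denied

def build_sample_proc(root):
    """Constructed miniature /proc: pid 4242 holds the socket on local port 10391."""
    for d in ("net", "4242/fd", "77/fd"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n")
        fh.write("   0: 0100007F:2897 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 55501 1\n")
    os.symlink("socket:[55501]", os.path.join(root, "4242", "fd", "7"))
    os.symlink("/dev/null", os.path.join(root, "77", "fd", "0"))
    return root
```

Calling `find_owners(port)` against the real /proc inside and outside the FHS environment shows the difference: a non-empty `denied` set together with an empty `owners` set is the symptom reported here.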