Turn Auto File Previews off by default in Debian / Whonix templates

[powerpeep]

https://www.whonix.org/forum/index.php/topic,1492.0.html

Qubes Fedora templates has auto file preview off by default in the file manager to stop random files or downloads from being able to exploit parsing vulnerabilities here.

The Debian / Whonix templates have this on by default. So it shows thumbnails of images and more in the file manager's icons.

For security, could this preview feature please be turned off by default in future releases?

[adrelanos]

I guess Qubes does not influence Debian's defaults at present. Would speculate, that Fedora has just different defaults. Just now checked, in a jessie template and dolphin, preview is not enabled by default. In nautilus however I can confirm it is enabled by default. This undermines the security benefit by the right click action "Open in DisposableVM".

[adrelanos]

I guess Qubes does not influence Debian's defaults at present. Would speculate, that Fedora has just different defaults. Just now checked, in a jessie template and dolphin, preview is not enabled by default. In nautilus however I can confirm it is enabled by default. This undermines the security benefit by the right click action "Open in DisposableVM".

[adrelanos]

Correction, it's also enabled in dolphin. Quote powerpeep.

Settings => Configure Dolphin => General => Previews
Directories: Checked
Images (GIF, PNG, BMP, ...): Checked
JPEG Images: Checked
JPEG: Rotate the image automatically: Checked

[adrelanos]

Correction, it's also enabled in dolphin. Quote powerpeep.

Settings => Configure Dolphin => General => Previews
Directories: Checked
Images (GIF, PNG, BMP, ...): Checked
JPEG Images: Checked
JPEG: Rotate the image automatically: Checked

[adrelanos]

I have some experience with changing distribution defaults for KDE applications. There is a number of packages, where we at Whonix change these settings:
https://github.com/Whonix?utf8=%E2%9C%93&query=kde-

If you want, I could create a kde-dolphin-security-settings package.

Dunno about nautilus. Configuration of Gnome packages is more cumbersome. I could try this as well. Would be a more time intense task.

[adrelanos]

I have some experience with changing distribution defaults for KDE applications. There is a number of packages, where we at Whonix change these settings:
https://github.com/Whonix?utf8=%E2%9C%93&query=kde-

If you want, I could create a kde-dolphin-security-settings package.

Dunno about nautilus. Configuration of Gnome packages is more cumbersome. I could try this as well. Would be a more time intense task.

[marmarek]

Generally good idea. @adrelanos if you know how to do it, feel free to take this ticket :)

[marmarek]

Generally good idea. @adrelanos if you know how to do it, feel free to take this ticket :)

[adrelanos]

Will do. Start with configuration of dolphin. Will call that package security-misc where we can aggregate similar settings.

Are you okay with the packages implemented in the following style:
https://github.com/Whonix?utf8=%E2%9C%93&query=kde- ? As a specific example you could take for example https://github.com/Whonix/kde-sounds-off. I.e. a simple genmkfile based settings package.

[adrelanos]

Will do. Start with configuration of dolphin. Will call that package security-misc where we can aggregate similar settings.

Are you okay with the packages implemented in the following style:
https://github.com/Whonix?utf8=%E2%9C%93&query=kde- ? As a specific example you could take for example https://github.com/Whonix/kde-sounds-off. I.e. a simple genmkfile based settings package.

[marmarek]

On Wed, Sep 02, 2015 at 02:41:30AM -0700, Patrick Schleizer wrote:

Will do. Start with configuration of dolphin. Will call that package security-misc where we can aggregate similar settings.

Are you okay with the packages implemented in the following style:
https://github.com/Whonix?utf8=%E2%9C%93&query=kde- ? As a specific example you could take for example https://github.com/Whonix/kde-sounds-off. I.e. a simple genmkfile based settings package.

Currently we place such things (configuration of template stuff) in
core-agent-linux package, but I'm ok with creating new one.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Wed, Sep 02, 2015 at 02:41:30AM -0700, Patrick Schleizer wrote:

Will do. Start with configuration of dolphin. Will call that package security-misc where we can aggregate similar settings.

Are you okay with the packages implemented in the following style:
https://github.com/Whonix?utf8=%E2%9C%93&query=kde- ? As a specific example you could take for example https://github.com/Whonix/kde-sounds-off. I.e. a simple genmkfile based settings package.

Currently we place such things (configuration of template stuff) in
core-agent-linux package, but I'm ok with creating new one.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[adrelanos]

Tracking this under https://phabricator.whonix.org/T418.

[adrelanos]

Tracking this under https://phabricator.whonix.org/T418.

[adrelanos]

I still intent another try figuring this out for nautilus... https://phabricator.whonix.org/T500

But if someone else wanted to help out, please do.

[adrelanos]

I still intent another try figuring this out for nautilus... https://phabricator.whonix.org/T500

But if someone else wanted to help out, please do.

[adrelanos]

@andrewdavidwong:

File previews in the Fedora templates have been disabled for a long time now.

Is this a Fedora or Qubes feature? Where is that implemented?

(I am asking, because then implementing this ticket would be a lot simpler.)

[adrelanos]

@andrewdavidwong:

File previews in the Fedora templates have been disabled for a long time now.

Is this a Fedora or Qubes feature? Where is that implemented?

(I am asking, because then implementing this ticket would be a lot simpler.)

[andrewdavidwong]

I figured @marmarek simply changed that setting in Nautilus before packaging the standard Fedora template.

[andrewdavidwong]

I figured @marmarek simply changed that setting in Nautilus before packaging the standard Fedora template.

[marmarek]

It wasn't me, anyway: QubesOS/qubes-core-agent-linux@40fcbde

[marmarek]

It wasn't me, anyway: QubesOS/qubes-core-agent-linux@40fcbde

[marmarek]

If not working on Debian, it may require to call glib-compile-schemas. From rpm spec:

%posttrans
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :

[marmarek]

If not working on Debian, it may require to call glib-compile-schemas. From rpm spec:

%posttrans
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :

[andrewdavidwong]

It wasn't me, anyway: QubesOS/qubes-core-agent-linux@40fcbde

Oh, sorry!

@adrelanos: BTW, here's the issue that was closed by the above commit: #813

[andrewdavidwong]

It wasn't me, anyway: QubesOS/qubes-core-agent-linux@40fcbde

Oh, sorry!

@adrelanos: BTW, here's the issue that was closed by the above commit: #813

[unman]

I believe that file previews are turned off in dolphin by default. At least in jessie and stretch it appears to be so.

[unman]

I believe that file previews are turned off in dolphin by default. At least in jessie and stretch it appears to be so.

[unman]

@andrewdavidwong The merging of QubesOS/qubes-core-agent-linux#39 closes this in Debian.
Whonix has its own solution.

[unman]

@andrewdavidwong The merging of QubesOS/qubes-core-agent-linux#39 closes this in Debian.
Whonix has its own solution.

[adrelanos]

Whonix does not have a solution for nautilus yet. Do you know, can there be multiple files like '/usr/share/glib-2.0/schemas/org.gnome.nautilus.gschema.override' doing the same? I am asking, because I'd like to add it to the security-misc package. (And as per Debian packaging, a file may not be owned by two packages at once.)

[adrelanos]

Whonix does not have a solution for nautilus yet. Do you know, can there be multiple files like '/usr/share/glib-2.0/schemas/org.gnome.nautilus.gschema.override' doing the same? I am asking, because I'd like to add it to the security-misc package. (And as per Debian packaging, a file may not be owned by two packages at once.)

[unman]

On Sun, Feb 19, 2017 at 09:37:44AM -0800, Patrick Schleizer wrote: Whonix does not have a solution for nautilus yet. Do you know, can there be multiple files like '/usr/share/glib-2.0/schemas/org.gnome.nautilus.gschema.override' doing the same? I am asking, because I'd like to add it to the security-misc package. (And as per Debian packaging, a file may not be owned by two packages at once.)

I'm sorry Patrick - I misread your earlier comment.

[unman]

On Sun, Feb 19, 2017 at 09:37:44AM -0800, Patrick Schleizer wrote: Whonix does not have a solution for nautilus yet. Do you know, can there be multiple files like '/usr/share/glib-2.0/schemas/org.gnome.nautilus.gschema.override' doing the same? I am asking, because I'd like to add it to the security-misc package. (And as per Debian packaging, a file may not be owned by two packages at once.)

I'm sorry Patrick - I misread your earlier comment.