Thunderbird plugin: open in dispvm / untrusted vm

[Olivier Médoc]

Hello,

I was thinking about something I'm missing a lot. Have an easy way to
open a link on a different vm.

I'm reading all these RSS feeds in thunderbird, but I don't really trust
the links that are there. I want to open it in my untrusted vm to read
it and eventually create bookmarks...

Now I can use secure copy and paste it in whatever firefox instance, but
that takes a lot of clicks and keyboard shortcuts for something that I
will repeat several times in a single hour of reading.

The problem is that there are a lot of security implications there. The
simplest thing would be to add a "open link in dispvm" option in
thunderbird.

[Axon]

Olivier Médoc:

I've had the same thought. I agree that a plugin like that would be very
useful.

(As I've noted before, however, it could be dangerous if used in an
AnonVM, if the new DispVM is not also Torified. So, hopefully there's a
way to account for that.)

[Joanna Rutkowska]

On 12/02/13 11:31, Axon wrote:
> Olivier Médoc:
>> Hello,
>>
>> I was thinking about something I'm missing a lot. Have an easy way to
>> open a link on a different vm.
>>
>> I'm reading all these RSS feeds in thunderbird, but I don't really trust
>> the links that are there. I want to open it in my untrusted vm to read
>> it and eventually create bookmarks...
>>
>> Now I can use secure copy and paste it in whatever firefox instance, but
>> that takes a lot of clicks and keyboard shortcuts for something that I
>> will repeat several times in a single hour of reading.
>>
>> The problem is that there are a lot of security implications there. The
>> simplest thing would be to add a "open link in dispvm" option in
>> thunderbird.
>>
>

The infrastructure for implementing this is already in place, e.g.:

[user@work ~]$ qvm-open-in-vm work-pub http://google.com

This will open the URL given as the 2nd argument in the vm given as the
1st argument. Of course if the Dom0 qrexec policy allows that (or, if
there is no policy defined, if the user confirms that).

> I've had the same thought. I agree that a plugin like that would be very
> useful.
>
> (As I've noted before, however, it could be dangerous if used in an
> AnonVM, if the new DispVM is not also Torified. So, hopefully there's a
> way to account for that.)
>

Yes, just add a "deny" entry for this service for your anonvm (or
whatever it is called), e.g.:

[dom0]$ cat "anonvm $anyvm deny" >> /etc/qubes-rpc/qubes.OpenInVM

joanna.

[Joanna Rutkowska]

So, the best way to handle this is to write a mime handler that would be
using qvm-open-in-vm or qvm-open-in-dvm. The ticket #441 is in fact all
about this.

joanna.

[Olivier Médoc]

On 12/02/13 12:02, Joanna Rutkowska wrote:
> On 12/02/13 12:00, Joanna Rutkowska wrote:
>> On 12/02/13 11:31, Axon wrote:

>>> Olivier M�doc:

I'm currently trying this:

- I unset the mime handlers of thunderbird so that thunderbird ask each
time how to open the application
- I created the .desktop file for qvm-open-in-dvm in
/home/user/.local/share/applications/userapp-OpenDispVM.desktop as
following:
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Name=Open in DVM
GenericName=Web Browser
Exec=/bin/qvm-open-in-dvm %u
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
Comment=Open URL or application in DISPVM

This problem is that it is recognized as a desktop entry, but not as a
program that can be started using the mime-handler...





>

[Olivier Médoc]

I managed to get this working for the file manager (after restarting the
file manager), but I don't managed to make it working in thunderbird
which only give me the option to open the link with firefox...

[Olivier Médoc]

Some progress here:
- Creating the .desktop file allow to , but it requires additionnal
actions. On a system-wide side:
* copy the desktop file to /usr/share/applications
* edit the additionnal mimetypes of the .desktop file, because a
dispvm can potentially open any mimetype (I only put html currently).
* run update-desktop-database /usr/share/applications as root (it
will regenerate /usr/share/applications/mimeinfo.cache)
* eventually edit defaults.list if you want to change mime associations

Now you can right click on a .html file, and the file manager will add
"open in dispvm" in the "open with" menu.

- Using thunderbird is different because thunderbird use its own mime
handler:
* If no mime handler is configured, thunderbird use the default
mime handler found in the defaults.list file (probably using gnome-open
or gvfs-open)
* Thunderbird creates new handlers only when opening an attachment,
and it doesn't give the choice to use system defined handlers (in
mimeinfo.cache)
* As a consequence, it is not possible to easily create new
handlers for html links, except by loading the file mimeTypes.rdf into
your thunderbird profile. It attached this file in its simplest form
that could be used for selecting either firefox or open in dispvm:

<?xml version="1.0"?>
<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<RDF:Description RDF:about="urn:root"
NC:en-US_defaultHandlersVersion="-1" />
<RDF:Description RDF:about="urn:scheme:handler:http"
NC:alwaysAsk="true">
<NC:possibleApplication
RDF:resource="urn:handler:local:/usr/bin/qvm-open-in-dvm"/>
<NC:possibleApplication
RDF:resource="urn:handler:local:/usr/bin/firefox"/>
<NC:externalApplication
RDF:resource="urn:scheme:externalApplication:http"/>
</RDF:Description>
<RDF:Seq RDF:about="urn:mimetypes:root">
</RDF:Seq>
<RDF:Description RDF:about="urn:handler:local:/usr/bin/firefox"
NC:prettyName="Firefox"
NC:path="/usr/bin/firefox" />
<RDF:Description RDF:about="urn:handler:local:/usr/bin/qvm-open-in-dvm"
NC:prettyName="Open in DispVM"
NC:path="/usr/bin/qvm-open-in-dvm" />
<RDF:Description RDF:about="urn:scheme:https"
NC:value="https">
<NC:handlerProp RDF:resource="urn:scheme:handler:https"/>
</RDF:Description>
<RDF:Description RDF:about="urn:scheme:handler:https"
NC:alwaysAsk="true">
<NC:possibleApplication
RDF:resource="urn:handler:local:/usr/bin/firefox"/>
<NC:possibleApplication
RDF:resource="urn:handler:local:/usr/bin/qvm-open-in-dvm"/>
<NC:externalApplication
RDF:resource="urn:scheme:externalApplication:https"/>
</RDF:Description>
<RDF:Seq RDF:about="urn:schemes:root">
<RDF:li RDF:resource="urn:scheme:http"/>
<RDF:li RDF:resource="urn:scheme:https"/>
</RDF:Seq>
<RDF:Description RDF:about="urn:schemes">
<NC:Protocol-Schemes RDF:resource="urn:schemes:root"/>
</RDF:Description>
<RDF:Description RDF:about="urn:scheme:http"
NC:value="http">
<NC:handlerProp RDF:resource="urn:scheme:handler:http"/>
</RDF:Description>
<RDF:Description RDF:about="urn:scheme:externalApplication:https"
NC:prettyName="Firefox"
NC:path="/usr/bin/firefox" />
<RDF:Description RDF:about="urn:scheme:externalApplication:http"
NC:prettyName="Firefox"
NC:path="/usr/bin/firefox" />
<RDF:Description RDF:about="urn:mimetypes">
<NC:MIME-types RDF:resource="urn:mimetypes:root"/>
</RDF:Description>
</RDF:RDF>

[Olivier Médoc]

In fact this discussion is similar as on the qubes-user mailing list:
"How to open Thunderbird email URL link in a DVM"

Here is Steve Coleman proposal:

The first step is to modify Thunderbird for a selection box:

Edit -> Preferences -> [Config Editor] -> ["I'll be careful, I promise"]

Search for "network.protocol-handler.warn-external" in the top search
bar, and double-click each entry to change the values of
ftp,http,https,file to true. The 'default' is likely already set to true.

network.protocol-handler.warn-external-default true
network.protocol-handler.warn-external.file true
network.protocol-handler.warn-external.ftp true
network.protocol-handler.warn-external.http true
network.protocol-handler.warn-external.https true


This disable auto start for links even if no mimeTypes have been defined.

Is it possible to make this configuration by default in thunderbird ?
Because these settings are initialized only when creating a new account ?

[Joanna Rutkowska]

On 12/03/13 10:01, Olivier_M=E9doc wrote:
> On 12/02/13 16:19, Olivier Médoc wrote:
>> On 12/02/13 14:16, Olivier Médoc wrote:

>>> On 12/02/13 13:31, Olivier Médoc wrote:
>>>> On 12/02/13 12:02, Joanna Rutkowska wrote:
>>>>> On 12/02/13 12:00, Joanna Rutkowska wrote:
>>>>>> On 12/02/13 11:31, Axon wrote:

>>>>>>> Olivier Médoc:

To be honest, I don't quite like a solution that would be
Thunderbird-specific or any other app-specific. After all not everybody
uses TB, and I would expect there must be a way for the OS to tell the
app, such as TB, which program to use for URL opening, as well as .PDF
opening, etc.

If we have a normal OS system and install a new Web Browser and set it
as default -- are you saying there is no way to tell TB to use it for
URL opening? I would expect otherwise...

joanna.

[Olivier Médoc]

On 12/03/13 10:40, Joanna Rutkowska wrote:
> On 12/03/13 10:01, Olivier_M=E9doc wrote:

>> On 12/02/13 16:19, Olivier M�doc wrote:
>>> On 12/02/13 14:16, Olivier M�doc wrote:

>>>> On 12/02/13 13:31, Olivier M�doc wrote:
>>>>> On 12/02/13 12:02, Joanna Rutkowska wrote:
>>>>>> On 12/02/13 12:00, Joanna Rutkowska wrote:
>>>>>>> On 12/02/13 11:31, Axon wrote:

>>>>>>>> Olivier M�doc:

In fact, if a web or mail browser follows the .desktop specification, it
will have two choice:
1/ run the default program depending on the mimetype
(/usr/share/applications/defaults.list), or
2/ load a list of programs that can be used for this mimetype and give
the user the choice (mimeinfo.cache).

This is where creating .desktop files for qvm-run-in-dvm is great
because "Run in DispVM" will appears as a choice for opening a file or
an URL (either from the file manager or any program following the
.desktop specification).

Now about thunderbird:
Case 1/ is the default for several mimes type, especially URLs (http,
https, ftp...), and the system defaults are apparently respected.
Case 2/ is the default for most attachements, but thunderbird does not
rely on programs known by the system, but on its own list (which is
empty by default). As a consequence, the user will have to go to
/usr/bin/ and select its program of choice.

Thats why I want to:
1/ Create the run-in-dvm .desktop file, which makes web/email browser
plugins not really necessary
2/ Set case 2 to be the default for any attachment or URL in thunderbird
(the user can change that later by selecting the box 'always perform
this action')
3/ Create a list of programs that the user can select depending on the
mime-type. Here are some exemples:
- Run in DispVM
- Use system default (for exemple by running gnome-open or
gvfs-open to rely on system defaults)
- Any program that can be selected by default, possibly the
programs that are installed default in the default qubes template

[cprise]

The Mozilla programs are not as well integrated on "Linux" systems as
they are on OS X and Windows. This is one of those areas where they are
half-hearted about it. IIRC, Firefox and Thunderbird will show the
dialog when the user clicks on unfamiliar link and file types, but that
dialog doesn't invite the user to browse their whole filesystem...
showing a proper list of applications instead.

There may be some way to nudge TB into doin' the right thing, but I
suspect most people have just overlooked the shortcoming or dealt with
it within TB. Perhaps the way forward here is to implement both the
system-wide spec and the Mozilla-specific klugde.

[Steve Coleman]

On 12/03/13 16:08, cprise wrote:
> The Mozilla programs are not as well integrated on "Linux" systems as
> they are on OS X and Windows. This is one of those areas where they are
> half-hearted about it. IIRC, Firefox and Thunderbird will show the
> dialog when the user clicks on unfamiliar link and file types, but that
> dialog doesn't invite the user to browse their whole filesystem...
> showing a proper list of applications instead.
>
> There may be some way to nudge TB into doin' the right thing, but I
> suspect most people have just overlooked the shortcoming or dealt with
> it within TB. Perhaps the way forward here is to implement both the
> system-wide spec and the Mozilla-specific klugde.
>

The prior thunderbird fix mentioned has been serving me quite well for a
while, and it gives me a list of whatever applications (scripts in my
case) that I might choose to open the email links with. Whenever I click
on a link from any email I then need to make a choice from a list of
where I want to open that link. That destination of course depends on
how much I trust the source of that email. Thunderbird uses its own
application settings internally, but once its set up, I certainly have
no complaints. I can add whatever scripts to the menu any time I like
without having to hack the thunderbird settings, after that initial
settings tweak of course.

My work vm firefox browser then uses the "open with" plugin, which does
the same to add a right click "open link with" menu from where I select
my open-in-vm script(s). If I initially opened a link from an email in
my work vm using firefox, I am always free to send the next link to my
untrusted domain or a disposable vm with a simple right-menu click. I
always have a choice of where to launch the next link.

Steve Coleman