Discord should have the ability to read the whole filesystem #12

Closed
Bleuzen opened this issue Dec 25, 2017 · 21 comments

Comments

@Bleuzen

Bleuzen commented Dec 25, 2017

... because it has drag n drop support for sending files. But currently Discord can only read the pictures and videos folders in the user's home.
When trying to send a file from another folder, this ends in an error.

So maybe it should be able to read the whole filesystem, so that we can drag n drop to send files from everywhere.

@TingPing
Member

See #10

@Bleuzen
Author

Bleuzen commented Dec 25, 2017

@TingPing Thanks, I saw that already. But I think it would be better for new / all users to be able to simply drop any file to send. Not every user knows that this is an issue because flatpak blocks it, and not every user knows how to solve this. So maybe it should be able to read all files by default? What do you think?

@TingPing
Member

I don't know, I think Discord is a great example of software that should be sandboxed. It's proprietary, user to user data, includes a large security sensitive browser, etc.

@Bleuzen
Author

Bleuzen commented Dec 26, 2017

Hm, maybe you are right. We should try to keep it sandboxed, if it is possible.
But to break features is also not good.
Let's think about it, maybe we will find a way around.

Would it be possible to temporarily copy files that are dropped into a flatpak app into a folder where flatpak / the app can read them? Or better would be to not copy, but link the file.
For example when someone drops a file into a flatpak app, flatpak creates a link to the original file in a temporary folder that can be read by the app. Then the app can read / access the file through this link.
I don't know if and how this will be possible, it is just my first idea.

Besides: I think the current setting is not that perfect. Why should Discord be able to read my private pictures and videos, but not the rest of my home? Either we fully trust Discord and let it read all, or don't read anything. We should decide for one, everything or nothing. Well, just my opinion ;)
Or we try to find another solution, as I tried above.

@TingPing
Member

> Let's think about it, maybe we will find a way around.

There is currently no secure solution for drag-n-drop, a discussion about that is here: flatpak/xdg-desktop-portal#99

> Why should Discord be able to read my private pictures and videos, but not the rest of my home? Either we fully trust Discord and let it read all, or don't read anything.

There is a big leap in trust between "You can read my pictures" and "You can read my browser history and passwords, my ssh and gpg keys, my documents, etc"

Now the permissions for this package are already fairly relaxed so maybe it does make sense to give up. Discord won't be sandbox friendly for many years to come...

@Bleuzen
Author

Bleuzen commented Dec 26, 2017

> There is a big leap in trust between "You can read my pictures" and "You can read my browser history and passwords, my ssh and gpg keys, my documents, etc"

Oh sorry, I'm that stupid :D
Don't know why, but for some reason I didn't think about the hidden files in our home. Sorry, my bad.
Then it is ok as it is now.
If it would be possible to let it access only not hidden files, maybe you can change it at least to this. But this is only a last idea from my side.

I think I will close this here to not get on your nerves ;)
If someone finds a solution to get drag n drop working at some point, this would be nice. But until then, I'll have to wait..
Anyway, thanks for now :)

@Bleuzen Bleuzen closed this as completed Dec 26, 2017
@TingPing
Member

> (just curious .. would it be possible to let it access only not hidden files?)

To a degree but there are valuable files in non-hidden directories.

> Yeah, I think I will close this here to not get on your nerves ;)

Nah, this is a reasonable discussion about real problems. I'm just not convinced of the best solution.

@polyjitter

This exact issue is really the reason I do not fully use Flatpak as of yet. Sure, it's proprietary, but this is clearly marked in Software and anyone installing from CLI will know this already.

I'm not asking for full filesystem access; I fully understand why that, security-wise, is absurd.

But Discord is a chat app. I use it to hang out as well as collaborate on projects. It's completely silly that I can't, by default, say, upload a story or design document I'm working on from my Documents folder, or upload something from my Music folder. No dot folders is fine - normal users don't need to upload dot files. But there are so many cases where not being able to upload from my Documents folder without first arbitrarily copying it to my Downloads or something is simply an enormous hassle.

@TingPing
Member

TingPing commented Jun 3, 2019

@taciturasa You always control permissions on your machine (`flatpak override --user --filesystem=xdg-documents:ro com.discordapp.Discord`), this discussion is about defaults really.

@MasterJubei

MasterJubei commented Jun 22, 2019

This issue is silly, I thought something was wrong with Discord on Linux because I installed it via flatpak and couldn't drag and drop images. I later realized it was because I was using a flatpak and uninstalled the whole thing. I went with the deb because that is significantly simpler. It is not clear that the issue is with permissions if you install Discord via flatpak. This should be fixed with no requirements for command line. Honestly Discord should be removed from flathub, this problem just creates confusion for new users.

@TingPing
Member

Everybody can stop bumping the issue. If you want Discord to have full access I gave a command to do so.

If you hate the idea of a sandbox then go ahead and keep using traditional packages.

@different55

Where can documentation on permission overrides be found? The command you listed only gives access to ~/Documents on my system, which is a start but isn't terribly useful since I don't think I've ever uploaded from ~/Documents to Discord. I don't have access to ~/Videos or ~/Pictures, either.

@TingPing
Member

https://docs.flatpak.org/en/latest/sandbox-permissions-reference.html#filesystem-permissions
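An added example (not from the thread or from the Flathub package): a small audit of the `filesystems=` grants discussed above, separating scoped XDG directories from broad grants such as `home` or `host`. The sample metadata is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify the filesystem grants in Flatpak permission metadata.
# Real input would come from:
#   flatpak info --show-permissions com.discordapp.Discord
#   flatpak override --user --show com.discordapp.Discord

# Constructed sample in the keyfile format Flatpak prints (not real output).
sample_permissions() {
cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=xdg-pictures:ro;xdg-videos:ro;xdg-documents:ro;home;!xdg-download;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}

# Reads keyfile text on stdin; prints "<CLASS> <mode> <path>" per grant.
#   BROAD   = host, host-os, host-etc or home (covers dotfiles, keys, browser data)
#   SCOPED  = a single XDG directory or explicit path
#   REVOKED = entry prefixed with "!" (access removed)
audit_fs_grants() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == "filesystems" {
            n = split($2, items, ";")
            for (i = 1; i <= n; i++) {
                entry = items[i]
                if (entry == "") continue
                if (substr(entry, 1, 1) == "!") { print "REVOKED - " substr(entry, 2); continue }
                mode = "rw"                      # no suffix means read-write
                path = entry
                if (match(entry, /:(ro|rw|create)$/)) {
                    mode = substr(entry, RSTART + 1)
                    path = substr(entry, 1, RSTART - 1)
                }
                cls = (path ~ /^(host|host-os|host-etc|home)$/) ? "BROAD" : "SCOPED"
                print cls, mode, path
            }
        }'
}

# Number of broad grants; non-zero means most user data is exposed to the app.
count_broad() { audit_fs_grants | awk '$1 == "BROAD" { n++ } END { print n + 0 }'; }
```

On a real system, pipe the output of either `flatpak` command from the header comment into `audit_fs_grants`; `flatpak override --user --reset com.discordapp.Discord` drops user overrides again.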

@alexmo1997

Would it be possible to fix this by forcing discord to use the xdg filechooser portal for uploading files?

@lionirdeadman
Collaborator

It's not possible. There was an attempt to do this using zypak but this was hacky and didn't end up working out.

@alexmo1997

Which part did not work?
Forcing discord to use the xdg filechooser portal before they use an electron version that supports it or
using the filechooser portal in general as an alternative to filesystem permissions?

@lionirdeadman
Collaborator

lionirdeadman commented Mar 19, 2022

Forcing discord to use xdg filechooser in an electron version that didn't support it by hijacking signals in zypak.

Discord still doesn't ship a new enough version of Electron which supports xdg filechooser.

@alexmo1997

Oof, I didn't realize that was the case...
Hasn't xdg filechoosing been implemented since like electron 12? (we now have electron 16)
I did not realize discord shipped an ancient version of electron.
But thanks anyways, I hope discord will update its used electron version soon.

@lionirdeadman
Collaborator

Discord ships Electron 13.6.6 (yes, that does mean they're shipping a version with known CVEs which are fixed in 13.6.6+).

XDG Filechoosing came in Electron 14, I believe.

I hope they start updating Electron more often for feature, bug and security improvements because this is kinda ridiculous.

@Shelagh-Lewins

This is massively confusing for users. Can Discord at least show a meaningful message when upload fails? It was by pure chance that I found out that Discord upload succeeds if the file is in one of the magic folders. For ages I thought it just didn't work.

@different55

different55 commented Sep 14, 2022

The Discord flatpak is not official or supported. Official Discord packages don't have this flatpak-specific problem. On top of that, even for issues that do lie at Discord's official feet they've always been unwilling to fix Linux issues. As people have mentioned, they're shipping known vulnerable versions of Electron, so really they're failing to do the bare minimum for any platform. They need to update their copy of Electron and everything else will follow.

8 participants