pwsafe icon indicating copy to clipboard operation
pwsafe copied to clipboard
verified publisher icon pwsafe

can't enter or navigate to the /home/.pwsafe directory to get to my database

Open tinker2much opened this issue 1 year ago • 6 comments

I installed the flatpak of v1.18.2 on several machines. So far, I'm getting the same failure on two very different machines. It's as if it won't recognize or display the ~/.pwsafe directory at all, and that's where I have my password database. Actually (see the end of this post), the same problem exists in the v1.16 apt version.

so far tried on: A Raspberry Pi 5, 8GB, under Raspberry Pi OS Bookworm 64-bit. An Acer laptop running Debian 12, Bookworm 64-bit.

On both, on first use, I can't enter the location of my password database. I can't just type the path and filename into the box ("File or path not found"), and I can't navigate to it using the "Please choose a Database" dialog. When I click "Home" at the left, I am shown only the .local, .var, and Documents directories (I have many more directories than that - both starting with a "." and otherwise). Note: this is even having chosen "All files (.; *) at the lower right.

On the same machines, using my accustomed older version obtained from apt, it remembers the location of the database, but if I try to use the dialog, it ALSO fails to show any directory starting with "." in the left or right panes, making me wonder how I entered the location in the first place. Although, coming into the dialog with the full path to my database remembered in the initial box, it does show the .pwsafe in the sequential location tool at the top - showing home and .pwsafe in those cells.

tinker2much avatar Feb 09 '24 20:02 tinker2much

@tinker2much, this is actually security feature and not a bug. I described details at bug report https://github.com/pwsafe/pwsafe/issues/1094

Work-around solutions:

  1. Copy/move your database file .pswafe3 and/or .ibak files to $HOME/.var/app/org.pwsafe.pwsafe/config/pwsafe where is official flatpak location Password Safe program is looking into.
  2. Create e.g. new folder inside $HOME/Documents like $HOME/Documents/PasswordSafe and copy/move .pswafe3 and/or .ibak files from $HOME/.pwsafe/ directory to newly created directory.
  3. Using GUI to add permission to specific folder. a) Install Flatseal flatpak application e.g. from terminal: flatpak install com.github.tchx84.Flatseal and on left site click on Password Safe and on the right site search for the "Filesystem" section and add manually permissions you would like to set. For example at "Other files" click on "folder" icon on right and type in: ~/.pwsafe b) Close down Password Safe flatpak application and start it again. c) Now open database, and press CTRL+L to change location of top path bar and paste ~/.pwsafe and then point to your database from GUI. Using terminal to add permission to specific folder. a) Add permission to specific directory (you must use sudo): sudo flatpak override org.pwsafe.pwsafe --filesystem=~/.pwsafe b) Check permissions you have assigned manually: flatpak override --show org.pwsafe.pwsafe c) Remove all of manually added permissions (you must use sudo): sudo flatpak override --reset org.pwsafe.pwsafe

@ronys, maybe we should not close down this bug report, because I assume others may search for opened "bug" and then opening a new one. Probably some info somewhere would be nice addition.

@ronys, maybe idea in yaml file to create flatpak we should add two additional permissions like like after line 12 add two new lines: --filesystem=~./.pwsafe --filesystem=~./.config/pwsafe that are locations of Password Safe deb package files (old and new path).

igor2x avatar Feb 09 '24 20:02 igor2x

OK, I will try some one of those workarounds, thanks.

I can see this as a flatpak security measure, but I was having trouble accessing the .pwsafe folder in v1.16 as well.

tinker2much avatar Feb 09 '24 21:02 tinker2much

I'm not use about the use-case for supporting both the flatpak and 'classic' locations for PasswordSafe files. If a user already has pwsafe installed as a .deb/.rpm/... package, why would s/he switch to flatpak? And vice-versa.

ronys avatar Feb 10 '24 08:02 ronys

@ronys, I have already explained what are the benefits of flatpak in https://github.com/pwsafe/pwsafe/issues/562#issuecomment-1700899895, benefits like sandboxed app etc.

Reasons to replace deb/rpm application with flatpak app:

  1. Automatic update & upgrade. If program is installed from repository, you are force to stick with some old and probably outdated version that do not get any update. If you install program by downloading deb/rpm from web site, you are force to check regularly for updates and install them manually.
  2. User base. For example Red Hat has announced that it will not be packaging LibreOffice in RPM packages anymore and instead will help to make flatpak better. It is good to be on the boat where majority of users are from all of the Linux distributions. Why? Problems are spotted sooner and better tested and fixed.
  3. The same version and behavior in all of the distributions. I use Ubuntu on two of my home computers and Fedora on third one. I also have some of the desktop virtual machines on my work computer. Having multiple distributions and multiple versions of distributions (like having LTS at one machine and the latest release on another), I am constantly force to search and solve problems related to individual distribution and sub-version, spins/flavor etc. Each of distributions and versions have there own list of libraries versions and programs behave differently on each of the version. Linux huge fragmentation problem.
  4. I want stable system. Using deb/rpm every program you install you get potentially less stable system. You can broke something with new version of program or some other program may cause problem to your existing program. Potential stability decreases with each new program you install. Flatpaks are sandboxes and they do not effect system stability or stability of other programs.
  5. Immutable Linux distributions. I love Fedora Silverblue idea of being immutable operating system. This is just like mobile phone concept, when you update your operating system whole image is replaced as a whole, you reboot and get new image. All users on the word have exactly the same image (unless they intentionally do not upgrade). In this concept operating system and user programs must be separated. Users programs are installed as flatpak. You can still install user programs on base operating system image, but it gets layered and every time you upgrade base image (at Fedora Silverblue this is every day), your base image gets upgraded and programs installed at top of base image get installed in separate layer again and again. I have already got into the trap of fixing layered programs. But the concept is, don't layer applications, install them separately as flatpaks. There is one more way installing applications and that is installing them inside containers by yourself (docker, podman...), but you have to maintain this by yourself and majority of users do not install user programs like that, so you are on the boat that minority of users are on (I am writing for desktop application, not server applications).
  6. Not in my case, but users may use flatpak not only on x86-64 but also on aarch64. The same program, tested by many people. For example from Flathub Stats page I see some people have already installed aarch64 version of Password Safe. Because there are no official aarch64 Password Safe packages, users were up till now been forced to compile it by themself or use some other password manager program. Using one and the same beloved program on multiple platforms it just makes a lot of sense.

I am migrating all of the deb/rpm user programs to flatpak on all of my Linux distributions. Password Safe was the last program I use on daily basis. I have had a choice, create Password Safe flatpak myself or search for other password management software and migrate all of my systems to that program (and from Windows too). Why? Because I don't want to use all kind of different utilities doing the same thing on different systems, because password manager is kind of utility I want to spend in as little time as possible, because I need to work on other stuff.

In my humble opinion. Probably the simplest for the users migrating from deb/rpm to flatpak would just be to make deb/rpm paths .pwsafe and .config/pwsafe accessible, so they can quickly migrate and in this case security is not undermined at all. User using deb/rpm and switching to flatpak will have access to the same password database files. That is why I suggested in my previous post, that it would be good idea to add this two paths as flatpak file system access permission directories.

Another way is to write documentation how user can copy password database file by themself or use program like Flatseal to assign permissions by themself.

igor2x avatar Feb 10 '24 13:02 igor2x

@tinker2much, have you tried any of the solution I have provided in my first post of this bug report?

igor2x avatar Feb 10 '24 16:02 igor2x

I took your suggestions #1 ("Copy/move your database file .pswafe3 and/or .ibak files to $HOME/.var/app/org.pwsafe.pwsafe/config/pwsafe where is official flatpak location Password Safe program is looking into.") because I will be using the flatpak version more places than the regular version, so this is the best location for me to standardize on.

Thank you.

tinker2much avatar Feb 10 '24 16:02 tinker2much