Running meld in firejail sandbox

Hi all, :wave:

this is a follow-up on the topic of meld discussed here: Comparing files and folders with `meld` .

As I like to run as many programmes as possible within the firejail sandbox I tried running meld this way as well.
However it turned out that firejail hardcodes some paths as inaccessible by default for security reasons. :wink:

See discussion here.

So I wrote a script to circumvent this difficulty. ChatGPT has been of tremendous help, I have to admit. :+1:

The script aims to compare two files but without accessing the original ones.

If any of the files are edited you can still decide afterwards whether or not to exchange them for the original ones. That was my intention.

The script meld_compare.sh basically does the following:

  • Ask for the paths of the two files to be compared

  • Copy the files into a dedicated work directory. We can create a directory in /tmp or another suitable location.

  • Run meld within firejail to compare the two files.

  • Ask whether to keep or delete the copied files after you’re done.

  • Handle any necessary sudo privileges for copying files that require them.

For anyone interested here´s the script:

File: meld_compare.sh
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ #!/bin/bash
   2   │
   3   │ # script for executing meld: copying two files, comparing them and ask if the copied ones should be deleted or kept
   4   │ # with kind help of ChatGPT
   5   │ # Wed 28.8.2024
   6   │
   7   │ # Define the work directory
   8   │ WORK_DIR="/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/Ergänzungen_zu_Programmen/zu_meld/für_meld_script_copied_files"
   9   │
  10   │ # Create the work directory if it doesn't exist
  11   │ mkdir -p "$WORK_DIR"
  12   │
  13   │ # Ask for the paths of the two files to compare
  14   │ echo "Please enter the path for the first file:"
  15   │ read -r FILE1
  16   │ echo "Please enter the path for the second file:"
  17   │ read -r FILE2
  18   │
  19   │ # Check if the files exist
  20   │ if [[ ! -f "$FILE1" || ! -f "$FILE2" ]]; then
  21   │     echo "One or both of the files do not exist. Please check the paths."
  22   │     exit 1
  23   │ fi
  24   │
  25   │ # Determine if sudo is needed for copying the files
  26   │ NEED_SUDO=0
  27   │ if [[ ! -w "$WORK_DIR" || ! -r "$FILE1" || ! -r "$FILE2" ]]; then
  28   │     NEED_SUDO=1
  29   │ fi
  30   │
  31   │ # Name the copies; the 1_/2_ prefixes keep two files with the same name from overwriting each other
  32   │ BASENAME1="1_$(basename "$FILE1")"
  33   │ BASENAME2="2_$(basename "$FILE2")"
  34   │
  35   │ # Copy the files to the work directory
  36   │ if [[ $NEED_SUDO -eq 1 ]]; then
  37   │     sudo cp "$FILE1" "$WORK_DIR/$BASENAME1"
  38   │     sudo cp "$FILE2" "$WORK_DIR/$BASENAME2"
  39   │ else
  40   │     cp "$FILE1" "$WORK_DIR/$BASENAME1"
  41   │     cp "$FILE2" "$WORK_DIR/$BASENAME2"
  42   │ fi
  43   │
  44   │ # Run meld within firejail
  45   │ firejail meld "$WORK_DIR/$BASENAME1" "$WORK_DIR/$BASENAME2"
  46   │
  47   │ # Ask if the copied files should be kept
  48   │ echo "Do you want to keep the copied files in $WORK_DIR? (y/n)"
  49   │ read -r KEEP_FILES
  50   │
  51   │ if [[ "$KEEP_FILES" == "n" || "$KEEP_FILES" == "N" ]]; then
  52   │     if [[ $NEED_SUDO -eq 1 ]]; then
  53   │         sudo rm "$WORK_DIR/$BASENAME1" "$WORK_DIR/$BASENAME2"
  54   │     else
  55   │         rm "$WORK_DIR/$BASENAME1" "$WORK_DIR/$BASENAME2"
  56   │     fi
  57   │     echo "Copied files have been deleted."
  58   │ else
  59   │     echo "Copied files have been kept in $WORK_DIR."
  60   │ fi
  61   │
  62   │ # Terminate the script
  63   │ echo "Script finished."
  64   │ exit 0

The only path you´d have to modify to suit your needs is found in line 8:

For me the working directory is

WORK_DIR="/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/Ergänzungen_zu_Programmen/zu_meld/für_meld_script_copied_files".

You can either choose e.g. /tmp/meld_work_dir or anything else that suits you better.
For surviving reboots (i.e. to retain the copied files) using /tmp is not advisable, of course.

Explanation:

  • WORK_DIR: This is the temporary directory where the files will be copied. It’s set to /tmp/meld_work_dir, but you can change it if you prefer another location.
  • File existence check: Before copying, the script checks if the files exist.
  • sudo check: The script checks if it has write permissions to the work directory and read permissions to the files. If not, it uses sudo to copy the files.
  • firejail: The script runs meld within the firejail sandbox using the meld.profile.
  • File retention: After meld is done, the script asks if you want to keep or delete the copied files.
  • Cleanup: Depending on your choice, the copied files are either kept or deleted, and then the script terminates.

Usage:

  1. Save the script to a file, e.g., meld_compare.sh.
  2. Make it executable: chmod +x meld_compare.sh.
  3. Run the script: ./meld_compare.sh.

To be clear: The script primarily caters for the use case of running meld in firejail without any limitations.
For running it outside the sandbox this workaround is not needed.

Hope it´s some kind of help for any firejail advocates.

Many greetings from Rosika :slightly_smiling_face:

3 Likes
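An added example, not part of the original post: a variant of the staging step that copies into a fresh private directory and, after the meld session, reports which copies were edited, which is the point where the post leaves the decision about the originals to you. The function names and the `STAGE_PARENT` variable are hypothetical; the example assumes `STAGE_PARENT` (default `$HOME`) is a directory the sandbox profile leaves visible.

```shell
#!/bin/bash
# Added example (function names and STAGE_PARENT are hypothetical, not from the post).

# Copy two files into a fresh private directory and print its path.
# mktemp -d gives the directory mode 0700 and an unpredictable name, which matters
# in shared locations such as /tmp where a fixed name can be pre-created or symlinked.
stage_pair() {
    stage_dir=$(mktemp -d "${STAGE_PARENT:-$HOME}/meld_stage.XXXXXX") || return 1
    # 1_/2_ prefixes keep two files with the same name from overwriting each other.
    if cp -- "$1" "$stage_dir/1_$(basename -- "$1")" &&
       cp -- "$2" "$stage_dir/2_$(basename -- "$2")"; then
        printf '%s\n' "$stage_dir"
    else
        rm -rf -- "$stage_dir"
        return 1
    fi
}

# Print 1 and/or 2 for each staged copy that now differs from its original.
# usage: changed_copies STAGE_DIR ORIG1 ORIG2
changed_copies() {
    cmp -s -- "$2" "$1/1_$(basename -- "$2")" || echo 1
    cmp -s -- "$3" "$1/2_$(basename -- "$3")" || echo 2
}

# Full session: stage, compare inside firejail, then keep only what was edited.
compare_in_sandbox() {
    dir=$(stage_pair "$1" "$2") || { echo "staging failed" >&2; return 1; }
    firejail meld "$dir/1_$(basename -- "$1")" "$dir/2_$(basename -- "$2")"
    edited=$(changed_copies "$dir" "$1" "$2")
    if [ -n "$edited" ]; then
        # $edited is left unquoted so "1" and "2" print on one line.
        echo "Edited copies (originals untouched) kept in $dir:" $edited
    else
        rm -rf -- "$dir"    # nothing changed, nothing worth keeping
    fi
}

# Run a session only when the script is given two file arguments.
if [ "$#" -eq 2 ]; then
    compare_in_sandbox "$1" "$2"
fi
```
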

I think that is a good way to work, even if you do not use meld inside firejail.
For important files any merging or editing would be safer that way.
and
I would hope that meld is a safe program not requiring a sandbox… it does come from inside the package system.
on the other hand
any program that uses X11 for graphic display is less safe than a CLI command

1 Like

@nevj :

Hi Neville, :wave:

thanks for your feedback.

Yes, my thoughts exactly.

I´m sure there´s nothing wrong with running meld the “normal way”, i.e. outside the sandbox.

I was thinking: as long as firejail ships with a dedicated meld.profile, why not make use of it.
Maybe I´m a bit paranoid in sandboxing almost everything at my disposal but taking advantage of an existing worthwhile technology may prove to be beneficial. :wink:

Thanks for pointing it out, Neville. :+1:

I was already referring to the background of my post, but here´s a practical example of the original calamity:

I issued the command

firejail meld /home/rosika/.config/firejail/meld.local /home/rosika/.config/firejail/meld.profile .

So the two files I wanted meld to compare are residing in ~/.config/firejail.

Here´s the graphical output of it:

glitsj16 from firejail discussions/help came up with the explanation to it and pointed out:

Firejail hardcodes some paths as inaccessible by default for security reasons.

Pretty sure ~/.config/firejail is one of those. I can see how this would be awkward for a diff tool like meld, but perhaps you can temporarily move whatever you need to diff out of ~/.config/firejail into ~/Downloads for example.

The script aims to be a simpler solution to that. :wink:

Many greetings from Rosika :slightly_smiling_face:

1 Like