Disable Tracker (the GNOME desktop search provider) by default #8372
Labels: C: templates, P: default, T: enhancement
DemiMarie added the T: enhancement and P: default labels on Jul 28, 2023
What is Tracker? It is not obvious from the issue. Is it part of GNOME or Fedora?
@jamke Tracker is the GNOME desktop search provider. It's used primarily by GNOME applications.
I see, thank you. I am not using GNOME stuff, and have been manually creating KDE-based templates from fedora-minimal for years, so I have never heard of Tracker. I was afraid it was something from future Fedora versions.
andrewdavidwong changed the title from "Disable Tracker by default" to "Disable Tracker (the GNOME desktop search provider) by default" on Aug 1, 2023
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue on Aug 1, 2023:
Tracker has several problems that make it ill-suited to Qubes OS:

- It parses untrusted email attachments downloaded to ~/Downloads, as well as the contents of several other directories. The parsing code is written in C and so may have memory corruption vulnerabilities. A remote code execution flaw in Tracker could be exploited by a malicious email attachment, even if the user would have only ever opened that attachment in a disposable VM.
- It uses a nontrivial amount of memory (61.8MB in one test). This is significant when multiplied by the number of qubes running at a time.
- Tracker is normally used by GNOME Shell, GNOME Photos, and other GNOME applications, but (to the best of my knowledge) no application that uses Tracker is frequently used in Qubes OS. This is very different from a default Fedora install, where Tracker provides desktop search in GNOME Shell and therefore provides a much larger benefit to the user.

For these reasons, disable Tracker by default. It can be re-enabled via

    $ qvm-service VMNAME enable tracker

where VMNAME is the name of the qube in which Tracker should run.

Fixes: QubesOS/qubes-issues#8372
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue on Aug 2, 2023 (same commit message as above).
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue on Aug 2, 2023 (same commit message as above).
marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue on Aug 8, 2023:
Contrary to initial tests, disabling those does break some applications. So, do not disable them by default in AppVMs. But keep them disabled in system VMs, as user applications are not expected there. QubesOS/qubes-issues#8372
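The two commits above settle on a per-qube policy: Tracker stays on in AppVMs, stays off in system VMs, and an explicit qvm-service setting wins either way. The sketch below is an added example of that decision logic, not code from qubes-core-agent-linux; it assumes a constructed flag-file convention (SERVICE_DIR holds a file named after the service, "1" enabled, "0" disabled, absent means "use the default"), and the qube role is passed in as a string rather than read from qubesdb.

```shell
#!/bin/sh
# Added example (not qubes-core-agent-linux code): decide whether Tracker
# should start in a qube from the qube's role and an explicit qvm-service flag.
# Assumed convention (constructed for this example): SERVICE_DIR holds one flag
# file per service; "1" means enabled, "0" disabled, absent means "default".
SERVICE_DIR="${SERVICE_DIR:-/tmp/qubes-service-example}"

# tracker_policy ROLE
#   ROLE is "app" (user-facing AppVM/DispVM) or "sys" (sys-net, sys-usb, ...).
#   Prints the decision and its reason; returns 0 when Tracker should run.
tracker_policy() {
  role="$1"
  flag="$SERVICE_DIR/tracker"
  if [ -f "$flag" ]; then
    # An explicit qvm-service enable/disable overrides any default.
    case "$(cat "$flag")" in
      1) echo "on (explicitly enabled via qvm-service)"; return 0 ;;
      0) echo "off (explicitly disabled via qvm-service)"; return 1 ;;
    esac
    # Unexpected content falls through to the role default.
  fi
  # No explicit setting: AppVMs keep Tracker because disabling it broke some
  # desktop applications; system VMs run no user applications, so the C parser
  # and its memory cost are pure attack surface there.
  case "$role" in
    app) echo "on (AppVM default)"; return 0 ;;
    *)   echo "off (system VM default)"; return 1 ;;
  esac
}

# set_tracker_flag 1|0|default
#   Simulates "qvm-service VMNAME enable|disable tracker" (or clearing it) by
#   writing or removing the constructed flag file.
set_tracker_flag() {
  mkdir -p "$SERVICE_DIR"
  if [ "$1" = default ]; then
    rm -f "$SERVICE_DIR/tracker"
  else
    printf '%s\n' "$1" > "$SERVICE_DIR/tracker"
  fi
}
```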
The problem you're addressing (if any)
Tracker has significant attack surface: Thunderbird downloads untrusted email attachments to ~/Downloads, which then get parsed by Tracker. If there is an RCE in Tracker, this could be exploited even if the user would have only viewed the file in a disposable VM. Furthermore, Tracker used 61.8MB of RAM in one of my disposable VMs even though it was doing nothing useful.
The solution you'd like
Tracker should be disabled by default, and controlled via qvm-service.
The value to a user, and who that user might be
All users will benefit from less attack surface and lower memory requirements.
Related to #7028.