How to write a Thumbnailer for files with external dependancies (.scad files for 3d Printing)

I’ve taken up 3d printing as a hobby, and so in short order had hundreds of little files sitting around of various works in progress. STLs, 3mf’s, gcode files, and scad files to name a few. I found someone’s github project to thumbnail STL files, and discovered how gnome’s plug-able thumbnailers work.

How cool, I thought. I found someone else’s thumbnailer example for gcode and that worked a treat too. And then I got greedy. Why should I ever have a vanilla icon again if I can make thumbnails. THUMBNAIL EVERYTHING. that hammer is golden after all…

When I couldn’t find one for 3mf, I remembered that 3mf files are just a zipfile, and contain a preview image already. I wrote my first ever thumnailer from scratch, that’s just a oneline script to use unzip to pull out that preview image.

Then I took on scad files and here is where I ran into a snag.

STLs are a self contained mesh (array of tangential triangles in 3 dimensional space.)
gcode is machine instructions for where to squirt out plastic and how fast
3mf’s are assemblies of STL files on a 2 dimensional plate, with some instructions for custom printting

SCAD files however, are scripts that can generate STL files. Most of the time they have default values sufficient to immediately render something when you open them. And I found a command line to do just that.

more or less:
/usr/bin/openscad --imgsize=%s,%s -o %o %i

But here’s the snag. Unlike STLs, gcode, and 3MF, because scad files are ‘programs’ they often ‘include’ other scad files, or standard libraries. And when the thumbnailer executes it’s in some sort of chroot jail. the included files aren’t available to it in the jail, and so the renders, frustratingly fail.

Is there a way to disable this chroot for one specific thumbnailer? or do I need to expand on my thumbnailer script to have it, itself parse out what includes are needed, and copy then into the jail or something else?

I assume this is a problem thats been seen before. For instance, some types of word processor documents can embed images by URL or filepath, so your .doc file doesn’t become rediculously large for example.

What’s the right way to write a thumbnailer for a file type with external dependencies?

This post was flagged by the community and is temporarily hidden.

It’s not a “chroot”: it’s a full sandbox. The thumbnailer process is executed in an environment that only has access to the file that can generate the thumbnail. The environment is set up prior to executing the thumbnailing process, so you cannot “copy” files into the sandbox—or out of it.

There’s really no way to implement what you want, at the moment.

You can file a new issue asking for the ability for a thumbnailer to “relax” the sandbox.

You can thank the security freaks here who are paranoid about any plugin code.

Thumbnailers are sandboxed for a reason. They’ll happily parse any file on your disk without any user intervention, including files that your web browser might download automatically without asking for permission. It’s really not OK to run these unsandboxed.

Maybe we should mount the entire directory in the sandbox, instead of only the current file. It’s less secure, sure, but you’re not the first person to ask for this. Are the external files that you require always in the same directory?

Beyond that, I’m not sure. Allowing thumbnailers to completely disable the sandbox or allow themselves to mount arbitrary paths doesn’t sound appealing.

Indeed. Sometimes they are so busy fear mongering and fantasizing about clever names for a 0-day they haven’t yet discovered, that they forget job #1 of a computer is to do what the user needs it to do. Security must not ever be prioritized over function, because if it were, if they were genuinely sincere, we’d just cut the power cords and go home. All security vulnerabilities exploit moving electrons after all.

Pardon me while I go register for my 0-day announcement…

Unfortunately no. We can’t rely on that. There are a number of “standard libraries” that are often imported with openscad, and I’m sure other file formats are similar. The definition of a .thumbnailer file should include what types of sandboxing are appropriate. I’ll work on a feature request for that.

Agreed. But it must be allowed if the user so requests, until such time that a solution more pleasing to the developers comes along. We have to assume users are mature adults with the personal agency to decide what risks they wish to take. To drive a car, or own a gun, or (gasp) turn on a computer.

I’ve been a happy user of selinux=enforcing for years. It’s great security, and it should be on by default, but I’d never tolerate a distribution that didn’t allow me to turn it off.

I’d almost be on board with saying every file format needs to generate its own thumbnail at time of save and embed that into the file being saved for later retrieval by thumbnails. But the beauty of openscad files is they are just text files. I have literally written php scripts to generate openscad files, which generate STLs, …

I’ve also contemplated writing a cronjob to find and make thumbnails for every .scad file in my homedir, and save those off to somewhere in /tmp for the .thumbnailer to come along later and use, but I doubt that would get through the sandbox either.

I get it. It would be dangerous, if say, we had a thumbnailer for .sh files and the thumbnail was the stdout of the process in comic sans, or if .html files were thumbnailed in a way that caused outbound connections. Disabled by default, is fine. But only if we remember that “by default” leaves room to respect a user’s choice.

But then if you thumbnail a file in /home/user, it just gets access to all user files anyway. Not much point to a sandbox then.

Please let us not go back to the “user maybe does not need security” attitude of the late 90s. This is exactly the wrong time to be doing that: Linux malware on a rise reaching all-time high in H1 2022 - Atlas VPN

In general, if it is impossible to build a function in a secure and responsible way, then that function should probably not be built in the first place. So, there are actually circumstances where security must be prioritized over function. There is no point to giving the user a choice between a very bad option and an even worse option.

1 Like

False Dichotomy. Mother dearest.

Except that’s circular logic. Just saying we can’t do that’s why we can’t… That’s not how to make a logical argument.

Rephrasing/repeating is not the same as making a clear logical argument.

There happens to be a chasm of nuance between what we have now and “forget about all security”.

It is dishonest to say that security must always be the first priority and still use a computer at all.

Okay, the issue has been solved, and now we’re just degenerating. People can go and argue on the security/usability spectrum somewhere else.