Search

Ubuntu 18.04 - Solve Nautilus 3.26.4+ external thumbnailers problem

Contents[Hide]

dropcap nautilus

Since latest Nautilus 3.26.4, most external thumbnailers are not working anymore under Ubuntu 18.04 or 18.10.

I realized the problem when my LibreOffice and MsOffice thumbnailers stopped to work.

Why ? Because, since few months, some Nautilus external thumbnailers vulnerabilities have come to light (gnome-exe-thumbnailer for example).

As a result, Gnome Shell team has decided to harden thumbnails generation when using external thumbnailers.

First hardening steps have come with Nautilus 3.26.4, where all external thumbnailers are not called directly but thru bwrap, the bubblewrap project sandboxing tool.

Default bwrap options used by Nautilus appear to work fine under Fedora, but fail badly under Ubuntu and Debian based distros.

This short article explains how to reactivate Nautilus external thumbnails generation under Ubuntu Bionic 18.04 and Cosmic 18.10. You should get back thumbnails generation as they were working with previous versions of Nautilus.

If you don't need all the explanations and just want to get your thumbnails back, you can jump directly to Complete Installation Procedure.

1. Short explanation

Since version 3.26.4, Nautilus makes every external thumbnailer call thru a sandboxing tool called bwrap from bubblewrap project.

bubblewrap project has come with flatpak project. It's a very simple and efficient sandboxing solution.

It works by creating a new, completely empty, mount namespace where the root is on a tmpfs that is invisible from the host. Thru its commandline, you can construct the root filesystem, process environment variables and run a command in this protected namespace.

Here is the command that Nautilus uses when calling an external thumbnailer :

Terminal
# bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind /lib64 /lib64 --proc /proc --dev /dev --symlink usr/bin /bin --symlink usr/sbin /sbin --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-TG9VTZ /tmp --ro-bind /home/myhome/Documents/test.odt /tmp/gnome-desktop-file-to-thumbnail.odt --seccomp 29 /usr/local/sbin/lo-thumbnailer /tmp/gnome-desktop-file-to-thumbnail.odt /tmp/gnome-desktop-thumbnailer.png 256

After some research, I realised that this command seems to works fine on Fedora distro, but it fails badly on Ubuntu 18.04 or 18.10.

In fact, problem comes from the /bin and /usr/bin directories which are not merged under Debian based distros.

So, these options are problematic :

  • --symlink usr/bin /bin
  • --symlink usr/sbin /sbin

Under Ubuntu they need to be replaced with :

  • --ro-bind /bin /bin
  • --ro-bind /sbin /sbin

As a result, Nautilus external thumbnailer call should ressemble something like this under Ubuntu 18.04 :

Terminal
# bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind /lib64 /lib64 --proc /proc --dev /dev --ro-bind /bin /bin --ro-bind /sbin /sbin --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-TG9VTZ /tmp --ro-bind /home/myhome/Documents/test.odt /tmp/gnome-desktop-file-to-thumbnail.odt --seccomp 29 /usr/local/sbin/lo-thumbnailer /tmp/gnome-desktop-file-to-thumbnail.odt /tmp/gnome-desktop-thumbnailer.png 256

2. Solution proposed

To get a solution that works with every external thumbnailer, we need to patch Nautilus call to bwrap to replace --symlink options with equivalent --ro-bind options.

One more thing to do is to add 2 more binding options to :

  • /etc/alternatives to allow the use of imagemagick tools (often used by thumbnailers)
  • /var/cache/fontconfig to speed up text rendering

As I didn't want to handle any compilation job, I decided to take advantage of Ubuntu standard $PATH where /usr/local is checked before /usr.

So, solution is to write a /usr/local/bin/bwrap wrapper script that is in charge of setting up proper options before calling original /usr/bin/bwrap. It does 3 simple things :

  1. parse all parameters and replace --symlink options by --ro-bind options
  2. add two more --ro-bind options on /etc/alternatives and /var/cache/fontconfig to allow the use of imagemagick tools
  3. call original /usr/bin/bwrap

/usr/local/bin/bwrap
#!/bin/bash
# bwrap wrapper to correct nautilus 3.26.4+ bug for external thumbnailers under debian based distros
#  * add --ro-bind needed by imagemagick tools
#  * replaces --symlink calls with equivalent --ro-bind calls

# intialise parameters array
ARR_PARAM=( )

# add both --ro-bind needed by thumbnailers using imagemagick tools
[ -d "/etc/alternatives" ] && ARR_PARAM=( "${ARR_PARAM[@]}" "--ro-bind" "/etc/alternatives" "/etc/alternatives" )
[ -d "/var/cache/fontconfig" ] && ARR_PARAM=( "${ARR_PARAM[@]}" "--ro-bind" "/var/cache/fontconfig" "/var/cache/fontconfig" )

# loop thru original parameters
while test $# -gt 0
do
    case "$1" in
        # --symlink : convert to --ro-bind
        "--symlink") shift; shift; ARR_PARAM=( "${ARR_PARAM[@]}" "--ro-bind" "$1" "$1" ); shift; ;;
        # others : add parameter
        *) ARR_PARAM=( "${ARR_PARAM[@]}" "$1" ); shift; ;;
    esac
done

# call original bwrap
/usr/bin/bwrap "${ARR_PARAM[@]}"

From now onward, Nautilus will call transparently /usr/local/bin/bwrap wrapper instead of /usr/bin/bwrap to generate external thumbnails.

3. Complete Installation Procedure

Wrapper script to solve Nautilus 3.26.4+ external thumbnails generation bug is available from my GitHub account.

You just need to download it and to mark it as executable :

Terminal
# sudo wget -O /usr/local/bin/bwrap https://raw.githubusercontent.com/NicolasBernaerts/ubuntu-scripts/master/nautilus/bwrap
# sudo chmod +rx /usr/local/bin/bwrap

You also need to purge all failed thumbnails cache to force Nautilus to generate thumbnails again :

Terminal
# rm --recursive --force $HOME/.cache/thumbnails/*

Your thumbnails should be back …

 

Hope it helps !

Signature Technoblog

This article is published "as is", without any warranty that it will work for your specific need.
If you think this article needs some complement, or simply if you think it saved you lots of time & trouble,
just let me know at This email address is being protected from spambots. You need JavaScript enabled to view it.. Cheers !

icon linux icon debian icon apache icon mysql icon php icon piwik icon googleplus