Ubuntu
snapd-glib package

[MIR] snapd-glib

Bug #1620159 reported by Robert Ancell
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd-glib (Ubuntu)
Fix Released
Wishlist
Unassigned

Bug Description

[Availability]
In Universe.

[Rationale]
Required to get non-root snapd working in gnome-software (bug 1616943) and for further gnome-software improvements. Also expected to be used by other projects to access snapd.

[Security]
Provides a root D-Bus service that uses Polkit for authorization. The rest of the API just wraps the snapd API and thus is dependent on snapd being secure.

[Quality assurance]
Follows standard procedures for a GLib based library.

[Dependencies]
Basic GNOME depdencies, all in main currently.

[Standards compliance]
Packaging meets current standards.

[Maintenance]
Will be maintained by Ubuntu desktop team.

See original description
Robert Ancell (robert-ancell)
Changed in snapd-glib (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Will Cooke (willcooke)
Changed in snapd-glib (Ubuntu):
importance: Wishlist → High
importance: High → Wishlist
Revision history for this message
Michael Terry (mterry) wrote :

Fine from a packaging POV. But with a root daemon, even a tiny proxy one, it should still have a security check.

Changed in snapd-glib (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Robert Ancell (robert-ancell)
description: updated
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed snapd-glib version 0.14-0ubuntu1 as checked into yakkety. This
shouldn't be considered a full security audit; in fact, it was entirely
too hasty due to external time pressures.

Most calls appeared to check for error returns. I found a few instances
that didn't:

- send_request() doesn't check error return from
  snapd_auth_data_get_macaroon() but hands the result directly to
  g_string_append_printf(); 'Macaroon root="(null)"' is the possible
  outcome. Is this tolerable?

- send_request() doesn't check error return from
  snapd_auth_data_get_discharges() but hands the result directly to a
  for loop that will sigsegv

It's an insane pity this handles HTTP directly. Chunked encoding has
been the source of many vulnerabilities. Maybe investigate if a library
such as yahttp or other choices are available to outsource the potential
trouble. This is probably not a big deal here, since the point is to talk
to a more-privileged tool. Still, HTTP is subtle.

I'd like to spend more time reviewing this in the next cycle, but I think
in the meantime we can accept it for yakkety without undue risk.

Security team ACK for promoting snapd-glib to main.

Thanks

Changed in snapd-glib (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Michael Terry (mterry)
Changed in snapd-glib (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Robert Ancell (robert-ancell) wrote :

SnapdAuthData should always contain a valid Macaroon and discharges. It's created in three possible ways:
- On the result of a v2/login request
- On the result of a D-Bus call to snapd-login-service
- By the user

In normal operation it shouldn't be possible to have an invalid SnapdAuthData, but I'll add some more checks at creation time to confirm macaroon != NULL and some checks when reading to handle a NULL discharges (which is a valid empty string array in GObject).

Yeah, the manual HTTP code is a pain. As mentioned in the code this is because libsoup doesn't support Unix sockets (https://bugzilla.gnome.org/show_bug.cgi?id=727563). I decided to use as much of libsoup as possible and not another library because:
- We only talk to snapd using this code - so a corrupt call shouldn't be much higher risk than a malicious program accessing snapd directly.
- Other libraries are not likely to match well with existing GObject code.
- I don't want to add an additional dependency.
- I hold out hope that libsoup will support this case in the future and we can drop our manual code. (I like to dream...)

Revision history for this message
Robert Ancell (robert-ancell) wrote :

SnapdAuthData fixes in revisions 148-149.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Robert; if you've got login privs on the gnome bugzilla please consider adding a comment to let them know they'd have a consumer for Unix socket HTTP if they implemented it. (It seems like a funny thing to miss, we're surely not the first nor the last to want this.)

Thanks

Revision history for this message
Matthias Klose (doko) wrote :

Override component to main
snapd-glib 1.2-0ubuntu2 in zesty: universe/libs -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty amd64: universe/libs/optional/100% -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty arm64: universe/libs/optional/100% -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty armhf: universe/libs/optional/100% -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty i386: universe/libs/optional/100% -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty powerpc: universe/libs/optional/100% -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty ppc64el: universe/libs/optional/100% -> main
gir1.2-snapd-1 1.2-0ubuntu2 in zesty s390x: universe/libs/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty amd64: universe/libdevel/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty arm64: universe/libdevel/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty armhf: universe/libdevel/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty i386: universe/libdevel/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty powerpc: universe/libdevel/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty ppc64el: universe/libdevel/optional/100% -> main
libsnapd-glib-dev 1.2-0ubuntu2 in zesty s390x: universe/libdevel/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty amd64: universe/libs/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty arm64: universe/libs/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty armhf: universe/libs/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty i386: universe/libs/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty powerpc: universe/libs/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty ppc64el: universe/libs/optional/100% -> main
libsnapd-glib1 1.2-0ubuntu2 in zesty s390x: universe/libs/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty amd64: universe/admin/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty arm64: universe/admin/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty armhf: universe/admin/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty i386: universe/admin/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty powerpc: universe/admin/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty ppc64el: universe/admin/optional/100% -> main
snapd-login-service 1.2-0ubuntu2 in zesty s390x: universe/admin/optional/100% -> main
29 publications overridden.

Changed in snapd-glib (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.