Behavior difference with file permissions between focal and jammy

Bug #1981546 reported by Alberto Donato
Affects: snapd
Status: Confirmed
Importance: High
Assigned to: Unassigned

Bug Description

With the maas 3.2 snap (core20-based) we noticed a difference in behavior when running on focal and jammy (tested in containers).

The snap has the `home` plug. On focal (20.04 LTS), an app running as root can read root-owned files in other users' homes, while when running on jammy (22.04 LTS), that's not possible anymore:

# echo test > /home/ubuntu/testfile
# echo test > /home/ubuntu/testfile2
# chown ubuntu.ubuntu /home/ubuntu/testfile2
# ls -l /home/ubuntu/testfile*
-rw-rw-r-- 1 ubuntu ubuntu 5 Jul 12 13:44 /home/ubuntu/testfile
-rw-rw-r-- 1 root root 5 Jul 12 13:44 /home/ubuntu/testfile2
# snap install maas --channel=3.2

# focal host
root@f:~# snap run --shell maas -c 'cat /home/ubuntu/testfile'
cat: /home/ubuntu/testfile: Permission denied
root@f:~# snap run --shell maas -c 'cat /home/ubuntu/testfile2'
test

# jammy host
root@j:~# snap run --shell maas -c 'cat /home/ubuntu/testfile'
cat: /home/ubuntu/testfile: Permission denied
root@j:~# snap run --shell maas -c 'cat /home/ubuntu/testfile2'
cat: /home/ubuntu/testfile2: Permission denied

Sergio Cazzolato (sergio-j-cazzolato) wrote :

Thanks for raising it.

Changed in snapd:
status: New → Confirmed
importance: Undecided → High
Alex Murray (alexmurray) wrote :

I suspect this is due to the private home dirs in Ubuntu 22.04 (https://ubuntu.com/blog/private-home-directories-for-ubuntu-21-04, which then also applies to 22.04). I am not sure there is much snapd can / should try and do about this.

Michael Vogt (mvo) wrote :

@alex Thanks for your comment here. Does that mean that on "focal", when switching /home/ubuntu in the scenario that Adam describes, we see the same DENIAL?

I guess it's unclear to me how "owner" interacts with the /home permissions here, is there something I can read up on?

Alex Murray (alexmurray) wrote :

The other thing to look at here would be using home with `read: all` (https://snapcraft.io/docs/home-interface), since I now suspect this may be a lack of capability dac_override / owner etc. in the apparmor profile. However, what I am not sure about is why this would have changed between focal and jammy. But if maas can try changing its home plug to include read: all, it would be interesting to know if it helps.
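
The following script is an added example for this thread, not code from the bug report, from maas or from snapd. It models the plain DAC (permission-bit) check that applies to a process whose confinement grants neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH, which is the capability hypothesis raised above: without those capabilities even uid 0 needs the search (x) bit on every directory on the path and the read (r) bit on the file, each judged by the owner/group/other class that applies. Run against the reproduction in the description, it explains the root-owned testfile2 case (readable through a 0755 home, denied through a 0750 one); the denial of the ubuntu-owned testfile on both releases is the interface's owner-matching AppArmor rule, which this script does not model. The home directory modes 0755 (focal) and 0750 (jammy, "private home directories") are the adduser defaults of those releases, the caller uid/gid 424242 is a constructed placeholder that matches no owner, and supplementary groups are ignored; all of these are assumptions of the example, not statements from the page.

```shell
#!/bin/sh
# Added example, not code from the bug report or from snapd. It models the
# DAC check a process is subject to when its confinement grants neither
# CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH (the hypothesis raised in the
# thread): even uid 0 then needs the search (x) bit on every directory on
# the path and the read (r) bit on the file, evaluated for whichever
# owner/group/other class applies to it. Supplementary groups are ignored.

# Print the permission digit (0-7) that applies to caller C_UID/C_GID for PATH.
perm_digit_for() {
    c_uid=$1; c_gid=$2; p=$3
    # GNU stat: numeric owner, numeric group, octal mode without leading zero
    set -- $(stat -c '%u %g %a' "$p")
    f_uid=$1; f_gid=$2; mode=$3
    if [ "$c_uid" -eq "$f_uid" ]; then
        echo $(( mode / 100 % 10 ))   # owner class
    elif [ "$c_gid" -eq "$f_gid" ]; then
        echo $(( mode / 10 % 10 ))    # group class
    else
        echo $(( mode % 10 ))         # other class
    fi
}

# Return 0 if caller W_UID/W_GID can read FILE through every directory from
# its parent up to and including BASE using plain DAC; print the first
# obstacle otherwise and return 1.
can_read_without_dac_caps() {
    w_uid=$1; w_gid=$2; base=$3; file=$4
    dir=$(dirname "$file")
    while :; do
        if [ $(( $(perm_digit_for "$w_uid" "$w_gid" "$dir") & 1 )) -eq 0 ]; then
            echo "DENY: no search (x) bit for caller on $dir (mode $(stat -c '%a' "$dir"))"
            return 1
        fi
        [ "$dir" = "$base" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    if [ $(( $(perm_digit_for "$w_uid" "$w_gid" "$file") & 4 )) -eq 0 ]; then
        echo "DENY: no read (r) bit for caller on $file"
        return 1
    fi
    echo "ALLOW: $file"
}

# Constructed reproduction of the report (assumed layout): adduser creates
# homes 0755 on focal and 0750 on jammy ("private home directories"); each
# copy holds a world-readable file. Caller uid/gid 424242 is a placeholder
# that matches neither the directory nor the file owner, so it is evaluated
# as "other", exactly as root is on a directory owned by ubuntu. Returns 0
# when the focal layout allows the read and the jammy layout denies it.
demo_private_home() {
    tree=$(mktemp -d)
    chmod 755 "$tree"
    mkdir -p "$tree/focal/ubuntu" "$tree/jammy/ubuntu"
    chmod 755 "$tree/focal" "$tree/jammy" "$tree/focal/ubuntu"
    chmod 750 "$tree/jammy/ubuntu"
    echo test > "$tree/focal/ubuntu/testfile2"
    echo test > "$tree/jammy/ubuntu/testfile2"
    chmod 644 "$tree/focal/ubuntu/testfile2" "$tree/jammy/ubuntu/testfile2"
    if can_read_without_dac_caps 424242 424242 "$tree" "$tree/focal/ubuntu/testfile2"; then
        focal=0
    else
        focal=1
    fi
    if can_read_without_dac_caps 424242 424242 "$tree" "$tree/jammy/ubuntu/testfile2"; then
        jammy=0
    else
        jammy=1
    fi
    rm -rf "$tree"
    [ "$focal" -eq 0 ] && [ "$jammy" -eq 1 ]
}

# Run the demonstration when invoked as: sh check_home_dac.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_private_home && echo "focal layout readable, jammy layout denied: matches the report"
fi
```

To apply the check to a live host, point `can_read_without_dac_caps` at the real path, e.g. `can_read_without_dac_caps 0 0 /home /home/ubuntu/testfile2`: a DENY on the home directory itself, with mode 750, is the private-home-directory effect and is independent of anything in the snap's profile, so widening the home plug cannot change it.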

Alberto Donato (ack) wrote :

@Alex, is this done by just setting:

plugs:
  home:
    read: all
  # ... (other plugs)

in the snapcraft.yaml?

Also, in that link it's mentioned that this way the plug wouldn't autoconnect. Can the autoconnect still be granted by the store?

Samuele Pedroni (pedronis) wrote :

@ack

is the issue still present?

> Also, in that link it's mentioned that this way the plug wouldn't autoconnect. Can the autoconnect still be granted by the store?

yes

Alberto Donato (ack) wrote :

Sorry for the delay.

I tested again and the behavior persists.

I also tested building a snap with the `read: all` config on the home plug, but it seems to make a difference; the behavior is the same as initially described.
