Add a dotfiles / hidden files interface

Bug #1607067 reported by Leon on 2016-07-27
This bug affects 15 people
Affects: snapd; Importance: Undecided; Assigned to: Unassigned
Affects: snapd (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

It would be nice to have an interface to allow accessing hidden files / dotfiles.

tags: added: snapd-interface
Christian Dywan (kalikiana) wrote :

It would seem pointless to have this restriction on "home" if it was only another interface away to get to those files: as I understand it, dot files are assumed to contain sensitive information and therefore excluded, so I can sleep well knowing that nothing would read my .ssh for example just because it's using the "home" interface.

That said, I did run into this, and had to tweak some environment variables because things like .config and .bash_history are not readable. And it's not a huge problem - it's mainly an issue of discoverability. Users of my snap need to know where to find or put files.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Matthew Williams (mattyw) wrote :

This bug was mentioned in this thread on the list https://lists.ubuntu.com/archives/snapcraft/2016-August/000854.html

It's not strictly snappy related, but is snap related. It's hard to write snaps for editors like vim/emacs etc. as these would be expected to have access to all files in home, even hidden files.

I think it's reasonable to have parameters on the home interface, which allow us to expand the range of files to which particular snaps have access.

Mark

Tom Haddon (mthaddon) wrote :

This would be useful also for codetree as we need to be able to read git and bazaar credentials that the user may have so that codetree can be used for non-public code.

Changed in snappy:
status: New → Confirmed
Leo Arias (elopio) on 2017-06-02
tags: added: isv
Jamie Strandboge (jdstrand) wrote :

Gustavo, what are your thoughts on this?

affects: snappy → snapd
Juergen Smolka (jsmolka) wrote :

It is pretty common to have hidden (dotted) config files in the user's home.

+++ I think the home interface should deal with that! +++

hackel (hackel) wrote :

This bug is nearly 2 years old and severely limiting the usability of snap packages. Since I know Canonical is pushing snaps crazy hard, I would have expected some movement on this sooner. This needs to be a priority.

You can't expect average desktop users to know how to either install a snap in devmode, or symlink their dotfiles from the snap app's directory. For the rest of us, this is just tedious and unnecessary.

Perhaps a better solution for things like SSH keys would be to deny access to 600 mode files or something?

Zygmunt Krynicki (zyga) wrote :

Hello. Sorry for the lag, we have a few bugs and feature requests and just a handful of hands to make them all fixed. We have added one pair of interfaces, specifically for ssh keys (public and private) as a pair of interfaces. I don't think we will add a generic "this dot file" interface but we can easily add a dedicated one (for a specific dot file) because this has measurable security impact and can be appropriately gated.

I would prefer to close this bug and open one for a specific new interface. Such an interface can be implemented and tested in about an hour.

Josh Holland (anowlcalledjosh) wrote :

> I don't think we will add a generic "this dot file" interface but we can easily add a dedicated one (for a specific dot file) because this has measurable security impact and can be appropriately gated.

Even if you disregard text editors, how are you expecting tools like Shellcheck[1] to be able to function as snaps? I'd like to check various files (.bashrc, .bash_profile, .profile, .bash_logout, and those are just the relatively standard ones) with Shellcheck, but if I use the snap, I can't, and it sounds like you're not interested in changing this.

Should I just not be using the Shellcheck snap?

[1]: https://www.shellcheck.net/

Gustavo Niemeyer (niemeyer) wrote :

There's some further discussion about the topic of this PR here:

https://forum.snapcraft.io/t/access-to-specific-hidden-file-path-in-users-home/6948/8

Josh, we're researching a way to solve problems similar to the ones you describe. It's still not ready for prime time, but I believe we should be able to address that.

Michael Vogt (mvo) wrote :
Changed in snapd:
status: Confirmed → In Progress
Changed in snapd (Ubuntu):
status: Confirmed → In Progress