snapd gives all users access to system logs

Thanks for the report!

John, can you take a look at this? I think you need to lookup the user/group from the cred on the socket and verify the user has the permissions to view the logs.

I've tentatively assigned this to John, but please feel free to reassign. I think this needs a CVE. Please don't discuss in public or make public commits until the security team comments further on this bug.

I discussed this with the security team and mvo and we decided that this will be assign 'low' priority in terms of the CVE, but that the fix should be in 2.29. Because it is 'low' priority, we can forego embargo and let the snapd team work and discuss this issue in public as they see fit.

It does mean that the 2.29 SRU will need to be built in the security ppa and get a USN. The timing can still be controlled by the SRU process though. Eg, give me the source package, I sponsor it into the security ppa, when built, we copy it to -proposed to undergo normal validation, when validated, it goes to both -updates and -security, when to -security, we issue the USN.

Gah!

Note this happens when you have no snaps with services installed :-(

I can confirm this btw:

$ id
uid=1001(jamie-test) gid=1001(jamie-test) groups=1001(jamie-test)

$ journalctl
Hint: You are currently not seeing messages from other users and the system.
      Users in the 'systemd-journal' group can see all messages. Pass -q to
      turn off this notice.
No journal files were opened due to insufficient permissions.

$ curl -s --unix-socket /run/snapd.socket http://localhost/v2/logs|jq
{
  "timestamp": "2017-11-09T13:00:10.409213Z",
  "message": "UDEV [47902.395905] remove /kernel/slab/:t-0000512/cgroup/kmalloc-512(5427:snap-repair.service) (cgroup)",
  "sid": "test-udevadm.udevadm-monitor",
  "pid": "4375"
}

Thinking of cross-distro, IMO the snapd team should help distros that have 2.27 update to the fixed 2.29 with high priority when you deem it is ready.

This has been assigned CVE-2017-14178.

https://github.com/snapcore/snapd/pull/4194

This is assuming that showing *snap service* logs to all users is OK. If that's not the case, we can make logs require auth.

PR updated to make logs require admin, after some discussion on IRC.

This was fixed in 2.29.3 upstream and 2.29.4.2 in all Ubuntu releases.

Unfortunately because of the problems surrounding the 2.29 snapd release, the snapd package was not built in the security ppa so no USN was issued. Now that 2.30 and 2.31 snapd SRUs are happening and because this is a 'low' issue, we'll forego the USN. We want to improve our process going forward however to make sure security issues in snapd get USNs.