Accessing /tmp from snaps?

Lin-Buo-Ren · October 27, 2024, 6:06am

For applications that honor the TMPDIR environment variable, you can work around this by forcing the screenshot application to not write into the system /tmp folder.

IMHO the path of the ssh-agent socket shouldn’t be in the /tmp folder in the first place(it should be in the /run folder according to FHS). I would definitely like this issue to be solve in one way or another, though.

msangel · October 27, 2024, 8:15am

Fortunately its not true. ssh-agent provide authentication for anyone who authorized to ask and the communication socket is where it may be accessible by anyone by design. Directly from ssh sources:

github.com

openssh/openssh-portable/blob/master/misc.c#L1856


      
          mktemp_proto(char *s, size_t len)
          {
          	const char *tmpdir;
          	int r;
          
          	if ((tmpdir = getenv("TMPDIR")) != NULL) {
          		r = snprintf(s, len, "%s/ssh-XXXXXXXXXXXX", tmpdir);
          		if (r > 0 && (size_t)r < len)
          			return;
          	}
          	r = snprintf(s, len, "/tmp/ssh-XXXXXXXXXXXX");
          	if (r < 0 || (size_t)r >= len)
          		fatal_f("template string too short");
          }
          
          static const struct {
          	const char *name;
          	int value;
          } ipqos[] = {
          	{ "none", INT_MAX },		/* can't use 0 here; that's CS0 */
          	{ "af11", IPTOS_DSCP_AF11 },

Lets be honest. openssh rely heavily on “/tmp” and this TMPDIR env is not respected often:

github.com

openssh/openssh-portable/blob/master/session.c#L209


      
          
          	if (auth_sock_name != NULL) {
          		error("authentication forwarding requested twice.");
          		return 0;
          	}
          
          	/* Temporarily drop privileged uid for mkdir/bind. */
          	temporarily_use_uid(pw);
          
          	/* Allocate a buffer for the socket name, and format the name. */
          	auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
          
          	/* Create private directory for socket */
          	if (mkdtemp(auth_sock_dir) == NULL) {
          		ssh_packet_send_debug(ssh, "Agent forwarding disabled: "
          		    "mkdtemp() failed: %.100s", strerror(errno));
          		restore_uid();
          		free(auth_sock_dir);
          		auth_sock_dir = NULL;
          		goto authsock_err;
          	}

and here too: /openssh/openssh-portable/blob/master/session.c#L279

And I believe its by design as it have advantages and no drawbacks.

This is where my ssh-agent PID file is located:

✔ swift3:~> ls /tmp/ssh-*
agent.387988

The question is: can I ask snap to respect mine security requirements? In the end this limitation is making a lot of software not usabe in very unexpected cases. And people think that the issue is with the sofware instead. But its snap fault. And nothing wrong with accessing /tmp as it is designed to be for everyone.

Lin-Buo-Ren · October 27, 2024, 9:01am

I’m pretty sure ssh-agent should be accessed only by the user’s own processes(as it is supposed to provide the user’s decrypted private keys), which makes the proper path to be /run/user/UID/ssh-XXXXXXXXX according to FHS.

The process PID files should also be stored in the /run directory hierarchy, refer to the FHS specification for more info.

I believe the behavior is just for legacy application compatibility rather than security concerns.

And nothing wrong with accessing /tmp as it is designed to be for everyone.

The major design consideration is that applications tend to misuse this directory and place potentially sensitive personal data there, which can be easily stolen by other applications. While I personally agree the access can be more configurable I disagree that allowing the access is the proper way to be done.