Auto-connect system-files and personal-files for the feroxbuster snap

epi052 · October 26, 2020, 10:18am

Good morning,

I’d like to distribute feroxbuster as a snap package.

feroxbuster is a tool designed to perform Forced Browsing.

Forced browsing aims to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.

feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc…

In order to provide different levels of configuration, feroxbuster searches for a config file in the following locations:

/etc/feroxbuster/
CONFIG_DIR/ferxobuster/
The same directory as the feroxbuster executable
The user’s current working directory

CONFIG_DIR is defined as the following:

$XDG_CONFIG_HOME or $HOME/.config i.e. /home/bob/.config

With no way of knowing which config location a user has chosen based on previous installs (all are simultaneously valid and have an order precedence), I’m requesting auto-connect permission for the two narrowly scoped directories /etc/feroxbuster and /home/.config/feroxbuster.

Below is an excerpt from my snapcraft.yaml

plugs:
  etc-config:
    interface: system-files
    read:
    - /etc/feroxbuster
  dot-config:
    interface: personal-files
    read:
    - $HOME/.config/feroxbuster

This is my first time creating a snap/requesting an access like this. Thank you for your time and patience!

alexmurray · October 28, 2020, 12:44am

Since feroxbuster is the clear owner of these directories, and we are looking at just read access, +1 from me for both.

@epi052 can you please change the name used for these interfaces so they are more descriptive and follow the standard pattern:

 plugs:
  etc-feroxbuster:
    interface: system-files
    read:
    - /etc/feroxbuster
  dot-config-feroxbuster:
    interface: personal-files
    read:
    - $HOME/.config/feroxbuster

epi052 · October 28, 2020, 2:10am

@alexmurray thank you for taking a look!

I updated my snapcraft.yaml with your suggested changes. I rebuilt the snap and submitted a new revision.

I’m not entirely sure if that’s what was supposed to happen, so if anything else needs done on my end, please let me know.

Thank you!

alexmurray · October 28, 2020, 2:52am

Thanks - it seems you also need to update the names used in the plugs section under apps as well.

Now we just need to wait for other reviewers to vote during the voting period as per Process for aliases, auto-connections and tracks

epi052 · October 28, 2020, 11:01am

Thank you. I tried to just make the change and push it before laying down. Both sections are updated and actually reflect each other now.

Thanks again for your help!

epi052 · November 4, 2020, 12:56pm

Good morning!

Reading through the Process for aliases, auto-connections and tracks, it looks like the request needs a minimum of two votes to pass. Is that what we’re waiting on at this point?

Thanks!

emitorino · November 10, 2020, 10:34pm

@epi052 thanks for your patience. You are correct, a minimum of two votes is required to get this approved.

Since feroxbuster is the clear owner of these directories, and we are looking at just read access, +1 from me for both.

+2 votes for, 0 votes against. Granting the requested use and auto-connections. This is now live.

emitorino · November 10, 2020, 10:38pm

@epi052 could you please either request a manual review or upload a new revision so these changes take effect?

epi052 · November 10, 2020, 10:57pm

@emitorino will do, thank you very much!

emitorino · November 15, 2020, 6:05pm

Hey @epi052 I see latest revisions of feroxbuster successfully published.

Let us know if you have any further question!

Thanks

epi052 · November 18, 2020, 1:19am

Thank you very much @emitorino, will do!