Browser-support/daemon permission request

you’d have to run a separate daemon that does not drop the privs inside your snap and then talk to it from the binary with dropped privileges through a socket or dbus or some such …

I’d like some input here from the security team (@alexmurray?): Would adding code to drop privileges help get electron snaps approved?

Dropping privileges does reduce the exposure to the electron process, but there would still be a need for a security review and an exception based on trusting the publisher.

As noted by @ogra above, there may need to be “a separate daemon that does not drop the privs” (that may not need browser-support though).

That is what I did. I ran into other issues, though they were quite specific to what I was trying to do.

Did you test utilizing serial devices or a camera with your previous electron implementation by chance?

Yes, like @ogra said I had to run a separate daemon and open a socket with generous permissions.

Then you can listen on the socket in your electron app.

This was only a crude implementation. There may be a better, more secure way.


It is the combination of browser-support with daemon as the root user (which is what is done by default for snaps) that is the issue - essentially this combination allows a snap to take ownership of a device - which is why we then require vetting of the publisher etc. However, even if a snap drops permission to the snap_daemon user there is nothing stopping the publisher from removing such functionality in the future, hence why even if the snap_daemon user is used we still do the publisher vetting.

In general though, if the privileges can either be reduced by having the daemon within the snap run as the snap_daemon user - or by splitting these between two different processes within the snap - one that runs as root but does not have browser-support and one that runs as snap_daemon with browser-support - then that seems reasonable and the security review seems tractable in either case (this is still better than having the whole thing run as root with browser-support).

@alexmurray Would there be a way to release our app on a dev channel or temporarily on some sort of public channel (that’s not a brand store) while this gets worked out? We are trying to test creating an ubuntu core image for a large client and need to include our app in the image assertion.

Ignoring the fact that the snapd team is under heavy load and understaffed currently, I wonder if long term we could not take away the pain from the packager by having the snapd side handle the privilege dropping instead, so that the packager does not have to apply hacks and scripts to drop privs but can simply define something like daemon: unprivileged in the snapcraft.yaml …

@flightknight22 I understand there is some urgency for you. And you can help progress things.

  1. For the security team to approve your snap it needs, among other things, to drop permission.
  2. You can see an example of doing this: you can try that logic and see if it works for you.

If it works, it would be nice if you can share the solution by proposing changes to the example. I would be able to review that earlier and faster than working out the changes myself.

@alexmurray

I can implement the example that @jaydensmith provided, but it won’t be a valid solution for our situation either as we will run into the same hardware interfacing issues.

Are there other electron apps on the snap store currently?

I added $SNAP/bin/drop-snap-daemon.sh to the wrapper script along with the drop-snap-daemon.sh from @jaydensmith to the build directory. Is there anything else required?

You will have to update the drop-snap-daemon.sh file to include your app name, not pcds. You’d also have to add it to your command chain in snapcraft.yaml.

Is there a way to test if the privileges have been dropped properly? Thanks for all your work. @jaydensmith

Here’s the repo for what I have done. @alexmurray

@jaydensmith is there a setpriv script missing from the example repo you provided? Also, do you happen to know how to test for dropped privileges?

The setpriv command is here.

It isn’t doing anything in your repo though, as you have not added drop-snap-daemon.sh to your command chain.

I have just noticed it in your wrapper, it won’t work like that though. You need to add it to the command chain.
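The posts above ask three things: how the drop-snap-daemon.sh command-chain step should look, why it has no effect unless snapd runs it in the command chain, and how to check that privileges were actually dropped. The script below is an added example written for this thread, not the drop-snap-daemon.sh from @jaydensmith's repo. It assumes `$SNAP/usr/bin/setpriv` is staged in the snap (from the util-linux package) and that snapcraft.yaml declares `system-usernames: snap_daemon: shared` and lists the script under the app's `command-chain`; the function names and `SNAP_DAEMON_USER` variable are this example's own.

```shell
#!/bin/sh
# Added example (not the thread's own drop-snap-daemon.sh): a command-chain
# script that re-executes the app as snap_daemon when it is still root, plus
# a helper that answers "did the drop actually happen?".
# Assumptions: $SNAP/usr/bin/setpriv is staged (stage-packages: [util-linux])
# and snapcraft.yaml declares system-usernames: {snap_daemon: shared}.
set -e

# The unprivileged account to switch to; snap_daemon is the name snapd provides.
SNAP_DAEMON_USER="${SNAP_DAEMON_USER:-snap_daemon}"

# Succeed only when a uid/gid pair is unprivileged (neither is 0).
# Kept free of side effects so it can be checked against constructed values.
privs_dropped() {
    uid="$1"
    gid="$2"
    [ "$uid" -ne 0 ] && [ "$gid" -ne 0 ]
}

# Print the exact setpriv invocation used to drop privileges, so the command
# line can be inspected without executing it. --clear-groups drops root's
# supplementary groups; --reuid/--regid set the real, effective and saved
# ids, so the process cannot later switch back to root.
build_setpriv_cmd() {
    printf '%s --clear-groups --reuid %s --regid %s --' \
        "$SNAP/usr/bin/setpriv" "$SNAP_DAEMON_USER" "$SNAP_DAEMON_USER"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Self-check for use inside the snap (e.g. from `snap run --shell <snap>.<app>`):
# report the effective identity and fail if we are still root.
check_current_privs() {
    uid="$(id -u)"
    gid="$(id -g)"
    echo "running as uid=$uid gid=$gid ($(id -un))"
    privs_dropped "$uid" "$gid"
}

# Command-chain entry point: snapd invokes this script with the real app
# command as its arguments. If we are root, hand off to setpriv, which execs
# the command as snap_daemon; if privileges are already dropped, just exec
# the command, so the step is safe to run twice.
drop_privs_and_exec() {
    if [ "$(id -u)" -eq 0 ]; then
        exec "$SNAP/usr/bin/setpriv" --clear-groups \
            --reuid "$SNAP_DAEMON_USER" --regid "$SNAP_DAEMON_USER" -- "$@"
    fi
    exec "$@"
}

# Only act when given a command to run (as in a command chain); running the
# file with no arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    drop_privs_and_exec "$@"
fi
```

Calling the script from a wrapper, as in the repo discussed above, does nothing useful because the wrapper's own process keeps running as root and the `exec` only affects what the script itself launches; listed under `command-chain`, snapd runs it in front of the app command so the app inherits the dropped identity. To verify from the host, read the owner of the running daemon with `ps -o user= -p <pid>`; it should report snap_daemon rather than root.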

@flightknight22 apologies for the delay in getting back to you on this request - given the difficulties in trying to make an electron-based snap use the snap_daemon user we are trying to find a way forward for your snap to potentially be published as a regular root daemon and still use browser-support. If you are able to get snap_daemon working that is even better but I just wanted to let you know that we hope to be able to find a way forward regardless. Please let me know if you do get snap_daemon working in the meantime.

Hey @alexmurray! Any progress on this? I haven’t been successful getting our app to run with dropped privileges.