inspired by ogra’s comment [1] I tried to build a configuration snap to handle the SSH configuration. To be able to write to /etc/ssh/sshd_config, I intended to use the system-files interface [2].
The following snippet shows a very simple snapcraft.yaml description which I used to test the functionality before integrating it into our management snap:
name: systemfiles
base: core18
version: 0.0.1
summary: |
  Test system-files interface
description: |
  Test system-files interface
grade: devel
confinement: strict
To test it locally, the snap was installed with “snap install <…> --dangerous”. The “dotest” binary is a simple shell script: it tries to read the ssh_host_ecdsa_key file and to write to sshd_config:
#!/bin/bash
# Exercise the system-files plug: "read" reads a host key, "write" appends to sshd_config.
ARG="$1"
case "$ARG" in
  read)
    cat /etc/ssh/ssh_host_ecdsa_key
    ;;
  write)
    echo "Test" >> /etc/ssh/sshd_config
    ;;
  *)
    echo "Usage: dotest (read|write)"
    ;;
esac
Reading as well as writing both fail (“Permission denied”). I tested the Snap on the following system:
Ubuntu Core:
snap 2.39+git48.g1ae2fb7
snapd 2.39+git48.g1ae2fb7
series 16
kernel 4.15.0-51-generic
Is there something I am doing wrong? Did I understand the functionality of the system-files interface wrong? If so, is there an alternative method?
Hi there, given the broad permissions this opens, the interface is not auto-connected so after installing, running snap connect ... would be required. Have you done that?
@jdstrand might be able to help more with regards to guidance on using this specific interface.
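As an added example (not the original poster's snapcraft.yaml, whose apps and plugs sections are not shown in the thread), this is how the system-files plug the replies refer to is declared so that the snap can be connected with snap connect. The plug name etc-ssh, the command path bin/dotest and the parts section are assumptions; the read and write paths are the ones the thread is about:

```yaml
name: systemfiles
base: core18
version: 0.0.1
summary: Test system-files interface
description: Test system-files interface
grade: devel
confinement: strict

# Plug name is an assumption. system-files is never auto-connected and
# needs manual store review, so give the plug a name that describes
# the paths it grants rather than a generic one.
plugs:
  etc-ssh:
    interface: system-files
    read:
      - /etc/ssh/ssh_host_ecdsa_key   # generates an "rk" AppArmor rule
    write:
      - /etc/ssh/sshd_config          # generates an "rwkl" AppArmor rule

apps:
  dotest:
    command: bin/dotest   # location of the script inside the snap; assumed
    plugs:
      - etc-ssh           # the app only gets the access if the plug is connected

parts:
  dotest:
    plugin: dump
    source: scripts/      # assumed directory containing the dotest script
    organize:
      dotest: bin/dotest
```

After installing with snap install <file>.snap --dangerous, connect the plug with snap connect systemfiles:etc-ssh and confirm it with snap connections systemfiles; until that connection exists both dotest read and dotest write fail with "Permission denied", and the kernel log shows the corresponding apparmor="DENIED" entries. Paths in read and write must be absolute host paths; listing only a read path, as the original test did for the host key, is what produces the read-only rk rule quoted later in the thread.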
When I connect the hook, the sshd_config file is written.
Nevertheless, I am a little bit confused with the behavior - I would have expected that both variants work. And I still don’t have a solution if I have a use case in the future in which I want to change a system file within an application in my snap.
# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/ssh/ssh_host_ecdsa_key{,/,/**}" rk,
# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/ssh/sshd_config{,/,/**}" rwkl,
just a side-note since nobody mentioned it yet, there is an explicit ssh-keys interface that should allow you to read the keys without specifically tinkering with system-files for reading (only leaving you with the “write” portion, perhaps making things a bit simpler)
@jdstrand: This is really strange. I will test it again, maybe I made a mistake somewhere… I will run some tests and give you an update!
@ogra: You’re right, I just wanted to test the system-files interface against some arbitrary file on the system and the first file I came up with by coincidence was the ssh key. If I really needed access to this specific file then your solution would be the better one.