How to use the system-files interface correctly?

Hi,

inspired by ogra’s comment [1] I tried to build a configuration snap to handle the SSH configuration. To be able to write to /etc/ssh/sshd_config, I intended to use the system-files interface [2].

The following snippet shows a very simple snapcraft.yaml description which I used to test the functionality before integrating it into our management snap:

name: systemfiles
base: core18
version: 0.0.1

summary: |
  Test system-files interface
description: |
  Test system-files interface
grade: devel
confinement: strict

parts:
  wrappers:
    plugin: dump
    source: wrappers

apps:
  dotest:
    command: bin/dotest
    plugs:
    - read-ssh
    - write-ssh

plugs:
  read-ssh:
    interface: system-files
    read:
    - /etc/ssh/ssh_host_ecdsa_key
  write-ssh:
    interface: system-files
    write:
    - /etc/ssh/sshd_config

To test it locally, the snap was installed with "snap install <…> --dangerous". The "dotest" binary is a simple shell script: it tries to read the ssh_host_ecdsa_key file and to write to sshd_config:

#!/bin/bash
ARG=$1

case $ARG in
  read)
    cat /etc/ssh/ssh_host_ecdsa_key
    ;;
  write)
    echo "Test" >> /etc/ssh/sshd_config
    ;;
  *)
    echo "Usage: dotest (read|write)"
    ;;
esac

Reading as well as writing both fail ("Permission denied"). I tested the snap on the following system:

Ubuntu Core:

snap 2.39+git48.g1ae2fb7 snapd 2.39+git48.g1ae2fb7 series 16 kernel 4.15.0-51-generic

Is there something I am doing wrong? Did I understand the functionality of the system-files interface wrong? If so, is there an alternative method?

Kind regards, Michael

[1] Customized Image + configuration and update of the OS - #9 by ogra
[2] The system-files interface

Hi there, given the broad permissions this opens, the interface is not auto-connected so after installing, running snap connect ... would be required. Have you done that?

@jdstrand might be able to help more with regards to guidance on using this specific interface.

Hi Sergio, yes, I tried it with snap connect <…>.

In the meantime, I tried another approach which works for my specific use case. This is the solution that I came up with: snapcraft.yaml:

[…]
  write-sshd-config:
    interface: system-files
    write:
    - /etc/ssh/sshd_config

interface hook (connect-plug-write-sshd-config):

[…]
echo "AllowGroups sshuser" >> /etc/ssh/sshd_config

When I connect the hook, the sshd_config file is written.

Nevertheless, I am a little bit confused with the behavior - I would have expected that both variants work. And I still don’t have a solution if I have a use case in the future in which I want to change a system file within an application in my snap.

Kind regards, Michael

Your initial paste lost all whitespace formatting so it is difficult to say authoritatively what went wrong. If I add the spaces I expect:

apps:
  dotest:
    command: bin/dotest
    plugs:
    - read-ssh
    - write-ssh

plugs:
  read-ssh:
    interface: system-files
    read:
    - /etc/ssh/ssh_host_ecdsa_key
  write-ssh:
    interface: system-files
    write:
    - /etc/ssh/sshd_config

If I create a test snap with the above, it all works:

$ snap connections snap-example
system-files  snap-example:read-ssh      -              -
system-files  snap-example:write-ssh     -              -

$ sudo snap connect snap-example:read-ssh
$ sudo snap connect snap-example:write-ssh

Now the apparmor profile has the policy:

# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/ssh/ssh_host_ecdsa_key{,/,/**}" rk,

# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/ssh/sshd_config{,/,/**}" rwkl,
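The reply above turns on two checks: whether the plugs are actually connected, and whether the connected plug produced the expected rule in the app's AppArmor profile. The helper script below does both. It is an added example, not code from any post in this thread; the snap name, app name and the sample `snap connections` text are constructed for illustration, and the profile location under /var/lib/snapd/apparmor/profiles/ is the usual one snapd writes to.

```shell
#!/usr/bin/env bash
# Diagnostic helpers for a system-files plug that still yields "Permission
# denied". Added example, not code from any post in this thread. The snap
# name, app name and any sample `snap connections` text are constructed.
set -eu

# Read `snap connections <snap>` output on stdin and print the plugs whose
# Slot column is "-" (declared but not connected). The header row is skipped.
unconnected_plugs() {
  awk 'NR > 1 && $3 == "-" { print $2 }'
}

# Print the AppArmor rule snapd generates for one system-files path, in the
# form shown in the profile above: read grants rk, write grants rwkl.
expected_rule() {
  local path=$1 mode=$2
  case "$mode" in
    read)  printf '"%s{,/,/**}" rk,\n'   "$path" ;;
    write) printf '"%s{,/,/**}" rwkl,\n' "$path" ;;
    *)     echo "expected_rule: mode must be read or write" >&2; return 2 ;;
  esac
}

# Read an AppArmor profile on stdin and succeed only if it contains the rule
# for PATH with MODE. A missing rule means the plug was never connected (or
# the snap was not re-installed after the plug declaration changed).
profile_grants() {
  grep -qF -- "$(expected_rule "$1" "$2")"
}

# Live check against an installed snap: ./check.sh <snap> <app> <path> <mode>
# The profile lives under /var/lib/snapd/apparmor/profiles/snap.<snap>.<app>.
if [ "$#" -eq 4 ]; then
  snap=$1 app=$2 path=$3 mode=$4
  snap connections "$snap" | unconnected_plugs | sed 's/^/not connected: /'
  profile=/var/lib/snapd/apparmor/profiles/snap.$snap.$app
  if profile_grants "$path" "$mode" < "$profile"; then
    echo "profile grants $mode on $path"
  else
    echo "profile lacks $mode on $path; run: sudo snap connect $snap:<plug>"
  fi
  # Recent AppArmor denials for this app; they name the exact path and mask.
  journalctl -k --no-pager 2>/dev/null \
    | grep -F "profile=\"snap.$snap.$app\"" | grep -F 'apparmor="DENIED"' || true
fi
```

The rule masks follow AppArmor's file permission letters: r read, w write, k file locking, l link. A system-files `read` entry therefore never lets the app write the file, and `>> /etc/ssh/sshd_config` only succeeds once the `rwkl` rule is present, which is exactly what `snap connect` adds.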

Just a side-note since nobody mentioned it yet: there is an explicit ssh-keys interface that should allow you to read the keys without specifically tinkering with system-files for reading (only leaving you with the "write" portion, perhaps making things a bit simpler).

Hi,

@jdstrand: This is really strange. I will test it again, maybe I made a mistake somewhere… I will run some tests and give you an update!

@ogra: You're right, I just wanted to test the system-files interface against some arbitrary file on the system and the first file I came up with by coincidence was the ssh key. :) If I really needed access to this specific file then your solution would be the better one.

Kind regards, Michael
