How to use the system-files interface correctly?

Hi,

inspired by ogra’s comment [1] I tried to build a configuration snap to handle the SSH configuration. To be able to write to /etc/ssh/sshd_config, I intended to use the system-files interface [2].

The following snippet shows a very simple snapcraft.yaml description which I used to test the functionality before integrating it into our management snap:

name: systemfiles
base: core18
version: 0.0.1

summary: |
  Test system-files interface
description: |
  Test system-files interface
grade: devel
confinement: strict

parts:
  wrappers:
    plugin: dump
    source: wrappers

apps:
  dotest:
    command: bin/dotest
    plugs:
    - read-ssh
    - write-ssh

plugs:
  read-ssh:
    interface: system-files
    read:
    - /etc/ssh/ssh_host_ecdsa_key
  write-ssh:
    interface: system-files
    write:
    - /etc/ssh/sshd_config

To test it locally, the snap was installed with “snap install <…> --dangerous”. The “dotest” binary is a simple shell script: it tries to read the ssh_host_ecdsa_key file and to append to sshd_config:

#!/bin/bash
# dotest: exercise the read-ssh and write-ssh plugs from inside the snap
ARG=$1

case $ARG in
  read)
    # needs the read-ssh plug (system-files, read: /etc/ssh/ssh_host_ecdsa_key)
    cat /etc/ssh/ssh_host_ecdsa_key
    ;;
  write)
    # needs the write-ssh plug (system-files, write: /etc/ssh/sshd_config)
    echo "Test" >> /etc/ssh/sshd_config
    ;;
  *)
    echo "Usage: dotest (read|write)"
    ;;
esac

Reading as well as writing both fail (“Permission denied”). I tested the Snap on the following system:

Ubuntu Core:

snap 2.39+git48.g1ae2fb7
snapd 2.39+git48.g1ae2fb7
series 16
kernel 4.15.0-51-generic

Is there something I am doing wrong? Did I understand the functionality of the system-files interface wrong? If so, is there an alternative method?

Kind regards,
Michael

[1] Customized Image + configuration and update of the OS
[2] The system-files interface

Hi there, given the broad permissions this opens, the interface is not auto-connected so after installing, running snap connect ... would be required. Have you done that?

@jdstrand might be able to help more with regards to guidance on using this specific interface.

Hi Sergio, yes, I tried it with snap connect <…>.

In the meantime, I tried another approach which works for my specific use case. This is the solution that I came up with:
snapcraft.yaml:

[…]
  write-sshd-config:
    interface: system-files
    write:
    - /etc/ssh/sshd_config

interface hook (connect-plug-write-sshd-config):

[…]
echo "AllowGroups sshuser" >> /etc/ssh/sshd_config

When I connect the hook, the sshd_config file is written.

Nevertheless, I am a little bit confused with the behavior - I would have expected that both variants work. And I still don’t have a solution if I have a use case in the future in which I want to change a system file within an application in my snap.

Kind regards,
Michael

Your initial paste lost all whitespace formatting so it is difficult to say authoritatively what went wrong. If I add the spaces I expect:

apps:
  dotest:
    command: bin/dotest
    plugs:
    - read-ssh
    - write-ssh

plugs:
  read-ssh:
    interface: system-files
    read:
    - /etc/ssh/ssh_host_ecdsa_key
  write-ssh:
    interface: system-files
    write:
    - /etc/ssh/sshd_config

If I create a test snap with the above, it all works:

$ snap connections snap-example
system-files  snap-example:read-ssh      -              -
system-files  snap-example:write-ssh     -              -

$ sudo snap connect snap-example:read-ssh
$ sudo snap connect snap-example:write-ssh

Now the apparmor profile has the policy:

# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/ssh/ssh_host_ecdsa_key{,/,/**}" rk,

# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/ssh/sshd_config{,/,/**}" rwkl,
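The thread's diagnosis boils down to two checks: is each system-files plug actually connected (the interface is never auto-connected), and does the resulting AppArmor policy match the paths declared in snapcraft.yaml? The following is an added example, not code from the thread or from snapd; the plug definitions and the `snap connections` output are constructed to mirror the listing above.

```python
"""Check system-files plug connections and the AppArmor rules they produce."""

# Constructed plug definitions mirroring the snapcraft.yaml in the question.
PLUGS = {
    "read-ssh": {"interface": "system-files", "read": ["/etc/ssh/ssh_host_ecdsa_key"]},
    "write-ssh": {"interface": "system-files", "write": ["/etc/ssh/sshd_config"]},
}

# Constructed 'snap connections' output. A '-' in the Slot column means the plug
# is declared but not connected; here only write-ssh has been connected manually.
SNAP_CONNECTIONS = """\
Interface     Plug                    Slot           Notes
system-files  snap-example:read-ssh   -              -
system-files  snap-example:write-ssh  :system-files  manual
"""


def parse_connections(output):
    """Return {plug_name: connected} for every system-files plug in the listing."""
    status = {}
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "system-files":
            continue
        _snap, plug = fields[1].split(":", 1)
        status[plug] = fields[2] != "-"
    return status


def missing_connect_commands(snap, output):
    """The 'snap connect' commands still needed before the plugs grant anything."""
    return [
        f"sudo snap connect {snap}:{plug}"
        for plug, connected in sorted(parse_connections(output).items())
        if not connected
    ]


def expected_apparmor_rules(plugs):
    """AppArmor rules snapd emits once connected: read paths get 'rk', write paths 'rwkl'.

    The {,/,/**} glob covers the path itself and, if it is a directory, everything below it.
    """
    rules = []
    for spec in plugs.values():
        if spec.get("interface") != "system-files":
            continue
        for path in spec.get("read", []):
            rules.append(f'"{path}{{,/,/**}}" rk,')
        for path in spec.get("write", []):
            rules.append(f'"{path}{{,/,/**}}" rwkl,')
    return rules
```

Running `missing_connect_commands("snap-example", SNAP_CONNECTIONS)` on the constructed listing reports that read-ssh still needs `sudo snap connect snap-example:read-ssh`, which is exactly the "Permission denied" situation from the first post.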

Just a side-note since nobody mentioned it yet: there is an explicit ssh-keys interface that should allow you to read the keys without specifically tinkering with system-files for reading (only leaving you with the “write” portion, perhaps making things a bit simpler).

Hi,

@jdstrand: This is really strange. I will test it again, maybe I made a mistake somewhere… I will run some tests and give you an update!

@ogra: You’re right, I just wanted to test the system-files interface against some arbitrary file on the system, and the first file I came up with by coincidence was the ssh key. :) If I really needed access to this specific file then your solution would be the better one.

Kind regards,
Michael
