Security concerns about user data in ~/snap/


#1

Dear all,

I am new to the snap format, but have security concerns: after installing a few snaps I found a pile of stuff (not simply some config files) in and below the ~/snap folder, which is user modifiable. How secure is that, for example can malware pull tricks (elevation…?) via ~/snap/* that will have wider effects than just that user account?

Note: I am aware of the X11 problems (external to snap)

Thanks for thoughts!
BR, Willem


Where is a snap stored and how can I change that?
#2

@willem_b I split your comment into its own topic, as it had nothing (or too little) to do with the topic to which you posted your comment. Double check that the title is what you’d want it to be please.

Thank you.


#3

Ok very good - new to the forum as well… thx!


#4

I suspect @jdstrand will be best placed to answer this.


#5

It is important to understand that while, yes, the files in this directory are user-modifiable, each strict mode snap can only write to its own area in ~/snap, so snaps cannot interfere with each other. Importantly, because these files are in ~/snap, anything that is written out to these areas is not considered by the user’s session (not without very deliberate changes made by the user) and therefore do not provide an avenue for sandbox escape.

Malware shipped as a strict mode snap are thus restricted by the policy of the sandbox and you are right to point out that x11 is a problem (along with other legacy desktop interfaces like gsettings and desktop-legacy) since they provide other means of sandbox escape. You will want to only install snaps that use these legacy interfaces from publishers you trust.

Similarly, while classic snaps have per-snap directories setup in ~/snap, the snaps run effectively unconfined and can do pretty much anything the user invoking the command can do. Likewise, you will want to only install snaps that use classic confinement from publishers you trust.

For more information, see Snap Confinement for more information.