group.of.nepali.translators team mailing list archive

[Bug 1880085] Re: snap userd's OpenURL method allows sandbox escape


This was released a while ago, the upstream task was stale.

** Changed in: snapd
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1880085

Title:
  snap userd's OpenURL method allows sandbox escape

Status in snapd:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in snapd source package in Trusty:
  Won't Fix
Status in snapd source package in Xenial:
  Fix Released
Status in snapd source package in Bionic:
  Fix Released
Status in snapd source package in Eoan:
  Fix Released
Status in snapd source package in Focal:
  Fix Released
Status in snapd source package in Groovy:
  Fix Released

Bug description:
  snap userd's OpenURL implementation alters the value of $XDG_DATA_DIRS
  to include a directory controlled by the calling snap before calling
  /usr/bin/xdg-open:

  https://github.com/snapcore/snapd/blob/7f678b92/usersession/userd/launcher.go#L109-L113

  This allows the snap to control how the URL will be opened, including
  having executables provided by the snap run outside of confinement.

  Attached is an example snap demonstrating the exploit.  It works as
  follows:

  1. the snap provides a single command plugging the desktop interface
  that calls "xdg-open help://whatever"

  2. userd invokes the host system /usr/bin/xdg-open with
  $SNAP/usr/share/applications at the start of $XDG_DATA_DIRS.

  3. under $SNAP/usr/share/applications, we have a yelp.desktop file
  whose Exec line points to an "outside-sandbox.sh" script shipped with
  the snap, and a mimeapps.list file to set it as the default handler
  for the "help:" scheme.

  4. the "outside-sandbox.sh" script is executed without confinement and
  writes a file /tmp/foo.txt

  This file can be seen in the host system /tmp rather than the snap's
  private /tmp, demonstrating that it was run outside the sandbox.

  Note that this isn't restricted to the "help:" URI scheme: it's just
  more likely to succeed, since users are unlikely to override the
  default handler.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1880085/+subscriptions
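The root cause the report describes is a privileged helper honouring a search path that the unprivileged caller controls. The Go below is an added example, not snapd's code or its actual fix: it models the reported prepend beside a variant that keeps only root-owned desktop-entry roots, plus an audit helper listing the entries a caller controls; trustedPrefixes, the function names and the sample paths are assumptions.

```go
package main

import (
	"path/filepath"
	"strings"
)

// Shape of the bug as reported (illustration, not snapd's code): the caller's
// $SNAP/usr/share/applications goes first, so its yelp.desktop and mimeapps.list win.
func vulnerableDataDirs(hostDirs, snapRoot string) string {
	return filepath.Join(snapRoot, "usr/share/applications") + ":" + hostDirs
}

// Root-owned roots a privileged helper may honour (assumed list for this example).
var trustedPrefixes = []string{"/usr/local/share", "/usr/share", "/var/lib/snapd/desktop"}

// trusted accepts a cleaned path under a trusted root; relative entries never match.
func trusted(dir string) bool {
	for _, p := range trustedPrefixes {
		if dir == p || strings.HasPrefix(dir, p+"/") {
			return true
		}
	}
	return false
}

// splitDataDirs cleans each entry (so "/usr/share/../../snap/x" is not taken
// for /usr/share) and partitions XDG_DATA_DIRS into trusted and untrusted.
// An empty entry cleans to "." (the cwd) and is deliberately flagged.
func splitDataDirs(env string) (kept, bad []string) {
	for _, d := range strings.Split(env, ":") {
		if c := filepath.Clean(d); trusted(c) {
			kept = append(kept, c)
		} else {
			bad = append(bad, c)
		}
	}
	return kept, bad
}

// untrustedEntries is the audit view: what the caller, not the host, controls.
func untrustedEntries(env string) []string { _, bad := splitDataDirs(env); return bad }

// sanitizedDataDirs is the hardened shape (my illustration, not the upstream fix):
// keep trusted entries only, never prepend caller paths, default when empty.
func sanitizedDataDirs(env string) string {
	if kept, _ := splitDataDirs(env); len(kept) > 0 {
		return strings.Join(kept, ":")
	}
	return "/usr/local/share:/usr/share"
}
```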