Nextcloud-snap: Run Nextcloud as non-root user

Created on 27 Feb 2018  路  6Comments  路  Source: nextcloud/nextcloud-snap

It seems to not be possible to set a the snap to run as a certain user, it is always root. There are two problems

  • running services as root unnecessarily is a security risk (although I realise some people diasgree)
  • it makes it really hard to interact with the rest of the system - files created are only modifiable by the root user, so any script that works with nextcloud directories has to have root privileges, which is dangerous

Most helpful comment

running services as root unnecessarily is a security risk (although I realise some people diasgree)

I don't think anyone would disagree in a traditional case. If the service is running as root, and it's exploited to the point of shell access. the attacker is root. That's as bad as it gets. However, this is not the case in a confined snap. Although the user is indeed root, it's still confined. It can't own the system like root typically can. You can test this out yourself by obtaining a shell as root confined with the same profile as one of the apps in the snap, e.g.

$ sudo snap run --shell nextcloud.occ

You'll see pretty quickly that even though you're root, your capabilities are very limited.

it makes it really hard to interact with the rest of the system - files created are only modifiable by the root user, so any script that works with nextcloud directories has to have root privileges, which is dangerous

Have you tried changing the data directory to have a different group? You can even set that to be sticky, in which case files created by Nextcloud should use it as well. Then your external scripts can belong to that group instead of running as root.

Note that design is ongoing for multiple users within snaps. Feel free to participate in the design if you like.

All 6 comments

running services as root unnecessarily is a security risk (although I realise some people diasgree)

I don't think anyone would disagree in a traditional case. If the service is running as root, and it's exploited to the point of shell access. the attacker is root. That's as bad as it gets. However, this is not the case in a confined snap. Although the user is indeed root, it's still confined. It can't own the system like root typically can. You can test this out yourself by obtaining a shell as root confined with the same profile as one of the apps in the snap, e.g.

$ sudo snap run --shell nextcloud.occ

You'll see pretty quickly that even though you're root, your capabilities are very limited.

it makes it really hard to interact with the rest of the system - files created are only modifiable by the root user, so any script that works with nextcloud directories has to have root privileges, which is dangerous

Have you tried changing the data directory to have a different group? You can even set that to be sticky, in which case files created by Nextcloud should use it as well. Then your external scripts can belong to that group instead of running as root.

Note that design is ongoing for multiple users within snaps. Feel free to participate in the design if you like.

You'll see pretty quickly that even though you're root, your capabilities are very limited.

I wish they would be limited. It is scary to see that I have full root access using the snap shell. I can access the /root directory an change /etc/fstab of the host system. Could not find a place where the capabilities are limited.

A df gives:

/dev/sda1                               114G  6.7G  101G   7% /var/lib/snapd/hostfs
/dev/loop0                               90M   90M     0 100% /snap/core/7917
/dev/loop2                               55M   55M     0 100% /snap/core18/1265
/dev/loop1                               90M   90M     0 100% /
/dev/loop3                              218M  218M     0 100% /snap/nextcloud/16402
/dev/loop5                              212M  212M     0 100% /snap/nextcloud/16739
/dev/loop4                               52M   52M     0 100% /snap/ffmpeg/821
/dev/loop6                               55M   55M     0 100% /snap/core18/1223
...

And if I change to /root or /etc a df . points to /dev/sda1. What happens here? Is it reproducible on another system?

@cddf what OS are you on? Ubuntu (and derivative) distros will be fully confined the way I mentioned above, but not all distros are (e.g. Fedora) due to a lack of kernel features. In which case running this snap (or any snap with a daemon) is probably a rather poor idea.

@kyrofa It's a Debian stretch (openmediavault). Not a derivative of Ubuntu...
May an upgrade help (omv is still beta on Debian 10)?

Yeah, Debian falls into that category as well (no apparmor if I recall).

Thank you. Good to know that snap is not really usable on every system.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

RadZaeem picture RadZaeem  路  8Comments

Seferi picture Seferi  路  5Comments

benclark06 picture benclark06  路  7Comments

kyrofa picture kyrofa  路  6Comments

DAMONSTA360 picture DAMONSTA360  路  3Comments