
Is there something where I can change the user/group id of Snap installed applications? I would like to secure what folders/files they have access to on my machine.

Similar to

sudo -H -u "$USER" -g "$GROUP" /bin/command

or like systemd

[Service]
Type=simple
User=john
Group=admins
ExecStart=/bin/command
TimeoutStartSec=0
RemainAfterExit=yes
Josh
  • No, I more so want to block off part of my system in case the application was breached remotely. – Josh May 07 '22 at 05:36
  • Snaps are designed to be sandboxed/secured by default, and without connections, cannot reach anything. So perhaps indicate more clearly and specifically what you really want to achieve. Further increase security of snaps? – vanadium May 07 '22 at 06:53
  • I'm under the impression some applications can be fuzzed remotely where code is written to RAM to create a shell... if an application starts with a certain uid and the shell is created.. It will be stuck with that uid.. Making it an extra challenge for the attacker to gain root. -- But maybe snap is secure enough? – Josh May 07 '22 at 07:06
  • Snap applications are supervised by AppArmor, which has a list of rules (permitted actions) for each application included with the Snap. AppArmor will override and deny actions that are not on the list, including launching other applications -- including shells. If you discover any loopholes in the AppArmor supervision of a particular Snap, or if you discover a bug in AppArmor, or if you discover any application that can be exploited to gain remote access, please report it to the appropriate bug tracker! For folks interested in security, I recommend https://ubuntusecuritypodcast.org/ – user535733 May 07 '22 at 11:21
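
The comments above say a snap reaches files only through its connections. As an added example, not part of the original thread, this script lists which file-access interfaces a snap has connected and prints the commands that would revoke them. The `snap connections` output is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the file-access interfaces a snap has connected.
# snapd interfaces that open up parts of the filesystem to a confined snap.
FILE_IFACES="home removable-media personal-files system-files"

# Reads `snap connections <snap>` output on stdin and prints the plug of
# every *connected* file-access interface, one per line.
file_access_plugs() {
    awk -v ifaces="$FILE_IFACES" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR == 1    { next }   # header row: Interface Plug Slot Notes
        $3 == "-"  { next }   # plug is declared but not connected to a slot
        ($1 in want) { print $2 }
    '
}

# Turns those plugs into the commands that would revoke them.
# The commands are printed for review, not executed.
disconnect_commands() {
    file_access_plugs | sed 's/^/sudo snap disconnect /'
}

# Constructed sample of `snap connections firefox` output (not captured
# from a real machine).
sample_connections() {
    cat <<'EOF'
Interface        Plug                         Slot             Notes
audio-playback   firefox:audio-playback       :audio-playback  -
home             firefox:home                 :home            -
network          firefox:network              :network         -
personal-files   firefox:dot-mozilla-firefox  :personal-files  -
removable-media  firefox:removable-media      -                -
EOF
}

# With a snap name as argument, audit the live system; otherwise use the sample.
if [ -n "${1:-}" ]; then
    snap connections "$1" | disconnect_commands
else
    sample_connections | disconnect_commands
fi
```

On a real system, run it with the snap's name as the only argument and review the printed commands before running any of them.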

0 Answers