Snap Application Permissions

We have already written about snaps and their advantages over other application packaging systems. Compared with RPM and DEB packages, snaps offer automatic background updates, which keep applications up to date and deliver bug fixes more frequently.

A snap app is packaged with all of its dependencies, which makes the application very big in comparison with other packages. Other snap disadvantages are the old-style cursor in some applications and configuration or data loss with Eclipse – Snapcrafters version (note that this is not an official release from eclipse.org; if you want an official release, grab it here). But this doesn't mean that snaps are all disadvantages; below you can see some advantages:

  • Applications are always up to date regardless of your distro version. You just need to have snapd installed on your distro and you are good to go. You can see here if your distro supports snaps.
  • The applications are mostly sandboxed (you will understand below why it is mostly and not all), which means that if an app contains malware, it can't affect the whole system.
  • If your application crashes and you need a previous version, you can choose a different, older revision and use it right away. Reverting to an older version takes less than 5 seconds, but note that for this to work the app must have been updated at least once. After a new version of the same app is released, snap-core will jump straight to this new version, skipping the version with the problem.

Snaps also have many types of application confinement, but we will only mention the 2 most important:

  • Strict – The application only has permission to its snap folder home location /snap/<appname>; it can't write to the root folder.
  • Classic – The application works almost like a DEB application, with the advantage of automatic updates, but this type of confinement has permission to the whole system (root folder, home folder, etc.). One small difference is that the files of this type of application are set as read-only, making it difficult for malware to change them.

How can my app access the home folder if it only has access to its own snap home folder?

Snaps have plugs that allow certain application functionality; these plugs can be called permissions or interfaces. The interfaces are declared in the YAML file when the snap application is built. Some plugs are connected by default; two examples are the plug to connect to the home folder and the plug to connect to the network.

There are also plugs that have to be connected manually by the user; examples are the plug for removable media and the plug for printing services, cups-control.

Sometimes an application needs auto-connection for plugs that don't allow auto-connection; these cases are where snap reviewers come in.

Manual connection for this type of application can reduce performance or functionality. Snap reviewers analyze whether the application really needs to have those special plugs auto-connected, and through a voting method the application can have the plugs connected automatically.

Connected interfaces can be viewed through the Software Store or through the command line, where a user with permissions can connect or remove plugs.

Below is the GIMP application:

[Image: gimp software linux]

and these are its permissions:

[Image: gimp snap app]

On the command line, the same information looks like this:

$ snap interfaces gimp
Slot      plug
:home     gimp, gnome-characters, gnome-logs
-         gimp:cups-control
-         gimp:removable-media
-    (...)

The command output and image above show that printing and removable media don't have any permissions: their plugs are listed but not connected. To change a permission, the user needs superuser rights to change the interface's status.
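As an added example (not code from the original post or from the snapd project), the shell function below parses a listing in the `snap interfaces` format shown above and separates one snap's connected plugs from the ones that still need a manual connection. The helper names `audit_plugs` and `unconnected_plugs` are hypothetical, and the embedded sample is constructed from the listing in this article.

```shell
#!/bin/sh
# Added example: classify one snap's plugs from `snap interfaces` output.
# A "-" in the Slot column marks a plug that is declared but not connected.

# Constructed sample, copied from the listing in this article.
SAMPLE_OUTPUT='Slot      plug
:home     gimp, gnome-characters, gnome-logs
-         gimp:cups-control
-         gimp:removable-media
-    (...)'

# audit_plugs SNAP  (hypothetical helper name, not a snapd command)
# Reads the listing on stdin and prints one line per plug owned by SNAP:
#   connected SNAP:PLUG SLOT
#   unconnected SNAP:PLUG
audit_plugs() {
    awk -v snap="$1" '
        NR == 1 || NF < 2 { next }        # skip header and blank lines
        {
            slot = $1
            rest = $0                      # plug column: comma-separated list
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)
            sub(/[ \t]+$/, "", rest)
            n = split(rest, plugs, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                p = plugs[i]
                if (p == snap) {
                    # A bare snap name means the plug is named like the slot.
                    name = slot
                    sub(/^.*:/, "", name)
                    p = snap ":" name
                } else if (index(p, snap ":") != 1) {
                    continue               # other snaps, or the "(...)" elision
                }
                if (slot == "-") print "unconnected " p
                else print "connected " p " " slot
            }
        }'
}

# unconnected_plugs SNAP: only the plugs a user would still have to connect.
unconnected_plugs() {
    audit_plugs "$1" | awk '$1 == "unconnected" { print $2 }'
}

printf '%s\n' "$SAMPLE_OUTPUT" | audit_plugs gimp
```

On a live system, `snap interfaces gimp | audit_plugs gimp` feeds real output to the function; newer snapd releases favour `snap connections`, whose columns are laid out differently.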

Conclusion

Snap applications have come to make our lives much easier: we can now install applications with just one click and forget about updates. There are no PPAs to add, and you don't have to check whether an app has a new version that you missed. Have you used a snap application? Give it a try and leave your thoughts below.

SOURCE: https://blog.ubuntu.com/2018/11/01/a-guide-to-snap-permissions-and-interfaces

4 Comments
  • I recently downloaded nmap using
    snap install nmap
    on Linux Ubuntu and it created a snap directory in my HOME dir.
    I've tried the following nmap command inside and outside snap/
    nmap -v -sn 192.168.0.0
    and got the same error:
    ————————————
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-03 19:19 EDT
    NSE: Loaded 148 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 19:19
    Completed NSE at 19:19, 0.00s elapsed
    Initiating NSE at 19:19
    Completed NSE at 19:19, 0.00s elapsed
    Initiating Ping Scan at 19:19
    Scanning 172.217.10.35 [2 ports]
    Socket creation in sendConnectScanProbe: Permission denied (13)
    ————————————
    I've also checked the file permissions of snap/, which were read/write for the current
    user (me).
    What can I do next?
    Thanks in advance for your help.

  • It is possible to change the permissions from the CLI as follows. This example is for using a mounted unit:

    sudo snap connect gimp:removable-media

  • Too many annoying errors and permission denials… using snaps, especially from Snapcrafters.
    Anyway, trying to use snap pkgs is no more secure than PPAs.
    Flatpak is another can of worms that also bloats itself by using a ridiculous amount of space on your drive.
    sudo apt purge snapd
    sudo rm -rf /snap
    rm -rf ~/snap
    Problems solved.
