如何保护快照中的代码免遭未经授权的访问?

如何保护快照中的代码免遭未经授权的访问?

我观察到,一旦安装了 snap,所有代码都可以在 /snap/snap_package/current 目录中访问。有没有办法阻止未经授权的用户访问此代码?

答案1

虽然将其转换为 snap 的过程的一部分意味着所有这些文件都以 root 身份拥有,但您仍然可以使用文件模式位。例如snapcraft.yaml

name: not-protected-snap
version: '0.1'
summary: my summary
description: my description

grade: devel
confinement: strict

apps:
  hello:
    command: hello.sh

parts:
  my-part:
    plugin: nil
    build: |
      echo "#!/bin/sh" > $SNAPCRAFT_PART_INSTALL/hello.sh
      echo "echo \"hello world\"" >> $SNAPCRAFT_PART_INSTALL/hello.sh
      chmod a+x $SNAPCRAFT_PART_INSTALL/hello.sh

运行snapcraft它,然后sudo snap install --dangerous <snap>。这是世界可读的,正如你所说:

$ not-protected-snap.hello
hello world
$ cat /snap/not-protected-snap/current/hello.sh
#!/bin/sh
echo "hello world"

请注意如果我们snapcraft.yaml稍微改变一下会发生什么:

name: protected-snap
version: '0.1'
summary: my summary
description: my description

grade: devel
confinement: strict

apps:
  hello:
    command: hello.sh

parts:
  my-part:
    plugin: nil
    build: |
      echo "#!/bin/sh" > $SNAPCRAFT_PART_INSTALL/hello.sh
      echo "echo \"hello world\"" >> $SNAPCRAFT_PART_INSTALL/hello.sh
      chmod 500 $SNAPCRAFT_PART_INSTALL/hello.sh

运行snapcraft它,然后sudo snap install --dangerous <snap>。现在你会看到你所期望的差异:

$ protected-snap.hello 
/snap/protected-snap/x1/command-hello.wrapper: 5: exec: /snap/protected-snap/x1/hello.sh: Permission denied
$ cat /snap/protected-snap/current/hello.sh cat: /snap/protected-snap/current/hello.sh: Permission denied
$ sudo protected-snap.hello
hello world
$ sudo cat /snap/protected-snap/current/hello.sh
#!/bin/sh
echo "hello world"

相关内容