Description
Gitea is unable to open and edit the /home/<user>/.ssh/authorized_keys
file from within snap confinement, so it is always empty.
This means that snap users must use the built-in SSH server, or they will experience SSH authorisation failures.
Doctor output:
dgregory@mina-gitea:~$ sudo runuser -u git -- gitea \
> --config /mnt/mina-gitea-data/custom/conf/app.ini \
> --work-path /mnt/mina-gitea-data/ \
> --custom-path /mnt/mina-gitea-data/custom/ \
> doctor
ERROR: Unable to write logs to provided file due to permissions error: doctor.log
failed to create sublogger (doctor): open doctor.log: permission denied
WARN: Logging will be disabled
Use `--log-file` to configure log file location
[1] Check paths and basic configuration
- [I] Configuration File Path: "/mnt/mina-gitea-data/custom/conf/app.ini"
- [I] Repository Root Path: "/mnt/mina-gitea-data/data/gitea-repositories"
- [I] Data Root Path: "/mnt/mina-gitea-data/data"
- [I] Custom File Root Path: "/mnt/mina-gitea-data/custom/"
- [I] Work directory: "/mnt/mina-gitea-data/"
- [I] Log Root Path: "/mnt/mina-gitea-data/log"
OK
[2] Check Database Version
- [I] Expected database version: 244
OK
[3] Check if user with wrong type exist
OK
[4] Check if OpenSSH authorized_keys file is up-to-date
- [C] Unable to open authorized_keys file. ERROR: open /home/git/.ssh/authorized_keys: permission denied
ERROR
[5] Synchronize repo HEADs
- [I] All 1 repos have their HEADs in the correct state
OK
Note that the doctor command can't write its own log file within snap confinement either.
Directory permissions:
dgregory@mina-gitea:~$ sudo ls -al /home/git/
total 32
drwxr-x--- 5 git git 4096 Jun 6 11:43 .
drwxr-xr-x 4 root root 4096 Jun 6 11:40 ..
-rw-r--r-- 1 git git 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 git git 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 git git 0 Apr 17 14:07 .cloud-locale-test.skip
drwx------ 3 git git 4096 Jun 6 11:43 .gnupg
-rw-r--r-- 1 git git 807 Jan 6 2022 .profile
drwx------ 3 git git 4096 Jun 6 11:43 snap
drwx------ 2 git git 4096 Jun 6 11:43 .ssh
dgregory@mina-gitea:~$ sudo ls -al /home/git/.ssh
total 8
drwx------ 2 git git 4096 Jun 6 11:43 .
drwxr-x--- 5 git git 4096 Jun 6 11:43 ..
-rw------- 1 git git 0 Jun 6 11:43 authorized_keys
Following the advice for Debugging snaps:
dgregory@mina-gitea:~$ sudo journalctl --since=-1m | grep audit
Jun 06 12:33:36 mina-gitea audit[2871]: AVC apparmor="DENIED" operation="mknod" profile="snap.gitea.gitea" name="/var/lib/snapd/void/doctor.log" pid=2871 comm="gitea" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
Jun 06 12:33:36 mina-gitea kernel: audit: type=1400 audit(1686054816.669:66): apparmor="DENIED" operation="mknod" profile="snap.gitea.gitea" name="/var/lib/snapd/void/doctor.log" pid=2871 comm="gitea" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
Jun 06 12:33:36 mina-gitea audit[2871]: AVC apparmor="DENIED" operation="open" profile="snap.gitea.gitea" name="/home/git/.ssh/authorized_keys" pid=2871 comm="gitea" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
Jun 06 12:33:36 mina-gitea kernel: audit: type=1400 audit(1686054816.737:67): apparmor="DENIED" operation="open" profile="snap.gitea.gitea" name="/home/git/.ssh/authorized_keys" pid=2871 comm="gitea" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
It seems that gitea is denied access to the authorized_keys file by AppArmor.
I think that the snap package needs the ssh-keys or ssh-public-keys interfaces to be added to the snapcraft.yml plugs.
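The journalctl lines above are the evidence to look for whenever a snap-confined service silently loses access to a file: AppArmor logs the refusal but the application itself only sees "permission denied". The following Python is an added example, not part of this report and not Gitea's code. It parses journalctl output for AppArmor DENIED records (journald carries each denial twice, once from the audit daemon and once via the kernel ring buffer, so the summary collapses duplicates), groups them per snap profile, and lists the denied paths under a given SSH_ROOT_PATH. The sample input is the four audit lines quoted above plus one constructed, unrelated sshd line to show that non-AppArmor lines are skipped.

```python
import re
from typing import Dict, List, Set, Tuple

# Sample input: the four journalctl lines quoted in this report, plus one
# constructed unrelated sshd line to show that non-AppArmor lines are ignored.
SAMPLE_JOURNAL = """\
Jun 06 12:33:36 mina-gitea audit[2871]: AVC apparmor="DENIED" operation="mknod" profile="snap.gitea.gitea" name="/var/lib/snapd/void/doctor.log" pid=2871 comm="gitea" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
Jun 06 12:33:36 mina-gitea kernel: audit: type=1400 audit(1686054816.669:66): apparmor="DENIED" operation="mknod" profile="snap.gitea.gitea" name="/var/lib/snapd/void/doctor.log" pid=2871 comm="gitea" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
Jun 06 12:33:36 mina-gitea audit[2871]: AVC apparmor="DENIED" operation="open" profile="snap.gitea.gitea" name="/home/git/.ssh/authorized_keys" pid=2871 comm="gitea" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
Jun 06 12:33:36 mina-gitea kernel: audit: type=1400 audit(1686054816.737:67): apparmor="DENIED" operation="open" profile="snap.gitea.gitea" name="/home/git/.ssh/authorized_keys" pid=2871 comm="gitea" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
Jun 06 12:33:40 mina-gitea sshd[2900]: Connection closed by 10.0.0.5 port 51234 (constructed line)
"""

# key=value pairs as AppArmor emits them: values are either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

Denial = Tuple[str, str, str]  # (operation, path, denied_mask)


def parse_apparmor_denials(journal_text: str) -> List[Dict[str, str]]:
    """One dict of key/value fields per line carrying apparmor="DENIED"; other lines are skipped."""
    records = []
    for line in journal_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: quoted or bare for k, quoted, bare in KV_RE.findall(line)})
    return records


def summarize_denials(journal_text: str) -> Dict[str, Set[Denial]]:
    """Group denials by AppArmor profile. journald logs each denial twice (audit daemon
    and kernel), so collecting them into a set collapses the duplicates."""
    summary: Dict[str, Set[Denial]] = {}
    for rec in parse_apparmor_denials(journal_text):
        key = (rec.get("operation", "?"), rec.get("name", "?"), rec.get("denied_mask", "?"))
        summary.setdefault(rec.get("profile", "?"), set()).add(key)
    return summary


def denied_paths_under(summary: Dict[str, Set[Denial]], profile: str, prefix: str) -> List[str]:
    """Paths below `prefix` that `profile` was refused; for Gitea, pass SSH_ROOT_PATH as the prefix."""
    prefix = prefix.rstrip("/") + "/"
    return sorted({path for _, path, _ in summary.get(profile, set()) if path.startswith(prefix)})


if __name__ == "__main__":
    result = summarize_denials(SAMPLE_JOURNAL)
    for prof, denials in result.items():
        for op, path, mask in sorted(denials):
            print(f"{prof}: {op} {path} (denied mask {mask})")
    print("denied under SSH_ROOT_PATH:", denied_paths_under(result, "snap.gitea.gitea", "/home/git/.ssh"))
```

Run against `sudo journalctl --since=-1m` piped into the script, the summary reduces the four raw lines to two distinct refusals for the `snap.gitea.gitea` profile, and the SSH_ROOT_PATH filter isolates the one that explains the empty authorized_keys file.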
Gitea Version
1.19.3
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
2.34.1
Operating System
Ubuntu 22.04
How are you running Gitea?
The Gitea server is provisioned using cloud-init and gitea is started using the systemd unit file.
The unit file has been overridden to specify the data paths and user:
[Service]
ExecStart=
ExecStart=/usr/bin/snap run gitea.web --config /mnt/mina-gitea-data/custom/conf/app.ini --work-path /mnt/mina-gitea-data --custom-path /mnt/mina-gitea-data/custom
User=git
It has been given the removable-media permission via snap connect gitea:removable-media before launching.
The gitea app.ini contains the following config for SSH_ROOT_PATH in the [server] section:
SSH_ROOT_PATH = /home/git/.ssh
Otherwise it tries to use /home/git/snap/gitea/<some number>/.ssh/authorized_keys, which is not shared with the OpenSSH server.
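SSH_ROOT_PATH decides which authorized_keys file Gitea rewrites, and this bug shows up as that file staying empty while sshd keeps reading it. The following Python is an added example, not Gitea's code: it reads SSH_ROOT_PATH from the [server] section of an app.ini (falling back to ~/.ssh, Gitea's documented default) and reports whether the authorized_keys beneath it exists, is mode 0600 and contains any key lines. Using the stdlib configparser is an assumption that holds for the simple [server] fragment shown above; the fixtures it builds in a temporary directory are constructed, and the key line is a placeholder, not a real key.

```python
import configparser
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed placeholder, not a real key; Gitea writes one line like this per registered key.
DEMO_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_NOT_A_REAL_KEY demo-user\n"


def ssh_root_path(app_ini: str) -> str:
    """SSH_ROOT_PATH from [server]; Gitea's documented default is ~/.ssh of the service user."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(app_ini)
    value = cfg.get("server", "SSH_ROOT_PATH", fallback="~/.ssh")
    return os.path.expanduser(value.strip().strip('"'))


def check_authorized_keys(app_ini: str) -> Dict[str, object]:
    """Report on the authorized_keys file that Gitea manages under SSH_ROOT_PATH."""
    path = os.path.join(ssh_root_path(app_ini), "authorized_keys")
    report: Dict[str, object] = {"path": path, "exists": False, "mode_ok": False, "key_count": 0}
    if not os.path.isfile(path):
        return report
    report["exists"] = True
    # sshd's StrictModes rejects group- or world-writable files; 0600 is the conventional mode.
    report["mode_ok"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    with open(path, encoding="utf-8") as fh:
        # Count non-blank, non-comment lines; zero is the symptom described in this report.
        report["key_count"] = sum(1 for line in fh if line.strip() and not line.lstrip().startswith("#"))
    return report


def build_fixture(root: str, key_lines: List[str]) -> str:
    """Constructed fixture: an app.ini whose SSH_ROOT_PATH points at root/ssh, plus an authorized_keys."""
    ssh_dir = os.path.join(root, "ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w", encoding="utf-8") as fh:
        fh.write("".join(key_lines))
    os.chmod(ak, 0o600)
    ini = os.path.join(root, "app.ini")
    with open(ini, "w", encoding="utf-8") as fh:
        fh.write(f"[server]\nSSH_ROOT_PATH = {ssh_dir}\n")
    return ini


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Two fixtures: the empty file this report describes, and one holding a single key."""
    base = tempfile.mkdtemp(prefix="gitea-ak-")
    empty = check_authorized_keys(build_fixture(os.path.join(base, "empty"), []))
    populated = check_authorized_keys(build_fixture(os.path.join(base, "full"), [DEMO_KEY]))
    return empty, populated


if __name__ == "__main__":
    for label, report in zip(("empty", "populated"), demo()):
        print(label, report)
```

Pointed at the real app.ini, `check_authorized_keys` gives a quick answer to the question this report raises: whether Gitea's managed file is the one sshd reads and whether Gitea ever managed to write anything into it.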
Database
SQLite