bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Snap desktop app does not have access rights to NSS Shared DB? #4038

Open nobwyn opened 2 years ago

nobwyn commented 2 years ago

Steps To Reproduce

Trying to log in to a self-hosted Bitwarden instance (with a self-signed certificate) from the Desktop App installed as a Snap.

Expected Result

Login should work

Actual Result

Login does not work and "Failed to fetch" error message is displayed.

Screenshots or Videos

No response

Additional Context

I have imported my own intermediate CA certificate as described by the documentation:

For our Linux desktop app, accessing the web vault using Chromium-based browsers, and the Directory Connector desktop app, you also need to complete this Linux cert management procedure.

This works when the application is installed "natively" - by installing the Bitwarden-amd64.deb from the website, but does not work when installed as Snap (snap install bitwarden).

Can it be that Snap is missing the rights to read the NSS Shared DB?

user@pc:~$ snap run --shell bitwarden
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

user@pc:/home/user$ cd .pki/
user@pc:/home/user/.pki$ ls   
ls: cannot open directory '.': Permission denied

My guess is that home-interface allows the application to access non-hidden files only, while NSS Shared DB is located under $HOME/.pki/nssdb and would require personal-files-interface configuration?

Operating System

Linux

Operating System Version

Ubuntu 22.10

Installation method

Snap

Build Version

2022.10.1

Hinton commented 2 years ago

Snap applications are sandboxed. Not sure if there is a way to get the certificates into the snap container.

nobwyn commented 2 years ago

According to the documentation, the path(s) can be whitelisted, like for example:

name: foo
...
plugs:
  dot-config-foo:
    interface: personal-files
    read:
    - $HOME/.config/foo

apps:
  foo:
    plugs:
    - dot-config-foo
    ...

So in my understanding it could be possible to give access to $HOME/.pki/nssdb. But as I've never built a snap myself, it's just a guess...
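
A host-side check for the question raised in this thread, as an added example that is not part of the original issue or of Bitwarden's code: it reads the table printed by `snap connections <snap>` and reports whether a personal-files plug is connected, declared but not connected, or not declared at all. The function name, the sample tables, the snap name `example` and the plug name `dot-pki-nssdb` are constructed assumptions.

```shell
#!/bin/sh
# Classify a snap's personal-files plug from `snap connections <snap>` output.
# Reads the table on stdin and prints exactly one of:
#   connected             a personal-files plug is attached to a slot
#   declared-unconnected  the snap declares the plug, but nobody connected it
#   absent                the snap declares no personal-files plug
personal_files_state() {
    awk '
        $1 == "personal-files" {
            seen = 1
            # The Slot column holds "-" while the plug is not connected.
            if ($3 != "-") connected = 1
        }
        END {
            if (connected)  print "connected"
            else if (seen)  print "declared-unconnected"
            else            print "absent"
        }'
}

# Constructed sample tables (not captured from a real Bitwarden install).
# Only the home interface: top-level hidden directories such as ~/.pki
# stay unreadable inside the sandbox.
SAMPLE_HOME_ONLY='Interface  Plug             Slot      Notes
home       example:home     :home     -
network    example:network  :network  -'

# Plug declared in snapcraft.yaml but never connected.
SAMPLE_DECLARED='Interface       Plug                   Slot   Notes
home            example:home           :home  -
personal-files  example:dot-pki-nssdb  -      -'

# Plug connected, either manually or through a store auto-connection.
SAMPLE_CONNECTED='Interface       Plug                   Slot             Notes
home            example:home           :home            -
personal-files  example:dot-pki-nssdb  :personal-files  manual'

# Live use on a host with snapd installed:
#   snap connections bitwarden | personal_files_state
```

`snap connections` does not show which paths a plug covers, so a `connected` result still has to be compared with the `read:` list in the snap's own metadata.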