Ubuntu
chromium-browser package

[snap] smart card reader no longer works

Bug #1843392 reported by Andreas Pokorny
126
This bug affects 24 people
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Confirmed
Unknown
chromium-browser (Ubuntu)
In Progress
High
Nathan Teodosio
firefox (Ubuntu)
Confirmed
High
Unassigned

Bug Description

chromium uses the Netscape Cryptographic Module to access smartcards for authentication purposes. This stopped working when switching to the snap version. Chromium would normally access the setup in ~/.pki/nssdb/pkcs11.txt That file would refer to a library used to access the smart card. I.e /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

The problem can be bypassed by manually launching chromium via: /snap/chromium/current/usr/lib/chromium-browser/chrome

See original description
Tags: snap
Paul White (paulw2u)
tags: added: snap
Andreas Pokorny (andreas-pokorny)
description: updated
Revision history for this message
Olivier Tilloy (osomon) wrote :

This is similar to https://forum.snapcraft.io/t/cant-load-security-device-in-firefox-snap/12471.

You probably already know that, but just in case: running /snap/chromium/current/usr/lib/chromium-browser/chrome directly results in bypassing the snapd sandbox, so it's never a good idea (other than for testing/debugging purposes).

The proposed approach to solve this that was discussed with the security team is:
 - stage common PKCS modules in the snap
 - add a layout for /usr/lib/pkcs11 pointing to a writeable area of the snap (e.g. $SNAP_USER_DATA/.local/lib)
 - on first run, copy the common PKCS modules to that writeable area
 - document that custom modules (and their dependencies?) should be manually copied to that directory
 - create a new interface (not auto-connected, that's okay) for access to /var/run/pcscd/pcscd.comm

I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

summary: - [snap] smart card reader no longer works after switching to snap verison
+ [snap] smart card reader no longer works
Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Andreas Pokorny (andreas-pokorny) wrote :

My impression was that smart card readers are pretty common and it is the smartcards that keep changing. So USB access to the smart card devices class should be enough there.

Being able to add custom/newer pkcs smartcard support modules sounds like a good idea.

I wonder if that could be something shared across applications? I.e. Firefox / Opera or other Nodejs Desktop applications that reuse chromium, will need something similar.

Revision history for this message
Andreas Pokorny (andreas-pokorny) wrote :

https://github.com/glasen/snap-ausweisapp2-ce/blob/master/snap/snapcraft.yaml

This is another snap that supports smart card readers. It seems to package pcscd...

Revision history for this message
Olivier Tilloy (osomon) wrote :

Well spotted, thanks Andreas!

Revision history for this message
Andreas Pokorny (andreas-pokorny) wrote :

I recently had to switch my company card and it now uses a newer version so it get mis-identified by pcsc-lite from debian - but works fine in the latest release of pcsc-lite. As companies like Atos seem to frequently roll out new versions of their cards it would be nice if we could have opensc (I assume this is also in use - not sure whether it is client or server side) and pcsc-lite in a separate snap built from a more recent source

anneputarunbharadwaj (anneputarunbharadwaj-123)
Changed in chromium-browser (Ubuntu):
assignee: Olivier Tilloy (osomon) → anneputarunbharadwaj (anneputarunbharadwaj-123)
Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
assignee: anneputarunbharadwaj (anneputarunbharadwaj-123) → Olivier Tilloy (osomon)
Revision history for this message
Seifeddine Gamoudi (gamoudis) wrote :

I switched to firefox (non snap version) to avoid this bug.

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0

Steps to reproduce:

This is a snap-specific issue. It was previously reported in various places:
  - https://forum.snapcraft.io/t/cant-load-security-device-in-firefox-snap/12471
  - https://forum.snapcraft.io/t/confined-browser-snaps-cant-use-system-libraries-pkcs11-and-native-host-messaging-what-do-we-do/11828
  - https://forum.snapcraft.io/t/access-external-lib-to-use-usb-token-in-firefox/13959
  - https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392

Snapd's strict confinement makes it impossible for the firefox snap to load PKCS#11 security devices from `about:preferences#privacy` ("Security Devices" button in the "Security" section), because it denies access to `/usr/lib/pkcs11` and to `/var/run/pcscd/pcscd.comm`.

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

(from https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)

The proposed approach to solve this that was discussed with the Ubuntu security team is:
 - stage common PKCS modules in the snap
 - add a layout for `/usr/lib/pkcs11` pointing to a writeable area of the snap (e.g. `$SNAP_USER_DATA/.local/lib`)
 - on first run, copy the common PKCS modules to that writeable area
 - document that custom modules (and their dependencies?) should be manually copied to that directory
 - create a new interface (not auto-connected, that's okay) for access to `/var/run/pcscd/pcscd.comm`

I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Firefox counterpart: https://bugzilla.mozilla.org/show_bug.cgi?id=1734371

Revision history for this message
In , Release-mgmt-account-bot (release-mgmt-account-bot) wrote :

The [Bugbug](https://github.com/mozilla/bugbug/) bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Revision history for this message
In , Dkeeler (dkeeler) wrote :

Seems like it would be easier to allow access to `/usr/lib/pkcs11` and `/var/run/pcscd/pcscd.comm`, but I don't know what options snap has for that.

Revision history for this message
In , W-jan-k (w-jan-k) wrote :

This seems similar: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging
IIUC Firefox and Chrome (as important as systemd) need to be able to start binaries that are defined in certain json files. Those binaries are installed by non-snap packages or scripts and need to run as the regular user. Such a binary can be used to control other applications or to talk to hardware or to flash firmware.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests
> There are three different types of native manifest:
> * Native messaging manifests
> * Managed storage manifests
> * PKCS #11 manifests

> Linux
> For global visibility, store the manifest in either:
> /usr/lib/mozilla/native-messaging-hosts/<name>.json
> /usr/lib/mozilla/managed-storage/<name>.json
> /usr/lib/mozilla/pkcs11-modules/<name>.json
or:
> /usr/lib64/mozilla/native-messaging-hosts/<name>.json
> /usr/lib64/mozilla/managed-storage/<name>.json
> /usr/lib64/mozilla/pkcs11-modules/<name>.json
>
> For per-user visibility, store the manifest in:
> ~/.mozilla/native-messaging-hosts/<name>.json
> ~/.mozilla/managed-storage/<name>.json
> ~/.mozilla/pkcs11-modules/<name>.json

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

Right, so for the pkcs11 browser extension API to work, we will also need to grant the firefox snap read access to `/usr/lib{,64}/mozilla/{native-messaging-hosts,managed-storage,pkcs11-modules}`. Thanks @Darkspirit for this additional piece of information.

For future reference, manual installation and provisioning through the API of PKCS#11 modules is documented here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Installation.

Revision history for this message
In , W-jan-k (w-jan-k) wrote :

Not only that, the snap would need to parse these json files and allow Firefox&Chrome to start the binary defined in "path" with full access to the system as a regular user. The binary needs to be able to do what it wants. (It's somewhat like allowing Firefox to start pre-defined systemd services.)
If that doesn't happen, users might switch to a potentionally less secure alternative to native messaging, for example, running a local webserver accessible by every website and possibly without proper authentication which then executes commands.

Revision history for this message
In , W-b (w-b) wrote :

Another option could be to create a dbus service to enumerate and/or use PKCS#11 modules that are registered into p11-kit. This would allow any PKCS#11 module to work, not just those that use pcsclite behind the scenes.

That might be a bit more work (the full p11-kit and PKCS#11 API would need to be mapped onto dbus), but it seems to me to be less of a layering violation?

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

As pointed out by several persons in various places, this problem (PKCS#11 modules) and the issue with native messaging share a common denominator: native manifests (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests).

Revision history for this message
In , W-jan-k (w-jan-k) wrote :

> S2 (Serious) Major functionality/product severely impaired and a satisfactory workaround does not exist

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

See https://github.com/flatpak/xdg-desktop-portal/issues/662.

Revision history for this message
In , Douglas E Engert (dengert) wrote :

When apparmor is also used, the PKCS11 module also needs "M" (file_mmap) but this is a first step
I believe the idea of copying the files to a the "doc" is not needed, if "M" and "R" access were available to
/usr/lib/x86_64-linux-gnu/pkcs11 (or equivalent on other systems.) This is where the p11-kit-client.so module (and others) resides.

As an OpenSC developer, this problem as been reported on https://github.com/OpenSC/OpenSC/issues/2552
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632.

Let me know if there is anything I can do to assist is getting smart cards working again with snap.

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

The linked https://github.com/flatpak/xdg-desktop-portal/issues/662 has had no activity, can we help in some way?

Revision history for this message
In , Douglas E Engert (dengert) wrote :

> The linked https://github.com/flatpak/xdg-desktop-portal/issues/662 has had no activity, can we help in some way?

Maybe. The problem appears to be with the packaging of PKCS11 modules when using SNAP as noted in: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/8

The Debian version of FireFox without SNAP works fine, but Ubuntu in 22.04 packaged FireFox as a SNAP application does not.

I would hope that Mozilla developers could could work with Ubuntu SNAP developers to resolve the issue. Either to get it to work with SNAP or talk Ubuntu in to not making the default FireFox be the SNAP version.
As best as I can tell every PKCS11 module would have to be configured for SNAP and that does not look easy.

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

For the proposal of a PKCS#11 portal to stand a reasonable chance of being accepted and implemented, I think we need to wait for the WebExtensions portal to prove itself (this is in a fairly advanced state, the portal is already available in Ubuntu 22.04, and integration in Firefox is complete and I'm hoping it'll land soon).

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

(In reply to deengert from comment #13)
> > The linked https://github.com/flatpak/xdg-desktop-portal/issues/662 has had no activity, can we help in some way?
>
> Maybe. The problem appears to be with the packaging of PKCS11 modules when using SNAP as noted in: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/8

Thanks, it's detailed, having a quick look it seems like it's already properly documented as distro-level packaging issue then ?

Revision history for this message
In , Douglas E Engert (dengert) wrote :

Yes it looks like distro-level packaging issue. But to end user it looks like a regression of FireFox and/or smartcard support which is important to only a small percentage of FireFox users. So distro maybe slow to do anything about it. A few words to the distro from Mozilla might help get this fixed.

Revision history for this message
Peter Lavender (peter-lavender) wrote :

Has there been progress on this matter?

Manjaro works fine as it's not using snap, firefox and chromium don't on LTS 2204.

Revision history for this message
In , L-bugzilla (l-bugzilla) wrote :

(In reply to Olivier Tilloy from comment #1)
> (from https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)
>
> The proposed approach to solve this that was discussed with the Ubuntu security team is:
> - stage common PKCS modules in the snap
> - add a layout for `/usr/lib/pkcs11` pointing to a writeable area of the snap (e.g. `$SNAP_USER_DATA/.local/lib`)
> - on first run, copy the common PKCS modules to that writeable area
> - document that custom modules (and their dependencies?) should be manually copied to that directory
> - create a new interface (not auto-connected, that's okay) for access to `/var/run/pcscd/pcscd.comm`
>
> I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

Why can't the snap package be configured to just let access to /var/run/pcscd/pcscd.comm?
The PKCS#11 libs are normally platform/distribution dependent, so you can't just include it in a snap package hoping this will works anywhere.
Dependencies are more platform dependent, 1 over all: libpcsclite.so.1 library shall match the protocol version of his server, you can't just bring it in the snap packages and hope it works.
It looks like Snap is by now very immature technology to run the default version of FF on Ubuntu.

Wouter Verhelst (wouter-debian)
no longer affects: firefox (Ubuntu)
Revision history for this message
Wouter Verhelst (wouter-debian) wrote :
Download full text (3.7 KiB)

Whoops, sorry, I didn't mean to do that :)

Basically though, this is causing issues for users in, e.g., Belgium, who want to do their tax declaration using Ubuntu and their electronic ID card. We are currently guiding users to use a non-snap browser (see https://eid.belgium.be/en/faq/why-it-not-possible-use-eid-software-snap-andor-flatpak#7636), and that's just sad.

Comment #1 mentions a proposal to possibly resolve this. Since it explicitly asks for feedback, here is some (belated) feedback:

First, PKCS#11 is about more than just smartcards. While allowing access to the pcscd socket from within the confined environment might allow some PKCS#11 modules to work, using this as a solution assumes all PKCS#11 modules use PC/SC as a backend API, and that's a wild assumption which is probably not true for everything. PKCS#11 is a generic cryptographic plug-in API, which allows hardware crypto modules of any kind (e.g., USB tokens, Networked HSMs, PCI(e) crypto accelerator boards, TPM modules, etc etc) to be plugged into anything. libnss uses it mostly for smartcards, and all browsers on Linux do so as well, but it can also be used by libreoffice and evolution to sign documents, it is extensively used by OpenDNSSEC for its crypto operations (going so far as providing a "SoftHSM" pkcs#11 module and not having native crypto), OpenSSH has had PKCS#11 code for a while to read and use certificates, and there are ways to hook PKCS#11 up to OpenSSL allowing for a large number of other applications to use HSMs.

PKCS#11 modules could possibly access the hardware that they're written for using PC/SC (which this proposal could possibly work for, as long as the libpcsclite.so inside the snap and the pcscd outside the snap are sufficiently in sync), but this would not help PKCS#11 modules for USB tokens, TPM modules, PCI crypto accelerators, or possibly networked systems (depending on how the host application is confined).

Apart from hardware, PKCS#11 modules may sometimes need to do other things as well. E.g., the Belgian eID middleware needs to occasionally show certain messages to the user, for which it uses the GnuPG pinentry framework to show a dialog box that integrates with the user's UI. Unless this is explicitly allowed by the snap, this won't work. There might be other similar issues with other PKCS#11 modules, which means that running them in a confined environment might just not work.

So while this may be a solution for some PKCS#11 modules, it will not be a solution for all.

Additionally, the PKCS#11 modules need to be installed and registered in host applications. For NSS-based applications, this means they need to be installed using "modutil". Chrome doesn't even *have* any UI to install PKCS#11 modules; Firefox does, but it's so basic and confusing to users that I developed a "browser.pkcs11" add-on API for Firefox to allow modules to be registered using an add-on. These work with native manifests (intentionally similar to native messaging manifests) and expect the PKCS#11 module to be in the location as specified by the manifest. Libreoffice just gave up and looks for a Firefox, Thunderbird, or Chromium configuration directory and reuses ...

Read more...

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

(In reply to Olivier Tilloy from comment #1)
> (from https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)
>
> The proposed approach to solve this that was discussed with the Ubuntu security team is:
> - stage common PKCS modules in the snap
> - add a layout for `/usr/lib/pkcs11` pointing to a writeable area of the snap (e.g. `$SNAP_USER_DATA/.local/lib`)
> - on first run, copy the common PKCS modules to that writeable area
> - document that custom modules (and their dependencies?) should be manually copied to that directory
> - create a new interface (not auto-connected, that's okay) for access to `/var/run/pcscd/pcscd.comm`
>
> I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

Is this still a plan ? Is anybody on Canonical side working on that ?

Revision history for this message
In , Olivier Tilloy (osomon) wrote :

Not currently, but it is on my short-term to-do list.

Revision history for this message
miguelquiros (mquiros) wrote :

I have been hit by this issue, in my case using firefox, but basically is the same thing. The possibility of loading a security device is fully eliminated. And there are also other functionalities that have been severely damaged by moving firefox to a snap with the inherent restrictions in accessing information in the hard disk. For example, I cannot load an html file located somewhere in the file system. When downloading something from the web, the program suggests me the obscure location /run/user/500/... (instead of, for example ~/Download) which is quite confusing (apparently there is some kind of mapping with regular user folders). Something that I have noticed, when starting from a terminal, is that the program complains about not finding libcanberra-gtk-module (it is installed in the system but apparently not present inside the snap, nothing can be done to avoid the warning but, fortunately, it does not seem to affect program performance).

I can circumvent these inconveniences by executing firefox outside the sandbox (as suggested above for chromium), the command is (I have defined an alias for avoiding keying it in full every time):
 /snap/firefox/current/usr/lib/firefox/firefox
This creates the old .mozilla folder with all the information, I can export certificates, bookmarks, ... from the firefox started within the sandbox and import them in firefox started out of the sandbox.
I guess it is probably not a good idea to execute the program in such an unorthodox way but, for the moment being, this workaround seems to work for me with firefox "out-of-the-sandbox" behaving the old way.
I do not know if all these problems may be qualified as a bug or perhaps they are just the consequences of the wrong (in my opinion) decision, of moving firefox and chromium to snap which implies a lot of restrictions in the use of the information in the disk and in the way of interacting with other libraries or programs of the system.
For the moment being, for anyone being affected by any of this issues, the recommendation could be, as told above, to uninstall snap firefox and install the program from firefox website instead of from ubuntu repo.

Nathan Teodosio (nteodosio)
Changed in firefox (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in chromium-browser (Ubuntu):
assignee: Olivier Tilloy (osomon) → nobody
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Confirmed
Nathan Teodosio (nteodosio)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Nathan Teodosio (nteodosio)
status: Confirmed → In Progress
Revision history for this message
Pascal Dal Farra (pdalfarr) wrote :

Hi,
Can I kindly ask you the status of the resolution of this issue?

Thanks.

PS:
I think I incidentally removed the 'duplicate' tag on this bug and I don't know how to undo that / reset the 'duplicate' tag'. Sorry about that :/

Revision history for this message
Nathan Teodosio (nteodosio) wrote : Re: [Bug 1843392] Re: [snap] smart card reader no longer works

Hi, Pascal. The snap with the new pcscd interface is awaiting approval
from the Snapcraft team.

Once that is done I'll post here so that someone can attempt to verify
the fix.

> I think I incidentally removed the 'duplicate'

Don't worry, it remains logged in the full activity log page (link at
the end of comment section), so I just added it back, thanks for the
heads up.

Revision history for this message
Pascal Dal Farra (pdalfarr) wrote :

Thanks for the update.
I'll be glad to test the fix.

Revision history for this message
Nathan Teodosio (nteodosio) wrote :

Hi Pascal, not sure you receive notifications for the duplicate, but in LP:1967632 I have released a tentative fix with a test case.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.