Closed Bug 1473602 Opened 2 years ago Closed 1 year ago

Ubuntu Firefox installed from snap cannot use U2F

Categories

(Release Engineering :: Release Automation: Snap, defect, P5)

Tracking

(firefox67 fixed, firefox68 fixed)

RESOLVED FIXED

People

(Reporter: bugzilla, Assigned: olivier)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180621125625

Steps to reproduce:

1. Enable Yubikey U2F support by setting the following configs:

security.webauth.webauthn: true
security.webauth.webauthn_enable_softtoken: false
security.webauth.webauthn_enable_usbtoken: true

2. Go to https://demo.yubico.com/u2f or any site that supports U2F.

3. Try to use U2F.



Actual results:

Immediately there is an error. The error from the Yubico demo site is:


Registration failed!

Make sure you have a U2F device connected, and try again.

 Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 1 (OTHER ERROR)
 
Likewise, trying to use the U2F device at a site where it is already registered also fails.


Expected results:

U2F device registration and usage should work.
If I use Firefox installed via `apt install firefox`, then U2F works correctly.
I tried to test this, but unfortunately we don't have the proper device (U2F) to do that. I think the most suitable component for this is Core DOM: Device Interfaces.
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
Priority: -- → P5
Output from journalctl when Firefox tries to interact with my Yubikey shows:

Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:178): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:179): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
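
An added example, not part of the original bug thread: a small parser for the AppArmor denial records quoted above, reporting which confined snap was refused which hidraw device and decoding the hex-encoded `comm` field. The function names and the fourth sample line are assumptions made for this illustration.

```python
import re

# Lines 1-3 are copied from the journalctl output quoted above; line 4 is constructed.
SAMPLE = """\
Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:178): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
Sep 12 12:05:02 shirka audit[6000]: AVC apparmor="DENIED" operation="open" profile="snap.example.app" name="/dev/video0" pid=6000 comm="example" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
SNAP_PROFILE = re.compile(r"snap\.([^.]+)\.(.+)")
HIDRAW = re.compile(r"/dev/hidraw\d+")


def parse_fields(line):
    """Split one audit record into a dict of key/value pairs."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in ("comm", "name") and HEX.fullmatch(bare):
            # audit writes untrusted strings unquoted and hex-encoded when
            # they contain spaces or control bytes (here: a thread name).
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def hidraw_denials(log_text):
    """Return one entry per (snap profile, device, pid, mask) denial."""
    seen, results = set(), []
    for line in log_text.splitlines():
        f = parse_fields(line)
        profile = SNAP_PROFILE.fullmatch(f.get("profile", ""))
        if f.get("apparmor") != "DENIED" or not profile:
            continue
        if not HIDRAW.fullmatch(f.get("name", "")):
            continue
        key = (f["profile"], f["name"], f.get("pid"), f.get("denied_mask"))
        if key in seen:  # the journal carries each event twice (audit + kernel)
            continue
        seen.add(key)
        results.append({"snap": profile.group(1), "app": profile.group(2),
                        "device": f["name"], "comm": f.get("comm"),
                        "denied": f.get("denied_mask")})
    return results
```
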
This is going to be an Ubuntu upstream configuration issue somewhere in the package management chain, not something we can fix from Firefox. 

Firefox needs access to the udev hidraw [1] devices of the security tokens.

It might eventually be doable to use non-raw access, but that requires drivers for U2F for Linux, so for now it's raw. 

Anyway, I'd open this on Canonical's tracker, I'm sorry.

[1] https://github.com/jcjones/u2f-hid-rs/blob/master/src/linux/hidraw.rs
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

A u2f-devices interface has been added to snapd [1]. The Chromium snap build now works with U2F devices after connecting the interface to the Chromium plug.

[1] https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164

This allows the confined snap to interact with Universal 2nd Factor devices, such as Yubikeys.

I rebuilt the snap package with the u2f-devices plug and verified that this allows accessing my Yubikey in firefox.

Status: RESOLVED → REOPENED
Component: DOM: Device Interfaces → Release Automation: Snap
Ever confirmed: true
Product: Core → Release Engineering
QA Contact: jlorenzo
Resolution: INVALID → ---
Version: 61 Branch → unspecified
Pushed by jlorenzo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f9e3bff5575
Add u2f-devices plug to snap package. r=jlorenzo
Status: REOPENED → RESOLVED
Closed: 2 years ago → 1 year ago
Resolution: --- → FIXED
Assignee: nobody → olivier

I'm still having this issue when using Firefox installed using snap. I do not have this issue if I install using apt. The u2f part is specifically not working, as I am able to use it as an input device to fill forms that have a field for a one-time password.

I'm on Ubuntu 18.04 running the following version of the Firefox snap:

$ sudo snap list firefox
Name     Version   Rev  Tracking  Publisher  Notes
firefox  69.0.1-1  266  stable    mozilla✓   -

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Steps to reproduce:

  1. go to https://demo.yubico.com/webauthn-technical/registration
  2. hit next to start prompt for u2f key
  3. insert yubikey and press button after it lights up

Expected result:
u2f authentication successful

Actual result:
nothing happens. u2f protocol does not initiate.

@rccausey: you'll need to manually connect the u2f-devices interfaces for this to work:

snap connect firefox:u2f-devices

Can you confirm that your U2F device is recognized and usable in the firefox snap after doing this and restarting the app?

(In reply to Olivier Tilloy from comment #12)
> @rccausey: you'll need to manually connect the u2f-devices interfaces for this to work:
>
> snap connect firefox:u2f-devices
>
> Can you confirm that your U2F device is recognized and usable in the firefox snap after doing this and restarting the app?

Yes, once I do that it works. Is there not something in the snap build file that can specify this connection is required automatically?

According to the documentation, no, this interface can't be auto-connected.
