Using sudo from within a snap
jamie at canonical.com
Tue Aug 16 15:59:43 UTC 2016
On Tue, 2016-08-16 at 09:53 -0400, Chris Wayne wrote:
> Is this something that could be added to the roadmap? We'd really prefer
> to not have to call the snap itself with sudo as it creates some
> permissions issues (root-owned dirs in $HOME for example) and some other
> general flakiness. What would the sudo interface entail, just access to
> /usr/bin/sudo and /etc/sudoers.d/snap.mountpoint?

In the bug we're focused on sudo and/or pkexec not working within a devmode
snap. With devmode, sudo should work and we can work through how to fix that.
Indeed, the conversation has moved to the bug.

Using sudo from within a strict mode snap is fundamentally at odds with what
strict mode is meant to accomplish and adding a sudo interface while keeping
strong confinement is a very thorny problem. This mailing list discussion veered
into that area, but I suggest we focus on devmode.

> On Mon, Aug 8, 2016 at 5:27 AM, Oliver Grawert <ogra at ubuntu.com> wrote:
> > hi,
> > On Monday, 08.08.2016, at 09:36 +0200, Simon Fels wrote:
> > >
> > > On 06.08.2016 15:54, Chris Wayne wrote:
> > > >
> > > >
> > > > Hi guys,
> > > >
> > > > I seem to be having some issues while running anything as sudo from
> > > > within a snap (namely bug
> > > > https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1610292).
> > > If you package sudo within your snap snapcraft will strip the
> > > necessary suid bit from it so it won't work anymore. Only way to use
> > > sudo is to use the one from the core snap.
> > >
> > how would you hook into /etc/sudoers (or /etc/sudoers.d/) ?
> > snapd would have to install or bind-mount a sudoers file above the one
> > from the core snap ... you also need to make sure that your user exists
> > in the password db ... both gets very hairy in an all-snap image where
> > the core snap is actually the rootfs (and both of the above files are
> > required for having the system functional)
> > i could imagine a sudo interface here (for the binary) and shipping a
> > generic /etc/sudoers.d/snapd mountpoint in the core snap where
> > snapd/snap-confine could bind-mount a shipped sudoers snippet, but that
> > still leaves the passwd db issue open...
> > ciao
> > oli
> > --
> > Snapcraft mailing list
> > Snapcraft at lists.snapcraft.io
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Jamie Strandboge | http://www.canonical.com