Replacing Postinst Scripts
Jamie Strandboge
jamie at canonical.com
Thu Nov 19 18:53:09 UTC 2015
On 11/19/2015 12:05 PM, Mark Shuttleworth wrote:
...
> * users
>
> Snappy systems are multi-user systems (fred, joe, pete). What's not
> clear is the need for "system" users like the traditional "www-data" and
> "postgres" users. In the olden days of UNIX, users were the only way to
> separate access to files on the system. Today, we use modern kernel
> primitives like apparmor and namespaces to control access to the
> filesystem, for example. Even an app running as your user cannot read
> stuff that apparmor prevents them from seeing.
>
Yes.
In answering people's question wrt confinement on snappy I recall three reasons
people give in favor of snappy supporting these types of system users:
1. people are porting a traditional app to Ubuntu Core. I think this is what
Robert is getting at-- he is using traditional applications that don't
necessarily (yet) understand the snappy world and so certain code
modifications need to be made to disable an assumed-to-be-there system
user
2. we've stated that confinement shouldn't get in the way of apps within the
same snap being able to share data, communicate with each other, etc. If we
consider a really thick snap like a LAMP stack, developers may be concerned
about 'in-snap security' such as their webserver getting cracked and an
attacker overwriting files in their database, etc.
3. Related to '2', some people may want to code for defense in depth and want
to drop privileges to augment the security snappy provides.
Opting into per-app system users via yaml could ease porting efforts and/or
snapcrafting certain applications. These users could also be a mechanism for
developers to address '2' as well, but alternatively we could refine our
thoughts on 'in-snap security' (eg, expose yaml declarations for who can talk to
what).
I've not really thought this all through/discussed with architects, etc, but my
gut tells me we are doing the right thing wrt 'in-snap security' (ie, we
shouldn't add complexity surrounding snap security policy), but providing some
mechanism to create per-snap users that developers could opt into would provide
some flexibility when the developers want it.
--
Jamie Strandboge http://www.ubuntu.com/
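Point 3 above (dropping privileges inside a snap for defense in depth) is the one place in this message a practitioner would want to see concretely. The following is an added illustration written for this page; it is not snappy's code, not Jamie's, and it assumes nothing about how per-app users would be declared in yaml. It shows the privilege-drop sequence a service written in Python would run after starting as root: clear supplementary groups, set the primary group while still root, set the uid last, then prove the drop cannot be reversed. The `FakeSystem` class is a constructed stand-in for the `os` module so the ordering can be exercised (and the classic "setuid before setgid" mistake shown) without actually running as root; the uid/gid values used in the demo are constructed placeholders.

```python
"""Drop root privileges to a dedicated service user, in the correct order.

Added example for this discussion; not snappy's own code. The real call
sequence uses the standard os module (setgroups -> setgid -> setuid); the
FakeSystem class below only records and simulates those calls so the
ordering rules can be demonstrated by an unprivileged process.
"""
import os
import pwd


def resolve_user(name, lookup=pwd.getpwnam):
    """Map a service account name to (uid, gid) via the passwd database."""
    pw = lookup(name)
    return pw.pw_uid, pw.pw_gid


def drop_privileges(uid, gid, groups=(), sysapi=os):
    """Irreversibly switch from root to uid/gid.

    sysapi defaults to the real os module; a FakeSystem can be passed in
    for testing. Returns the identity that is in effect afterwards.
    """
    if sysapi.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to uid 0 or gid 0")
    # 1. Supplementary groups first: this needs root, and leaving the
    #    inherited root groups behind would silently keep extra access.
    sysapi.setgroups(list(groups))
    # 2. Primary group while we are still root; after setuid this would fail.
    sysapi.setgid(gid)
    # 3. uid last. As root, setuid() sets real, effective and saved uid,
    #    which is what makes the drop permanent.
    sysapi.setuid(uid)
    # 4. Verify: if we can become root again, the drop was not real.
    try:
        sysapi.setuid(0)
    except OSError:
        pass
    else:
        raise RuntimeError("privilege drop was reversible; aborting")
    if sysapi.getuid() != uid or sysapi.geteuid() != uid or sysapi.getgid() != gid:
        raise RuntimeError("identity after drop does not match the target")
    return {"uid": sysapi.getuid(), "gid": sysapi.getgid()}


class FakeSystem:
    """Constructed stand-in for os that models real/effective/saved ids and
    the EPERM rules that matter for ordering. Records every call."""

    def __init__(self):
        self.uid = self.euid = self.suid = 0
        self.gid = 0
        self.groups = [0]
        self.calls = []

    def geteuid(self): return self.euid
    def getuid(self): return self.uid
    def getgid(self): return self.gid

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))
        if self.euid != 0:
            raise PermissionError("setgroups requires privilege")
        self.groups = list(groups)

    def setgid(self, gid):
        self.calls.append(("setgid", gid))
        if self.euid != 0 and gid != self.gid:
            raise PermissionError("setgid to a new group requires privilege")
        self.gid = gid

    def setuid(self, uid):
        self.calls.append(("setuid", uid))
        if self.euid == 0:
            self.uid = self.euid = self.suid = uid   # privileged: set all three
        elif uid in (self.uid, self.suid):
            self.euid = uid                          # unprivileged: only toggle
        else:
            raise PermissionError("setuid to an arbitrary uid requires privilege")


if __name__ == "__main__":
    # Constructed demo identity (33 is merely a placeholder uid/gid).
    fake = FakeSystem()
    print(drop_privileges(33, 33, sysapi=fake))
    print(fake.calls)
```

In a real service the call would be `drop_privileges(*resolve_user("my-service-user"))` right after the process has bound any privileged ports or opened any root-only files, with `sysapi` left at its default. The `setuid(0)` probe in step 4 is the check that catches the case where only the effective uid was changed (for example by `seteuid`), which would let a compromised web server climb back to root.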