Snappy Confinement and AppArmor

Alexander Sack asac at canonical.com
Wed Feb 25 14:34:24 UTC 2015


On Wed, Feb 25, 2015 at 10:37 AM, Mark Shuttleworth <mark at ubuntu.com> wrote:
> On 23/02/15 11:17, Oliver Grawert wrote:
>> $SNAPP_APP_USER_DATA_PATH though beware! if your app runs as root
>> this will be /root/apps/<pkgname>/ by default.
>
> Something in me is as allergic to /root/<app>/ as it is to
> /home/ubuntu/<app>.
>
> Would it make sense to make the home directory for the app point to
> /var/lib/apps/<package> when running as root? My rationale would be that
> anything which is running as a service and writing data that is not
> user-specific should be doing so in /var/lib/apps/<app>/. This is
> equally true for a service running as a non-root, but non-real user, to
> the extent we want to enable those.

Right now we have APP_DATA_PATH which points to exactly that place in
/var/lib/apps/APP/. This is where global services are supposed to put
their global data.

APP_USER_DATA_PATH is only supposed to be used for cases where an app
wants to store stuff that is specific to that user.

For users that have no login shell, we shouldn't set this at all.
Also, I believe it would make sense to not set this for services.

But if I log in as root and run an app interactively, then I kind of
expect those apps to have a place to store stuff for me and I would
think having that place somewhere in $HOME makes sense.

So maybe the two things above will do the trick? e.g. not set USER
path for services and for binaries that are run as users without
HOME/login-shell?

>
> Mark