Attempting to snap screen

I’ve not looked at it extensively, but screen is setgid utmp because it is not built with --enable-utempter. If it was (like tmux is) though, then the snap would end up staging libutempter0, which ships a setgid utmp helper.

I don’t understand why screen needs access to password hashes or expiry data in /etc/shadow. It might be related to its use of PAM. It doesn’t seem like tmux needs this access. Have you tried?

Assuming that tmux (you did say you didn’t care which you used) doesn’t need access to /etc/shadow, that leaves how to deal with it shipping a setgid binary. The store has the checks for setuid/setgid as a safeguard to ensure basic DAC checks remain in place with typical usage, so while we could add a per-snap override to allow it, I suspect you are really wanting this to be open to anyone through interface connections, which is incompatible with a snap shipping a setgid binary. I see a few ways forward there:

  • the core snap ships libutempter0 and tmux/screen snaps do not. They use the libutempter0 on the system. We add an interface that allows using the lib and helper
  • the core snap ships tmux itself and we add an interface that allows using it
  • the core snap ships a new ‘classic’ interface (name TBD; Classic interface)
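
An added example, not part of the original post and not the store's own review logic: a local pre-upload check that lists setuid/setgid regular files in a staged snap tree, such as the setgid utmp helper that staging libutempter0 would pull in. The default directory name `prime` and the choice to ignore directories are assumptions of this sketch.

```python
import os
import stat
import sys


def special_bits(mode):
    """Return which of setuid/setgid are set on a regular file's mode."""
    # Assumption: only regular files matter here; setgid on a directory
    # only changes group inheritance for new entries.
    if not stat.S_ISREG(mode):
        return []
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def scan(root):
    """Walk root and return (relative path, bits, uid, gid) per flagged file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            bits = special_bits(st.st_mode)
            if bits:
                rel = os.path.relpath(path, root)
                findings.append((rel, bits, st.st_uid, st.st_gid))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: the staged tree is in ./prime unless a path is given.
    root = sys.argv[1] if len(sys.argv) > 1 else "prime"
    results = scan(root)
    for rel, bits, uid, gid in results:
        print(f"{'+'.join(bits):14} uid={uid} gid={gid} {rel}")
    # Non-zero exit so a build script can stop before upload.
    sys.exit(1 if results else 0)
```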