I recently discovered that the home interface for a snap can allow processes running as root to read non-root files through the read: all property. I would like to enable this for the docker snap, and so I build the snap locally with this, installed it with --dangerous and --jailmode, then connected all the interfaces and this worked. However, when publishing this version to the store and installing it fresh, the home interface is disconnected initially and I can’t connect the interface at all, even manually:
$ sudo snap connect docker:home core:home
error: cannot perform the following tasks:
- Connect docker:home to core:home (connection denied by slot rule of interface "home")
I presume that this is because the snap declaration from the store hasn’t been updated to reflect the read: all parameter for the docker snap’s home interface plug. If this is the case, I would like to request that the snap declaration be updated.
Additionally, is there a way that I view a snap’s store declaration to see auto-connections and such and ensure that I don’t break anything with this? Luckily I haven’t released the snap to stable, but it would be nice to be able to see what a snap’s declaration is before I change any of the interfaces it plugs or attributes it sets, etc.
For systems where a user installs the snap and doesn’t create the docker group and add their normal user to it, they are only allowed to use docker as sudo, in which case they can only build containers using sudo docker build when run inside root’s home directory, which is inconvenient for most folks to do.
Additionally, this is a feature which isn’t consistent with other distributions of docker, and so users often think that the docker snap is broken because they can’t use
If there is no docker group, how can they use docker at all without sudo? The socket is meant to not be world read/write. If it is, that is a huge security hole in the snap since it means any user can trivially take own the device.
You’re correct if there’s no docker group, then they have to use sudo.
My point being that when a user is in that situation where they have to use docker as sudo, they can only use files from /root/Dockerfile etc. which isn’t clear that’s the case and we get reports that the docker snap is broken because they can’t use sudo docker .... as I said before.