How to launch sudo snap in Ubuntu Software?

Hi,

I need to get the output of biosdecode from my snap. This requires root permissions. All is OK if I execute the snap from the command line:

sudo hw-probe

But it doesn’t work if I try to run the snap by clicking on the Launch button in Ubuntu Software after installing the snap.

My desktop file is the following:

[Desktop Entry]
Name=Hardware Probe
Comment=Probe for hardware and upload result to the Linux hardware database
Exec=sudo hw-probe
Icon=$SNAP/meta/gui/icon.png
Terminal=true
Type=Application
StartupNotify=true
Categories=System;
Keywords=HW Probe;Hardware;Probe;

The issue is that Exec is missing from the generated file /var/lib/snapd/desktop/applications/hw-probe_hw-probe.desktop. The Exec persists only if I set Exec=hw-probe.

How can I solve this? Where should I add the sudo command?

Thank you.

For strict confinement snaps the Exec key should always be a valid snap run command, so it should be hw-probe. Not sure about running it as root though.

theoretically you would have to ship sudo inside your snap …

… but practically that can not work since snapcraft will automatically strip the suid bit from all suid binaries included in a snap which in turn renders the shipped sudo useless (beyond the fact that your snap has no access to /etc/sudoers or /etc/sudoers.d of the system) …

also note that sudo in a graphical app will stop working completely as soon as distros default to wayland (wayland does not allow sudo’ed binaries to be displayed by design) …

one option might be to ship yad in your snap and have it display a dialog box when clicking the .desktop file entry, that tells the user about using the terminal and sudo instead … (and then fall back to some degraded operation if the user does still want to use it via the launcher).

Are there any other ways to run biosdecode and dmidecode from the snap executed by the launcher? Why doesn’t physical-memory-observe allow access to /dev/mem for non-root apps?

Thank you.

$ ls -l /dev/mem
crw-r----- 1 root kmem 1, 1 Sep 20 17:22 /dev/mem

interfaces only allow access outside of the confinement, they do not modify file or device permissions …

/dev/mem is simply only root readable … (and also by the kmem group through binaries that use a setgid bit, but there the same as for sudo would apply … https://wiki.debian.org/SystemGroups)

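The permission check described in the reply above, as an added example that is not part of the original thread or of hw-probe: a launcher wrapper can evaluate the ordinary owner/group/other bits on /dev/mem itself and pick the degraded mode suggested earlier when they deny read access. The function names, the --launch switch and the uid/gid values in the tests are assumptions made for illustration, and the check covers the permission bits only, not the snap's confinement rules.

```shell
#!/bin/sh
# Added example: a connected interface opens the sandbox for a path, but the
# classic Unix permission bits on the device node are still checked afterwards.

# dac_can_read MODE OWNER_UID GROUP_GID UID "GID1 GID2 ..."
# MODE is the octal string printed by `stat -c %a`, e.g. 640 for crw-r-----.
dac_can_read() {
    mode=$1 owner=$2 group=$3 uid=$4 gids=$5
    # root is not limited by the read permission bits
    [ "$uid" -eq 0 ] && return 0
    m=$((0$mode))
    # The first matching class decides: an owner never falls through to group.
    if [ "$uid" -eq "$owner" ]; then
        [ $((m & 0400)) -ne 0 ]; return
    fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            [ $((m & 0040)) -ne 0 ]; return
        fi
    done
    [ $((m & 0004)) -ne 0 ]
}

# probe_mode DEVICE: print "full" if the calling user passes the check for
# DEVICE, otherwise "degraded" (also when the node does not exist).
probe_mode() {
    dev=$1
    if [ ! -e "$dev" ]; then echo degraded; return 0; fi
    set -- $(stat -c '%a %u %g' "$dev")   # GNU stat: mode, owner uid, group gid
    if dac_can_read "$1" "$2" "$3" "$(id -u)" "$(id -G)"; then
        echo full
    else
        echo degraded
    fi
}

# Hypothetical launcher entry point: tell the user why BIOS/DMI data is missing
# instead of failing silently when started from the desktop without root.
if [ "${1:-}" = "--launch" ]; then
    if [ "$(probe_mode /dev/mem)" = full ]; then
        echo "read access to /dev/mem: collecting BIOS/DMI data"
    else
        echo "no read access to /dev/mem: run 'sudo hw-probe' in a terminal for BIOS/DMI data" >&2
    fi
fi
```

With the root:kmem ownership and crw-r----- mode from the ls output above, a desktop user outside the kmem group always lands in the degraded branch, whichever interfaces are connected.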

Maybe we need to add a Launch as Administrator button (by some property in the snapcraft.yaml or a checkbox in the dashboard)? I think this will be useful for apps like gparted.