Pkexec: not found (Python GTK/GNOME app)

Hi,

I’m trying to update the Snap package for an existing Snap CLI app (auto-cpufreq), which is created using the following snapcraft.yaml:

name: auto-cpufreq
base: core22
summary: Automatic CPU speed & power optimizer for Linux
description: |
  Automatic CPU speed & power optimizer for Linux based on active
  monitoring of laptop's battery state, CPU usage and system load.
  Ultimately allowing you to improve battery life without making
  any compromises.

license: LGPL-3.0
grade: stable
confinement: strict
adopt-info: auto-cpufreq

compression: lzo

parts:
  auto-cpufreq:
    plugin: python
    python-packages:
       - setuptools
       - wheel
       - requests
    build-packages:
       - gcc
       - python3-dev
    stage-packages:
       - coreutils
       - dmidecode
    source: .
    override-pull: |
      snapcraftctl pull
      snapcraftctl set-version `grep ^VERSION $SNAPCRAFT_PART_SRC/setup.py | sed 's/.*"\(.*\)"/\1/'`

  deploy-scripts:
    plugin: dump
    source: scripts
    organize:
      cpufreqctl.sh: usr/bin/cpufreqctl.auto-cpufreq
      snapdaemon.sh: usr/bin/snapdaemon

  copy-image:
    plugin: dump
    source: images

plugs:
   etc-auto-cpufreq-conf:
    interface: system-files
    write:
    - /etc/auto-cpufreq.conf

apps:
  auto-cpufreq:
    command: bin/auto-cpufreq
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
      - etc-auto-cpufreq-conf

  auto-cpufreq-gtk:
    command: bin/auto-cpufreq-gtk
    extensions: [gnome]
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    plugs:
      - desktop
      - desktop-legacy
      - wayland
      - x11
      - cpu-control
      - system-observe
      - hardware-observe

  service:
    command: usr/bin/snapdaemon
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
    environment:
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    daemon: simple

However, after the auto-cpufreq GTK app is run and I click on the “install” button (which runs as sudo to install the daemon),

I’ll be greeted with the following (debug) message:

The following error occured: 
/bin/sh: 1: pkexec: not found

I’ve come across another Snap that’s using pkexec, where the suggestion is to use classic confinement, which fixes the problem.

However, due to the fact I use extensions: [gnome] in snapcraft.yaml, as soon as I change confinement: strict to confinement: classic I’ll get the following error:

snapcraft
Extension 'gnome' does not support confinement 'classic'
Full execution log: '/home/ahodzic/.local/state/snapcraft/log/snapcraft-20230828-201048.785188.log'

Hence, could you please advise me how can I switch to classic confinement with GNOME or have ability not to run into pkexec: not found error while using strict confinement.

Thanks!

Adnan

you can not … classic snaps can not use extensions at runtime and can not use interfaces (not 100% sure about layouts (i dont touch classic, it is too hard to package) but i think you can not use them either) …

also note that classic means you need to make very sure the two environments (host and base snap) never leak into each other, so there is a lot of fiddling with the environment involved …

and last, it is very unlikely you will get classic granted for this snap so you will not be able to release it through the store … (it must fit into one of the supported categories here: Process for reviewing classic confinement snaps)

Hi @ogra

Putting the classic confinement path aside, is there any other way to fix this problem:

The following error occured: /bin/sh: 1: pkexec: not found

with strict confinement and as part of my current snapcraft.yaml?

I would hate to have to drop Snap package support for my application after having the Snap package in the store for more than 3 years.

If you need pkexec in your snap you need to package pkexec in your snap:

    stage-packages:
       - coreutils
       - dmidecode
       - pkexec

@alan_g thank you for your suggestion!

After making the following changes to my snapcraft.yaml I’m facing a new issue: pkexec must be setuid root

Any idea why this is the case as it seems to be snap related?

The error seems self-explanatory and unrelated to snaps

@alan_g Hello! I am also involved in this project and came to comment on what I know

I encountered this error before when researching how to use pkexec in a Snap. I’ve never encountered this error outside of a Snap so I do believe it is related to Snap’s sandboxing.

The GUI we’ve created has some actions that require privilege escalation, so we’re using pkexec to prompt the user for this, similar to software like GParted. I have found almost nothing online about how to fix this issue

@shadeyg56 I’ve no experience of using PolicyKit from a snap but imagine that it needs some dbus(?) interface plugged so that it can communicate with the desktop agent.

The best way to identify missing interfaces is https://snapcraft.io/docs/debug-snaps

However, note that even a root process started in the snap will be restricted by snap confinement.

@alan_g Ok I checked out the link you sent and used snappy_debug and it doesn’t report any missing plugs

As far as I can tell, pkexec needs certain permissions that are not available in the snap. I tried using sudo chmod 04755 /snap/auto-cpufreq//x6/usr/bin/pkexec as somebody recommended in another thread but it doesn’t work since the snap is read-only.

It seems like snap and pkexec just don’t play together well at all. I’m mostly surprised that nobody else has reported this before, as I find it hard to believe that I am the first person to try to use pkexec in a snap package

@alan_g also to add, once .snap is built I install it using --devmode which won’t enforce any security policies and need for any additional plugs wouldn’t be a problem at this point.

It seems to be a problem with the snap package which neither I nor @shadeyg56 can figure out at this point.

Hence any additional help from you or anyone else from Canonical side would be great, thanks!

It is easy to see that you are not:

$ find /snap/*/current/usr/bin -name pkexec
/snap/snap-store/current/usr/bin/pkexec

You can compare plugs with snap-store:

$ snap connections snap-store
Interface                 Plug                                      Slot                            Notes
appstream-metadata        snap-store:appstream-metadata             :appstream-metadata             -
content[gnome-42-2204]    snap-store:gnome-42-2204                  gnome-42-2204:gnome-42-2204     -
content[gtk-3-themes]     snap-store:gtk-3-themes                   gtk-common-themes:gtk-3-themes  -
content[icon-themes]      snap-store:icon-themes                    gtk-common-themes:icon-themes   -
content[sound-themes]     snap-store:sound-themes                   gtk-common-themes:sound-themes  -
dbus                      -                                         snap-store:packagekit-svc       -
dbus                      -                                         snap-store:snap-store           -
desktop                   snap-store:desktop                        :desktop                        -
desktop-legacy            snap-store:desktop-legacy                 :desktop-legacy                 -
fwupd                     snap-store:fwupd                          :fwupd                          -
gsettings                 snap-store:gsettings                      :gsettings                      -
network                   snap-store:network                        :network                        -
network-manager           snap-store:network-manager                -                               -
network-status            snap-store:network-status                 :network-status                 -
opengl                    snap-store:opengl                         :opengl                         -
packagekit-control        snap-store:packagekit-control             :packagekit-control             -
password-manager-service  snap-store:password-manager-service       :password-manager-service       -
personal-files            snap-store:dot-snap-auth-json             -                               -
snapd-control             snap-store:snapd-control                  :snapd-control                  -
system-files              snap-store:hostfs-usr-share-applications  :system-files                   -
system-observe            snap-store:system-observe                 :system-observe                 -
upower-observe            snap-store:upower-observe                 :upower-observe                 -
wayland                   snap-store:wayland                        :wayland                        -
x11                       snap-store:x11                            :x11                            -

I see a couple of “packagekit” mentions there.

@alan_g

As I stated previously, I thought when I install built .snap file using --devmode it wouldn’t enforce any security policies so any potential missing plugs wouldn’t be a problem at this point?

Regardless, I added both packagekit-control and packagekit-svc plugs, but then I would get a warning:

sudo snap install auto-cpufreq_2.0_amd64.snap --devmode
 
2023-09-01T08:52:44+02:00 INFO snap "auto-cpufreq" has bad plugs or slots: packagekit-svc (unknown interface "packagekit-svc")
2023-09-01T08:52:49+02:00 INFO snap "auto-cpufreq" has bad plugs or slots: packagekit-svc (unknown interface "packagekit-svc")
auto-cpufreq 2.0 installed
WARNING: There is 1 new warning. See 'snap warnings'.

Hence I removed packagekit-svc from plugs (kept packagekit-control ) and current snapcraft.yaml contents are as follows:

name: auto-cpufreq
base: core22
summary: Automatic CPU speed & power optimizer for Linux
description: |
  Automatic CPU speed & power optimizer for Linux based on active
  monitoring of laptop's battery state, CPU usage and system load.
  Ultimately allowing you to improve battery life without making
  any compromises.

license: LGPL-3.0
grade: stable
confinement: strict
adopt-info: auto-cpufreq

compression: lzo

parts:
  auto-cpufreq:
    plugin: python
    python-packages:
       - setuptools
       - wheel
       - requests
    build-packages:
       - gcc
       - python3-dev
    stage-packages:
       - coreutils
       - dmidecode
       - pkexec
    source: .
    override-pull: |
      snapcraftctl pull
      snapcraftctl set-version `grep ^VERSION $SNAPCRAFT_PART_SRC/setup.py | sed 's/.*"\(.*\)"/\1/'`

  deploy-scripts:
    plugin: dump
    source: scripts
    organize:
      cpufreqctl.sh: usr/bin/cpufreqctl.auto-cpufreq
      snapdaemon.sh: usr/bin/snapdaemon

  copy-image:
    plugin: dump
    source: images

plugs:
   etc-auto-cpufreq-conf:
    interface: system-files
    write:
    - /etc/auto-cpufreq.conf

apps:
  auto-cpufreq:
    command: bin/auto-cpufreq
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
      - etc-auto-cpufreq-conf

  auto-cpufreq-gtk:
    command: bin/auto-cpufreq-gtk
    extensions: [gnome]
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
      - desktop
      - desktop-legacy
      - wayland
      - x11
      - packagekit-control

  service:
    command: usr/bin/snapdaemon
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
    environment:
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    daemon: simple

However, I still get the same error when I try to install the daemon: The following error occured: /bin/sh: 1: pkexec: not found. Again, I’m still baffled by what is missing or what the problem is exactly.

I also pushed this latest built snap to auto-cpufreq beta channel hoping it could give you more insight, but it was also flagged for human review:

snapcraft upload auto-cpufreq_2.0_amd64.snap --release beta
Issues while processing snap:ew
- human review required due to 'allow-installation' constraint (bool)
Full execution log: '/home/ahodzic/.local/state/snapcraft/log/snapcraft-20230901-091009.105226.log'

That’s correct

By “install the daemon” you mean installing the snap? “/bin/sh: 1: pkexec: not found” means what one expects - the executable is not on $PATH. Above, I suggested that was because you didn’t include it in your snap. I thought that was resolved:

But, if you’re getting “not found” again, maybe you’re doing something weird with $PATH?

One way to investigate is to use snap run --shell ... to get a shell with the environment your app runs. You can then examine $PATH and experiment.

You should focus on getting more insight yourself. I’ve already told you that what you are doing is outside my experience. All I can do is suggest the things I would look at were I in your situation.

I’m not surprised that using pkexec would require approval from the store team. If it helps, there’s a review-tool snap that can run the checks locally for faster feedback.
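
Added example, not part of the thread: pkexec prints "pkexec must be setuid root" when it starts with an effective UID other than 0, and the kernel only raises the effective UID on exec when the file is root-owned with the setuid bit, its filesystem is not mounted nosuid, and the process has not set no_new_privs. The sketch below checks those conditions from a shell such as the one `snap run --shell` gives; the function names and the sample mounts table are constructed for illustration, and it assumes GNU stat and readlink.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): why exec of a setuid-root helper
# such as pkexec may not gain euid 0. All function names are hypothetical.
# Example call: check_setuid_helper "$SNAP/usr/bin/pkexec"

# Succeeds if the octal mode string (e.g. 4755) has the setuid bit 04000.
mode_has_setuid() { [ $(( 0$1 & 04000 )) -ne 0 ]; }

# Succeeds if a comma-separated mount option list contains nosuid.
has_nosuid() { case ",$1," in *,nosuid,*) return 0 ;; *) return 1 ;; esac; }

# Print the options of the longest mount point containing the path in $1.
# $2 is a mounts table in /proc/self/mounts format (default: the live one).
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "${2:-/proc/self/mounts}"
}

# Print NoNewPrivs (0 or 1) from a /proc/<pid>/status file (default: self).
no_new_privs() { awk '/^NoNewPrivs:/ { print $2 }' "${1:-/proc/self/status}"; }

# Print the first reason the setuid bit would not take effect, or "ok".
# $1 = binary, $2 = optional mounts table, $3 = optional status file.
check_setuid_helper() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    f=$(readlink -f "$1")   # resolve symlinks such as a "current" link
    mode_has_setuid "$(stat -c '%a' "$f")" || { echo "no-setuid-bit"; return 1; }
    [ "$(stat -c '%u' "$f")" -eq 0 ] || { echo "not-root-owned"; return 1; }
    if has_nosuid "$(mount_opts_for "$f" "$2")"; then echo "nosuid-mount"; return 1; fi
    if [ "$(no_new_privs "$3")" = "1" ]; then echo "no-new-privs"; return 1; fi
    echo "ok"
}

# Constructed sample mounts table for trying mount_opts_for offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /mnt/demo tmpfs rw,nosuid,nodev 0 0
EOF
}
```

Running the same check against the pkexec on the host and the copy inside the snap shows which of the conditions differs between the two.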

@alan_g I made a mistake in my last reply where I pointed to the old problem. After the last changes to snapcraft.yaml (as presented in my previous post), the problem is not pkexec: not found anymore, the new problem is: “pkexec must be setuid root”

Do you have any ideas what this might be related to as it seems Snap specific?

@alan_g @ogra on top of this, my upload to beta channel of auto-cpufreq with - packagekit-control listed as one of the plugins got rejected. I’m not sure if I should move this to snapcraft-requests at this point because ideally I would like to make snap work as expected before requesting anything.

I also found out that pkexec must be setuid root during install with --devmode for local testing could be a snap related bug?

Again, any pointers would be of great help because this problem pkexec must be setuid root does not happen on regular non snap install.

For reference, latest version of snapcraft.yaml looks like:

name: auto-cpufreq
base: core22
summary: Automatic CPU speed & power optimizer for Linux
description: |
  Automatic CPU speed & power optimizer for Linux based on active
  monitoring of laptop's battery state, CPU usage and system load.
  Ultimately allowing you to improve battery life without making
  any compromises.

license: LGPL-3.0
grade: stable
confinement: strict
adopt-info: auto-cpufreq

compression: lzo

parts:
  auto-cpufreq:
    plugin: python
    python-packages:
       - setuptools
       - wheel
       - requests
    build-packages:
       - gcc
       - python3-dev
    stage-packages:
       - coreutils
       - dmidecode
       - pkexec
    source: .
    override-pull: |
      snapcraftctl pull
      snapcraftctl set-version `grep ^VERSION $SNAPCRAFT_PART_SRC/setup.py | sed 's/.*"\(.*\)"/\1/'`

  deploy-scripts:
    plugin: dump
    source: scripts
    organize:
      cpufreqctl.sh: usr/bin/cpufreqctl.auto-cpufreq
      snapdaemon.sh: usr/bin/snapdaemon

  copy-image:
    plugin: dump
    source: images

plugs:
   etc-auto-cpufreq-conf:
    interface: system-files
    write:
    - /etc/auto-cpufreq.conf

apps:
  auto-cpufreq:
    command: bin/auto-cpufreq
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
      - etc-auto-cpufreq-conf

  auto-cpufreq-gtk:
    command: bin/auto-cpufreq-gtk
    extensions: [gnome]
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
      - desktop
      - desktop-legacy
      - wayland
      - x11
      - packagekit-control

  service:
    command: usr/bin/snapdaemon
    plugs:
      - cpu-control
      - system-observe
      - hardware-observe
    environment:
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
      PKG_MARKER: SNAP
    daemon: simple