Please, review “excom” snap for “classic” confinement

lars · July 29, 2022, 10:16pm

Hi

My app excom, https://gitlab.com/larsfp/exim-commander, use ssh agent to connect to servers for managing exim. According to Ssh-agent plug request it seems I can’t use ssh-agent. Can you allow --classic, please?

pfsmorigo · August 9, 2022, 9:00pm

Hello Lars, can you try to use ssh-keys or ssh-public-keys interfaces?

lars · August 25, 2022, 7:17am

Hi. That worked OK (not great, but ok) for SSH, but I’m unable to run local tasks (exim, mailq, postfix), so I will have to cut out large parts of the app and say “sorry, you’ve installed via snap so this operation is not available to you”.

I guess my app isn’t very suited for sandboxing. Probably because most of my work is creating sysadmin tools and they need deep access. =/

alexmurray · August 25, 2022, 8:18am

Can you please provide more details re “unable to run local tasks”? Perhaps a solution can be found.

lars · August 25, 2022, 9:07am

Yes, sorry.

The app manages mail stuck in the local mail queue on Linux. It supports exim and postfix. The queue is usually managed with tedious commands like:

# mailq
61h   329 1oQDOK-001kN6-Rv <root@web.lxd>
          lars@liten.no

61h   327 1oQDOO-001kNP-NH <root@web.lxd>
          meg@liten.no
root@web:~# exim -Mvh 1oQDOK-001kN6-Rv
1oQDOK-001kN6-Rv-H
root 0 0
<root@web.lxd>
1661197640 2
-received_time_usec .865720
...
root@web:~# exiqgrep -r liten.no | xargs exim -Mrm

Here I list out all mail in the queue, then view the header on one of those, then remove all mail for the domain “liten.no”. These commands naturally need root access.

When using the app against a server, all commands are sent via SSH, and thus it needs no more access than ssh keys. That works fine. But if you want to use the app to manage the host you are on (localhost), nothing works due to snap sandboxing. A workaround is to ssh back to the machine you are on, but that isn’t always convenient. I.e. SSH is often blocked for the root user.

emitorino · December 16, 2022, 1:30pm

@lars hey,

Since its been a while since the last comment, I am checking the status of excom. I see its published under strict confinement, is it working as expected?

Thanks!

lars · December 16, 2022, 2:34pm

It’s published and working, but it’s a pretty bad user experience. Unconfined gives lots more value, since it’s a sysadmin tool. Sysadmins need privileged access.

alexmurray · February 22, 2023, 6:31am

Can you provide more details regarding the issues the snap is facing under strict confinement? In particular dmesg / journalctl output showing and AppArmor DENIAL messages or seccomp violations would be very useful. Note snaps can be run with sudo to give them root privileges as well.

pfsmorigo · March 16, 2023, 8:08pm

@lars - ping, can you please provide the requested information?

lars · March 20, 2023, 11:26am

Hi. I will check if I used sudo for this or not.