Please, review “excom” snap for “classic” confinement

Hi

My app excom, https://gitlab.com/larsfp/exim-commander, uses ssh-agent to connect to servers for managing exim. According to the Ssh-agent plug request it seems I can’t use ssh-agent. Can you allow --classic, please?

Hello Lars, can you try to use ssh-keys or ssh-public-keys interfaces?

Hi. That worked OK (not great, but ok) for SSH, but I’m unable to run local tasks (exim, mailq, postfix), so I will have to cut out large parts of the app and say “sorry, you’ve installed via snap so this operation is not available to you”.

I guess my app isn’t very suited for sandboxing. Probably because most of my work is creating sysadmin tools and they need deep access. =/

Can you please provide more details re “unable to run local tasks”? Perhaps a solution can be found.

Yes, sorry.

The app manages mail stuck in the local mail queue on Linux. It supports exim and postfix. The queue is usually managed with tedious commands like:

# mailq
61h   329 1oQDOK-001kN6-Rv <root@web.lxd>
          lars@liten.no

61h   327 1oQDOO-001kNP-NH <root@web.lxd>
          meg@liten.no
root@web:~# exim -Mvh 1oQDOK-001kN6-Rv
1oQDOK-001kN6-Rv-H
root 0 0
<root@web.lxd>
1661197640 2
-received_time_usec .865720
...
root@web:~# exiqgrep -r liten.no | xargs exim -Mrm

Here I list out all mail in the queue, then view the header on one of those, then remove all mail for the domain “liten.no”. These commands naturally need root access.

When using the app against a server, all commands are sent via SSH, and thus it needs no more access than ssh keys. That works fine. But if you want to use the app to manage the host you are on (localhost), nothing works due to snap sandboxing. A workaround is to ssh back to the machine you are on, but that isn’t always convenient, e.g. SSH is often blocked for the root user.
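As an added example (not code from excom or from this post), here is a small Python parser for the exim mailq listing quoted above: it groups recipient lines under their message header, selects the message IDs whose recipients belong to one domain, and builds the `exim -Mrm` argv as a list so no shell ever interprets the IDs. The sample input is the queue listing from the post; the frozen-marker handling is an assumption about exim's output format.

```python
import re
from dataclasses import dataclass, field

# Exim "mailq" output, copied from the queue listing quoted in the post above.
SAMPLE_MAILQ = """\
61h   329 1oQDOK-001kN6-Rv <root@web.lxd>
          lars@liten.no

61h   327 1oQDOO-001kNP-NH <root@web.lxd>
          meg@liten.no
"""

# Exim message IDs are three base-62 groups joined by dashes, e.g. 1oQDOK-001kN6-Rv.
MSG_ID = re.compile(r"^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$")
# Header line: <age> <size> <message-id> <sender> [*** frozen ***]
HEADER = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+<([^>]*)>(.*)$")


@dataclass
class QueueEntry:
    age: str
    size: str
    msg_id: str
    sender: str
    frozen: bool                      # assumption: exim appends "*** frozen ***" to the header
    recipients: list = field(default_factory=list)


def parse_mailq(text):
    """Parse mailq text into QueueEntry records, one per queued message."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():         # indented line: a recipient of the current message
            if entries:
                entries[-1].recipients.append(line.split()[-1])
            continue
        m = HEADER.match(line)
        if not m:
            continue
        age, size, msg_id, sender, rest = m.groups()
        if not MSG_ID.match(msg_id):  # never accept an ID that is not well-formed
            continue
        entries.append(QueueEntry(age, size, msg_id, sender, "frozen" in rest))
    return entries


def ids_for_domain(entries, domain):
    """Message IDs that have at least one recipient at the given domain."""
    suffix = "@" + domain.lower()
    return [e.msg_id for e in entries
            if any(r.lower().endswith(suffix) for r in e.recipients)]


def remove_command(msg_ids):
    """argv for subprocess.run(); validated IDs only, no shell involved."""
    return ["exim", "-Mrm", *[i for i in msg_ids if MSG_ID.match(i)]]
```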

@lars hey,

Since it’s been a while since the last comment, I am checking the status of excom. I see it’s published under strict confinement, is it working as expected?

Thanks!

It’s published and working, but it’s a pretty bad user experience. Unconfined gives lots more value, since it’s a sysadmin tool. Sysadmins need privileged access.

Can you provide more details regarding the issues the snap is facing under strict confinement? In particular dmesg / journalctl output showing any AppArmor DENIAL messages or seccomp violations would be very useful. Note snaps can be run with sudo to give them root privileges as well.

@lars - ping, can you please provide the requested information?

Hi. I will check if I used sudo for this or not.

@lars - ping

Let us know if you have more updates on the above requested information.

Thanks

@lars ping, can you please provide the requested information?

No, sorry. The app is no longer actively developed as I switched jobs. You can de-list it if you want. Or it can stay as it is.

Hey @lars, thanks for letting us know, I am then removing this request from our review queue. Regarding the snap listing, maybe @roadmr can help?