Problem running command with setpriv

rodrigo · March 14, 2021, 8:09pm

After installing my snap, I cannot run a command from it.

% snap run my-snap.cmd status

This results in the following error:

setpriv: setresuid failed: Operation not permitted

The command in my Snapcraft is defined as such:

  cmd:
    command: usr/bin/wrapper.sh
    command-chain:
      - bin/runtime-helpers/drop-snap-daemon.sh
      - bin/runtime-helpers/snapcraft-preload 
    environment:
      SNAPCRAFT_PRELOAD_REDIRECT_ONLY_SHM: 1    
    plugs:
      - network
      - network-bind

My wrapper (wrapper.sh) looks like:

#!/bin/bash -e
$SNAP/usr/bin/setpriv --clear-groups --reuid snap_daemon --regid snap_daemon -- "$@"

This is the snapd log I could obtain but honestly I could not find any hint.

ubuntu@aurea-ubuntu-dev:~$ snap run my-snap.cmd status

2021/03/14 19:57:55.129836 tool_linux.go:204: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2021/03/14 19:57:55.220022 cmd_run.go:407: DEBUG: SELinux not enabled
2021/03/14 19:57:55.220541 tracking.go:44: DEBUG: creating transient scope snap.my-snap.cmd
2021/03/14 19:57:55.220772 tracking.go:176: DEBUG: session bus is not available: cannot find session bus
2021/03/14 19:57:55.220826 cmd_run.go:1162: DEBUG: snapd cannot track the started application
2021/03/14 19:57:55.220922 cmd_run.go:1163: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was 02
DEBUG: security tag: snap.my-snap.cmd
DEBUG: executable: /usr/lib/snapd/snap-exec
DEBUG: confinement: non-classic
DEBUG: base snap: core18
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/snapd/11115/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/my-snap.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope my-snap, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: my-snap
DEBUG: setting up device cgroup
DEBUG: no devices tagged with snap_my-snap_cmd, skipping device cgroup setup
DEBUG: forked support process 2529
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core18, revision 1990 is 7:5
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: block device of the root filesystem is 7:5
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace my-snap
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: my-snap
DEBUG: NOT preserving per-user mount namespace
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: moved process 2511 to cgroup hierarchy /sys/fs/cgroup/freezer/snap.my-snap.cmd
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 2529)
DEBUG: waiting for response from helper
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: DEBUG: helper process exitingwaiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: set_effective_identity uid:1000 (change: yes), gid:1000 (change: yes)
DEBUG: creating user data directory: /home/ubuntu/snap/my-snap/x1
DEBUG: requesting changing of apparmor profile on next exec to snap.my-snap.cmd
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.my-snap.cmd
DEBUG: read 8376 bytes from /var/lib/snapd/seccomp/bpf//snap.my-snap.cmd.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec...)
DEBUG: argv[1] = my-snap.cmd
DEBUG: argv[2] = status
DEBUG: umask restored to 02
DEBUG: working directory restored to /home/ubuntu
setpriv: setresuid failed: Operation not permitted

Any idea where the problem is?

ogra · March 15, 2021, 7:39am

does it work using sudo ?

the snap_daemon user kind of requires root … (given it was designed to drop privileges, not to elevate them …)

rodrigo · March 15, 2021, 10:26pm

Yes, it works with sudo. That’s not exactly what we wanted but I guess we can live with it. Thanks @ogra!