Refreshing snap shouldn't need password auth (when no hold is in place)

It appears that updating (refresh) snap requires admin authorization via PolKit. Since, automatic refresh is triggered few times daily, any reason why user initiated updates require password (unless there is a refresh hold in place).

Refer:

• https://discourse.ubuntu.com/t/refreshing-snap-shouldnt-need-password-auth-when-no-hold-is-in-place/49192/1.
• https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2084314.

The snap refresh command can do far more than what an auto-refresh does. Including:

1. Switching which channel is used for a snap.
2. Replace a snap file installed via snap install --dangerous with the version in the store.
3. Ignore certain constraints that would block an automatic refresh.
4. Upgrade a subset of the snaps with available updates.

These are implemented as options on the same snapd API call that would be used for a “safe” refresh. The decision on whether to require a polkit check happens before these options are checked.

This isn’t to say it would be impossible to change: just that it isn’t as simple as removing the existing polkit check. It would likely involve adding a new API, and having the snap refresh client decide when it is appropriate to use instead of the generic API.

Alongside what James said, note that you can always do snap login after which your user is considered authoritative to manage snaps in general and you will not have to use sudo at all anymore (for any command line snap commands that is, I guess GUI tools will probably still pop up polkit, depending how they implement auth)

I would not recommend using snap login unless you fully understand the security trade-offs it entails.

i wish we dont need using password auth when install apps, how fedora (gnome) do that? installing apps on gnome software never need password

Is https://gitlab.gnome.org/GNOME/gnome-software/-/issues/2681#note_2271082 accurate enough ?

Thanks!

I’m not sure a user triggered auto-refresh is safe in all circumstances either, namely, whilst desktop applications will wait for users to close it down and try schedule around them, services don’t.

This could turn regular users into a weapon depending upon timing. Say I have a shared server that multiple students SSH into, and they’re doing an exam. One of my students runs snap refresh, which (in this hypothetical) doesn’t need superuser. Any user using these daemons has now had it removed from under them, possibly losing session status, including any ongoing work.

Sure, this could happen at any time in theory due to autoupdates in general, but snap allows admins to set update schedules at convenient times (separate to hold); either you’d have to make this new API respect that, kind of ruining the point; or you’d need to compensate in other manners, increasing complexity to the point any gains might be lost.

It’s nice that Flatpak can do updates without elevation on per-user-installed software, but, Snap is designed for entire operating systems, snap daemons aren’t unusual.

gnome-software is not the right place to propose this. The polkit prompts are initiated from snapd itself rather than something any one client does.

Any change here would need to start with snapd itself, defining a new API for the purportedly safe refresh variants.

That’s my understanding as well.

Thanks for confirming!