Hello,
I’m working on packaging log-user-session, which provides a tamper-proof log of commands run during an SSH session. It’s useful for running on a bastion host and is not currently packaged.
To do its job, it needs to observe commands run by users. I’ve started to create a snapcraft.yaml file for it, but it fails when it gets to the step where the binary would be chowned with the setuid bit.
I’m guessing this should be replaced with a plug in snap, perhaps of type system-observe, but I’m not sure. The source code is linked above if someone is able to help confirm. It’s a short bit of C.
Assuming there’s a correct “plug” to help with this, do I use override-build to strip out the chown command then?
Thanks.
I’m not sure that the application will work in a snap as-is, unless you are granted the ability to use classic mode, which means your snap will only work on normal distros (not all-snap distros like Ubuntu Core, e.g.). This is because setuid is not permitted by the rules of the snap store.
The alternative is to rewrite the application into a client-server pair where the user-level process (client) ships its logs to a daemon (server) running as root to save those logs to disk.
1 Like
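The client-server split suggested in the reply above, as an added illustration that is not part of this thread and not code from log-user-session: an unprivileged client ships command lines over a Unix socket to a daemon that holds the append-only log file. The socket path, the one-line-per-command message format and the "uid=N text" log format are assumptions made for this example. The point worth seeing is that the daemon takes the client's identity from the kernel (SO_PEERCRED on Linux) rather than from anything the client sends, so a client that writes "uid=0" into its own payload still gets logged under its real uid.

```python
import os
import socket
import struct
import tempfile
import threading


def current_uid():
    """Uid of this process (used by the demo to check what the daemon recorded)."""
    return os.getuid()


def peer_uid(conn):
    """Identity of the process on the other end of a Unix socket, as reported by the kernel.

    SO_PEERCRED is Linux-specific and returns struct ucred {pid, uid, gid}.
    On other platforms we fall back to our own uid so the demo still runs.
    """
    if hasattr(socket, "SO_PEERCRED"):
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", raw)
        return uid
    return os.getuid()


def serve_once(sock_path, log_path, ready):
    """Root-side daemon, reduced to a single connection for the demo.

    Records every line the client sends, prefixed with the kernel-reported uid,
    into a file opened append-only with owner-only permissions.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o666)  # any local user may connect; identity comes from the kernel, not the client
    srv.listen(1)
    ready.set()  # let the client know it is safe to connect
    conn, _ = srv.accept()
    uid = peer_uid(conn)
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as log, conn, conn.makefile("r") as rf:
        for line in rf:
            text = line.rstrip("\n")
            log.write("uid=%d %s\n" % (uid, text))  # client payload is data, never trusted as metadata
    srv.close()


def ship_session(sock_path, commands):
    """User-side client: send each command as one line and close."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        for cmd in commands:
            c.sendall((cmd + "\n").encode())


def parse_entry(line):
    """Turn 'uid=N text' back into (N, text)."""
    head, _, text = line.rstrip("\n").partition(" ")
    return int(head.split("=", 1)[1]), text


def run_session(commands):
    """Run daemon and client in one process and return the parsed log entries."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "logd.sock")
        log_path = os.path.join(d, "session.log")
        ready = threading.Event()
        t = threading.Thread(target=serve_once, args=(sock_path, log_path, ready))
        t.start()
        ready.wait(5)
        ship_session(sock_path, commands)
        t.join(5)
        with open(log_path) as f:
            return [parse_entry(line) for line in f]


if __name__ == "__main__":
    # Constructed sample session; the middle line tries to smuggle a fake identity.
    for uid, text in run_session(["ls -la", "uid=0 fake-root-entry", "cat /etc/hosts"]):
        print(uid, text)
```

In a real deployment the daemon would run as a system service owning the log directory, and the client would be the snap's unprivileged process; the demo runs both in one process only so it can be executed stand-alone.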
@lucyllewy,
If the snap only works on Ubuntu, that’s fine with me. I’m a user of the app, not the author, and am not in a position to rewrite it. What would need to happen if I only want the snap to work on normal distros?
I don’t think setuid (nor fscaps) are allowed in non-base snaps, never mind their confinement.
1 Like