I’m currently building a kiosk app, that needs both browser-support and the daemon feature.
With my latest build now scheduled for manual review because of this, I still wanted to ask a few questions and hopefully get more feedback as it is my first project on the snap store.
My application gets deployed on raspberry pi’s via ubuntu-core and then plugged into screens around our office and community area so it’s not a system users ever interact with directly.
I read though, that any application using both daemon features and
browser_support should drop their privileges to the snap_daemon system user. I implemented this but would request that someone more knowledgeable in this regard than me has a look at it. ( The review-tools snap still complains about the permission thing, but I guess it’s because it’s not tracking dropping privileges yet right ?)
The repository is open source so you can have a look: ozone
@jkruckenberg the current implementation re dropping privileges looks sane - thanks. +1 from me for the use of this - note, the use of daemon and browser_support is still privileged and so requires publisher vetting to be granted if the vote carries.
@reviewers can we please get some more votes on this request?
+1 for me for the use of
daemon. This is a kiosk app and the snap uses
system-usernames to drop privileges. Also
allow-sandbox is unspecified so it defaults to false.
As @alexmurray mentioned, this is a privileged interface and thus requires publisher vetting. @jkruckenberg: can you state that you intend to not change your snap to run a command which plugs
browser-support under the root user (ie, you will keep using the
snap_daemon with any commands/daemons that plugs
browser-support)? This way we can proceed with the vetting process.
Thanks at @emitorino ! Just so understand you correctly, you mean running anything that requires the ’browser-support’ interface before privileges are dropped right?
If so, then yes I do not intend to change this, I also cannot think of a situation where I might have to change this so we should be good.
Anything else you need me to do?
@jkruckenberg: yes, thanks for your answer.
@advocacy - can you please perform vetting?
+1 from me, I verified the publisher.
@jkruckenberg: a review-tools update is needed for this to take effect automatically in the store. I need to manually approve this meanwhile we have this update available. Could you please either request a manual review or upload a new revision so I can go and approve it?
@jkruckenberg ping, can you please either request a manual review or upload a new revision so we can proceed with approving your snap and have it published? Thanks!
@jkruckenberg ping, are you still willing to move fw with this request? Thanks
Sorry for the late reply, in these wild times this project I was working and requesting permission on was put on hold, that’s why I didn’t respond.
At this point however, I’m trying to switch the app from electron itself to use the chromium-mir-kiosk snap for several reasons. As this would make this request pretty mute, consider it closed for now. I will submit a new request or open this up again if I don’t succeed.
Thanks for your effort though!
Ok thanks for letting us know @jkruckenberg