Hi,
is it possible to specify services inside the snap to run under non-privileged user? Specifically for services.
not currently (but given that confinement is root-proof you do not actually need to) …
… that said, there is something on the TODO list:
I asked Sergey to raise this issue. My worry is that there is a bug (say in AppArmor) that would allow an attacker to break out (similar to Docker breakouts) that were mostly affected by containers running as root.
Do you have an ETA for this?
The status can be found here: Multiple users and groups in snaps (ie, the feature is designed and on the roadmap, but not currently assigned).