How can I enable a daemon running as snap_daemon to set system time / timezone?
I am migrating an application from a traditional embedded Linux environment to a Core environment.
In our standard env, we created a simple setuid binary for time operations that could be invoked from our less privileged daemon. Setuid isn’t supported by snapcraft.
Preference is to avoid running this application as root. Any clever suggestions?
While the timezone-control and time-control interfaces give you access to the necessary bits and pieces outside of confinement, they are not changing any of the permissions that are set outside …
I suspect that might need some change in the images or addition to snapd like pre-adding the snap_daemon user to some groups dynamically or integrating with udev ACL (or whatever an architect comes up with … )
Yeah, today and in the medium-term future we won’t be working on the support for this, which would probably look like what @ogra mentioned, where the snap_daemon user gets added to the various groups necessary (or more likely, we would have a specific user for your snap and that user alone gets added to the various groups necessary for this sort of thing).
Today you’ll either need to always run as root, or run some daemon component as root which the part running under snap_daemon sends a message to perform the root-necessary bits. Setuid programs are indeed not allowed in snaps by default, though there have been specific programs which we have granted permission to use setuid, such as chromium, so you could try asking for permission to ship a setuid program and see what the reviewers think. That would probably be best started by uploading a version of your snap that uses a setuid program; it will get denied by the review-tools and then you can go start a forum post in the #store-requests topic and get some feedback as to whether this would be allowed or not. I don’t know off the top of my head what criteria are applied for evaluating setuid programs being included in snaps.
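The root-component split suggested in the reply above, sketched as an added example that is not part of the original thread and not snapd's own code: a root-side helper that accepts one request per Unix-socket connection, checks the caller's uid with SO_PEERCRED, and maps a validated timezone name to a fixed argv. The one-line `TZ` protocol, the function names and the socket path parameter are assumptions made for illustration, as is the root part being able to call `timedatectl set-timezone` (for example with the timezone-control interface connected); setting the clock would follow the same pattern.

```python
import re
import socket
import struct
import subprocess

# Constructed one-line protocol for this example: "TZ <Area/Location>\n".
# Must start with a letter (never parsed as an option); no "." so no "..".
TZ_RE = re.compile(r"[A-Za-z][A-Za-z0-9_+-]*(/[A-Za-z0-9_+-]+){0,2}")

def peer_uid(conn):
    """uid of the process at the other end of a Unix socket (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def build_command(request):
    """Map a request line to a fixed argv, or None if it is not allowed."""
    parts = request.strip().split(" ")
    if len(parts) == 2 and parts[0] == "TZ" and TZ_RE.fullmatch(parts[1]):
        return ["timedatectl", "set-timezone", parts[1]]
    return None

def handle(conn, allowed_uid, run=subprocess.run):
    """Serve one request: check the caller's uid, validate, then run the command."""
    if peer_uid(conn) != allowed_uid:
        conn.sendall(b"ERR denied\n")
        return None
    try:
        argv = build_command(conn.recv(128).decode("ascii"))
    except UnicodeDecodeError:
        argv = None
    if argv is None:
        conn.sendall(b"ERR bad request\n")
        return None
    ok = run(argv, check=False).returncode == 0   # argv list, no shell involved
    conn.sendall(b"OK\n" if ok else b"ERR failed\n")
    return argv

def serve(path, allowed_uid):
    """Root-side loop: one request per connection on the Unix socket at `path`."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        while True:
            conn, _ = srv.accept()
            with conn:
                handle(conn, allowed_uid)
```

The root daemon would call `serve()` with the uid of the unprivileged user, which can be looked up with `pwd.getpwnam("snap_daemon").pw_uid`; the socket file's permissions must let that user connect.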
This is a custom app designed for our hardware and we have a private brand store, so I suspect we could get permission for setuid. I did not know that was an option - thanks!