Snap daemon permissions

Hi all,

I want to automate a bunch of smaller scripts and want to bundle them in a snap to deploy on a bunch of customer sites. Basically doing log cleanup, parsing, etc. but only in the home directory of an Ubuntu install on site. Log folders can get pretty big so I wrote it in Python to scrape some info and remove all but today’s logs.

So I made a snapcraft.yaml file that looks like:

name: daily-report-gen
base: core20
summary: Generate daily report templates
description: |
  I have to write reports a lot.
grade: devel
confinement: strict
adopt-info: daily-report-gen

parts:
  daily-report-gen:
    plugin: python
    source: .
    parse-info: []

apps:
  daily-report-gen:
    command: bin/
    plugs: [home]
    daemon: simple
    timer: 00:00

If I do a snap run daily-report-gen as user it works perfectly because it’s run as the current user. When it runs as a daemon I don’t have permission to edit the files. First thing I tried for this was just using chown in Python to fix it, guessing that the snap process itself would have permission to change the permissions, but that didn’t work. I tried checking if there was a way to set a daemon to only run as a specific user account but I didn’t find anything that could help with that.

Any suggestions on how to either run that daemon as a user or ensure the permissions can be set correctly in the script level?

secure confinement is managed by the kernel, snapd only utilizes the features it provides … if you run a daemon, that happens as root inside the confinement. per definition the kernel will only allow writes to $SNAP_DATA (/var/snap/snapname/current), $SNAP_COMMON (/var/snap/snapname/common), $SNAP_USER_DATA (~/snap/snapname/current) and $SNAP_USER_COMMON (~/snap/snapname/common) … if you add the home plug you also get access to all non-hidden content in $HOME …

if you run the app as a normal user ~ translates to /home/$USER … if you run as a daemon ~/ translates to /root only … to achieve what you want, the daemon would need to run in the user's session, not as a system daemon …

have a look at:

Well, there are two issues I’m running into. The user directory thing is fine, I was able to get around that: I added home to plugs and it was good, that was the first thing I tried with it. Our users’ home folders are all named the same so I don’t even have to figure that out automatically. So the files are writing, just the permissions of the files are associated with the user (root for the daemon), but I can’t reassign it even though root should have permission to do so.

I’d guess that’s due to confinement blocking chmod from working but what the question boils down to is, can I write a snap that will be auto started and is run as a user? In that way I wouldn’t have to chmod.

I’m not sure autostart would be what I’m looking for but I could just autostart the script and put a sleep till the time to write the files and in that way it would be run as user but it seems a bit clunky.

we don't have real “user daemons” yet, autostart is the closest i think … but it also requires a logged in user and a session running indeed.

Oh then that’s the answer then, thanks. The user will for sure be logged in so that’s perfect.
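
The approach the thread settles on (an autostarted script in the user's session that sleeps until the scheduled time, then removes all but today's logs) could look like the following. This is an added example, not code from any poster; the function names, the choice of file modification time to decide what counts as "today", and the constructed sample files are assumptions. Because the script runs as the logged-in user, the files it touches stay user-owned and no chown is needed.

```python
import os
import stat
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path


def seconds_until(now: datetime, hour: int = 0, minute: int = 0) -> float:
    """Seconds from `now` to the next HH:MM; rolls to tomorrow if already reached."""
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target <= now:
        target += timedelta(days=1)
    return (target - now).total_seconds()


def prune_old_logs(log_dir: Path, today: date) -> list:
    """Delete regular files in log_dir last modified before `today`.

    Symlinks and subdirectories are skipped so a planted link cannot
    redirect the cleanup to a file outside log_dir.
    """
    removed = []
    for entry in os.scandir(log_dir):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        if date.fromtimestamp(st.st_mtime) < today:
            os.unlink(entry.path)
            removed.append(entry.name)
    return sorted(removed)


def demo() -> list:
    """Constructed sample: one stale log, one fresh log, one symlink."""
    today = date.today()
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp)
        (logs / "old.log").write_text("stale\n")
        (logs / "new.log").write_text("fresh\n")
        two_days_ago = (datetime.now() - timedelta(days=2)).timestamp()
        os.utime(logs / "old.log", (two_days_ago, two_days_ago))
        os.symlink(logs / "new.log", logs / "link.log")
        removed = prune_old_logs(logs, today)
        return [removed, sorted(p.name for p in logs.iterdir())]


if __name__ == "__main__":
    print(seconds_until(datetime.now()), demo())
```

In the real script, `time.sleep(seconds_until(datetime.now()))` would precede each `prune_old_logs` call inside a loop.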