Snaps and the owner Permission

Hello everybody,
Want to know how the Linux kernel enforces the traditional UNIX ‘owner’
permissions to a Snap application. Who is the owner? (The user that installs the application or the root user?) and what is the mechanism used to do that?

Ali Baghernejad

“Owner” is kind of a misleading term here, ownership of files is managed by your underlying filesystem, if you install a snap this happens as root since snapd needs to put files in places only root can write to (/var/lib/snapd … etc).

If your snap contains services, these are also executed as root …
If your snap contains apps, they run as the user who executed them (i.e. you) …

the kernel manages filesystem access of snap binaries via apparmor, only files and directories that are listed in the apparmor profile can be accessed, the profile also defines if you can read, write or execute something in a directory (this is true even for the root user).
on top of this the normal unix filesystem permissions apply, so if you run an app, it will first of all only be able to access the apparmor defined places … but secondly the normal filesystem permissions define if you can read or write … i.e. if you as normal user can not write to /var/lib, the app you are executing can’t either.

1 Like

@ogra, Thank you for your clarification.
From Ubuntu Core Security Whitepaper:

Future versions of Ubuntu Core will allow snaps to optionally request snap-specific,
non-root users and groups for services.

What about this feature?