The snap install command asks the backend snapd daemon to install the snap on its behalf, the same way the Snap Store app does.
Snapd will process the request if one of the following is true:
- the request came from the root user (using credentials read from the unix socket connection)
- the request included auth data for a Snap Store login created using
sudo snap login(what the other replies are referring to). - polkitd says the request is authorised.
I suspect you’re probably seeing (3). When installing a snap, snapd asks if the caller is authorised to use the io.snapcraft.snapd.manage action. The default policy for this action is auth_admin_keep, which requires the user be an “administrator” and that they enter their own password.
On an Ubuntu system, an administrator is a user who is a member of either the sudo or admin groups (as configured via /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf). You can also override the default policy for how an action is handled. On Ubuntu and Debian systems, this is done via .pkla files. On most other systems it is via JavaScript .rules files.
As for trying to allow users to install only strict confined snaps, we unfortunately don’t separate that out into a separate polkit action. So there is no way to allow one but not the other.