Does anyone know if it is possible to change users within a snap? My snap works as it should when running in devmode but when I switch to strict mode I get a “su permission error”. Is there a plug that I can add to help with this?
Which user do you need to switch to?
A user that I already created, let’s say bob, and I’m trying to switch to bob within the snap.
There are some interfaces but we don’t yet have a generic way to let a snap run as a dedicated user. There were some roadblocks before but perhaps now we could explore adding that with seccomp argument filtering.
OK, so is it possible to do it with interfaces or seccomp right now, and if so, how? Or should I just wait and keep running my snap in devmode?
There are two issues here:
- filtering system calls that switch to a given user by user ID (e.g. 1004 or 67)
- creating unprivileged snap users
If we add argument filtering we need to do it by number. To make the number meaningful we’d have to create a user inside snapd and have snap-confine resolve that at runtime. Unless I’m missing something we cannot do one without the other. @jdstrand can probably correct me if I’m wrong.
We want to add a feature where installing a snap creates a specific unprivileged system user (or uses an existing one). This will always be tied to an interface, probably to a specific interface.
Btw, can you tell me what is the bob user you mentioned? I realize it was just an example but if you have something specific in mind it might be easier to discuss.
Sure, the user is rabbitmq. I created a snap for rabbitmq but I’m having issues once it starts because it fails to switch to the rabbitmq user.
I think this should be handled by an interface for rabbitmq then. I’m sure there’s a small set of interesting snaps that will require this.
I figured that an interface would be the way to go but I just don’t know enough about creating a custom interface. Could you point me to some resources that I can learn from?
I think there’s some plumbing that we need to do first to allow creating users. I’ll try to make a quick experiment to see what it might look like and I will update the forum when that is ready.
Thanks for your help.
@julio - I’ve been meaning to add a forum post on this topic and will be doing so this week. There are several related use cases and what you have described is https://bugs.launchpad.net/snappy/+bug/1619888. I’ll add a comment to this post once I’ve added the forum topic so people can watch it.
Thank you