What is needed would be read-only access to certain files, like /etc/passwd, /etc/shadow, /etc/shadow-, /var/lib/extrausers/shadow, … of the system (not the snap). In my case CUPS has unsuccessfully tried to read /etc/shadow and /var/lib/extrausers/shadow when building without PAM support. Am right? Or would we need more?
The problems I see here are the following:
- These files can be different on different distributions, and also different on Snap-only distributions like Core and classic distributions.
- CUPS (or generally the app) in the snap does not read the files by itself but uses a library for that. So probably this library (I do not know which one) and of this library the incarnation in the snap, built for the distribution under which the snap was built, determines which files will be read.
- One would need to have a group where one can add users to so that one can do admin tasks with the web interface. See also here. Such a thing would especially be needed for Core where one does not always have a desktop.