Useradd within snap with strict confinement

seanl · August 4, 2025, 6:59pm

We’re building an ubuntu-core snap, and we’re trying to get our snap from devmode to strict confinement. As part of our setup process of Ubuntu Core, we try to automate creating a non “Ubuntu One” user account using useradd with the --extrauser argument. This works in devmode, but we are unable to get it to work in strict confinement. And the error we get is:

cannot open audit interface - aborting

Is it possible to get access to the audit interface in strict confinement? It was my understanding that devmode was just strict with all things allowed - so presumably anything that can be done in devmode can be done in strict if you can find the appropriate interfaces and plugs and things to configure.

Thanks!

mborzecki1 · August 5, 2025, 5:58am

Have you tried to use account-control interface? https://snapcraft.io/docs/account-control-interface

ogra · August 5, 2025, 10:28am

In general you should install snappy-debug and run the tool alongside your snap on the Ubuntu Core device, that should give you proper suggestions what interfaces you will need to connect (i.e. the error above would likely end up in a suggestion to use and connect the account-control interface like already suggested by mborzecki1 )

seanl · August 5, 2025, 12:51pm

Thanks for the replies. We are running with snappy-debug - it’s not providing much help with regard to this specific issue. It has helped us sort through the rest of our issues, but this one seems different.

And yes, we have tried using the account-control interface. We are still using it currently because we believe we need it - however it does not allow us to run useradd with the --extrausers argument.

For context, here is a snippet of our snapcraft.yaml showing the interfaces and plugs we have defined:

layout:
  /var/log:
    bind: $SNAP_DATA/var/log
  /etc/iproute2:
    bind: $SNAP_DATA/etc/iproute2
  /etc/login.defs:
    symlink: $SNAP_DATA/etc/login.defs
  /etc/default/useradd:
    symlink: $SNAP_DATA/etc/default/useradd
plugs:
  projectname-write-system-files:
    interface: system-files
    write:
      - /var/log/configure-project.log
      - /home/user/.project-configured
      - /home/user
      - /etc/sudoers.d/create-user-user
      - /mnt/project
      - /mnt/projectdata
  projectname-read-system-files:
    interface: system-files
    read:
      - /var/log/configure-project.log
      - /home/user
  projectname-mount-control:
    interface: mount-control
    mount:
      - what: projectdata
        where: /mnt/projectdata
        type: [zfs]
        options: [rw, sync, user_xattr]
      - what: /dev/sda2
        where: /mnt/project
        type: [ext4]
        options: [ro]
apps:
  projectname:
    command: scripts/configure-project.sh
    daemon: simple
    plugs:
      - projectname-write-system-files
      - projectname-read-system-files
      - projectname-mount-control
      - network
      - lxd
      - lxd-support
      - system-observe
      - ssh-keys
      - snapd-control
      - kvm
      - hostname-control
      - home
      - block-devices
      - account-control
      - firewall-control
      - network-control
      - network-observe

You can see account-control is in there, along with tons of other interfaces. This snap is a system setup snap, so it needs a lot of access to bring in and instantiate a few LXD VMs and containers as well as setup a non-Ubuntu-One account “user” that can be ssh’d into.

Based on the error we’re getting: cannot open audit interface - aborting - I was hoping to find an audit interface of some kind that I could add to the plugs - but I don’t see one that has anything to do with audit.

I see that account-control SHOULD work - based on it’s description - however it also says this:

Due to the privileged nature of access enabled by this interface, its use is reserved exclusively for “management snaps” from brand stores.

Which is something we are not. We are an offline, self-signed snap that we bundle into a customer ubuntu-core image.

ogra · August 5, 2025, 1:46pm

Well, for security reasons you will not be able to use either of these solutions without a valid brand store …

The account-control interface as well as snapd-control which both could be used for adding a user (the latter with a valid system-user assertion signed by the brand store owner, the former in a slightly more lax way via useradd to add something to the extrausers DB) are closely bound to the key owners of the brand account …

I fear with “self signed snaps” (whatever this is supposed to be, there is only one gpg key in snapd that is valid and only the store has the private keys to this) you wont really find a secure way to crate any users that is not a gross hack …

seanl · August 5, 2025, 1:57pm

I would love a gross hack if you have any ideas. For now we’re happy running in devmode and everything works fine.

The issue with signing and all that is simply that we can’t upload our snap or our custom ubuntu core image to any internet host - so we can’t be “online” with this. I know there’s an internet connection requirement to setup Ubuntu Core on first boot, but we have a bypass for that as long as we can create the user account we’re trying to make. Which we can do, assuming we leave the snap devmode…which may be the solution.

Thanks again.

ogra · August 5, 2025, 2:00pm

Right, beyond buying a brand store (Canonical offers on-prem offline solutions for this, so that no internet will be needed in production) I suspect devmode (which I’d call one of the gross hacks here) or manually connecting the interface are your only two options …