Hi,
I’ve been fiddling around with base snaps, and I’ve found that the new core16 and core18 base snaps don’t work with the account-control interface. I have a simple snap which uses useradd to create a new user on a UC16 system under confinement. When I specify base: core16 or base: core18, the account fails to be created, while using base: core the account is created.
The snapcraft.yaml is here: https://github.com/anonymouse64/useradd-base/blob/master/snap/snapcraft.yaml
This is what I see when using the snap (installed locally with --dangerous and --jailmode, then manually connecting account-control with sudo snap connect useradd-base:account-control):
This is the error I see (note that there are no denials in the syslog when this happens):
anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
base: core18
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser
useradd: /var/lib/extrausers/passwd.1548: Read-only file system
useradd: cannot lock /var/lib/extrausers/passwd; try again later.
I will note that running any snaps with core16 doesn’t work out of the box, but if you add the appropriate bits to the snap as I have (see https://github.com/anonymouse64/core16/tree/testing), you get the same result (see the bottom for what happens without these bits in the core16 snap):
anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
base: core16-extras
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser3
useradd: /var/lib/extrausers/passwd.2254: Read-only file system
useradd: cannot lock /var/lib/extrausers/passwd; try again later.
Also, if I go into the mount namespace of the snap using sudo snap run --shell useradd-base and then inspect /var/lib/extrausers/passwd, I see that the file is empty:
anonymouse67@localhost:~$ sudo snap run --shell useradd-base
root@localhost:/home/anonymouse67# cat /var/lib/extrausers/passwd
root@localhost:/home/anonymouse67#
However, the file has the same contents as outside of the snap mount namespace when running with the core snap as its rootfs:
anonymouse67@localhost:~$ sudo snap run --shell useradd-base
root@localhost:/home/anonymouse67# cat /var/lib/extrausers/passwd
anonymouse67:x:1000:1000:ian.johnson@canonical.com,PBFpW7J,,:/home/anonymouse67:/bin/bash
nonsystemuser:x:1001:1001:,,,:/home/nonsystemuser:/bin/bash
newsys3:x:999:998::/home/newsys3:
sysbobuser4:x:998:997::/home/sysbobuser4:
Lastly, this is the output from not specifying the base (to effectively use the core snap as the base):
anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser4
anonymouse67@localhost:~$ cat /var/lib/extrausers/passwd | grep sysbobuser
sysbobuser4:x:998:997::/home/sysbobuser4:
I was asked to ping @mvo about this.
P.S. for completeness, this is what you normally get with core16 from the store:
anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
base: core16
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser2
cannot perform operation: mount --rbind /var/snap /tmp/snap.rootfs_IPeINP//var/snap: No such file or directory
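
Added example, not part of the original post or of snapd: a shell helper that reads a mountinfo table and reports which mount backs a path and whether it is read-only, which is the check that distinguishes the "Read-only file system" case above from the working one. The function names and both mountinfo samples are constructed for illustration; the mount layouts in them are assumptions, not captures from the system in the post.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): find the mount that backs a
# path in a mountinfo table and report whether it is writable.
# Usage: mount_for_path MOUNTINFO_FILE PATH  ->  "<mountpoint> <fstype> <ro|rw>"
# MOUNTINFO_FILE may be "-" for stdin. Escaped mount points (\040) are not decoded.
mount_for_path() {
    awk -v target="$2" '
    function has_ro(opts,   a, n, i) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == "ro") return 1
        return 0
    }
    {
        mp = $5
        # Skip mounts that are neither "/" nor a directory prefix of the target.
        if (mp != "/" && target != mp && index(target, mp "/") != 1) next
        # Keep the deepest match; a later mount at equal depth shadows earlier ones.
        if (length(mp) < length(best)) next
        # Fields after the "-" separator: fstype, source, superblock options.
        for (i = 7; i <= NF; i++) if ($i == "-") break
        best = mp; fstype = $(i + 1)
        mode = (has_ro($6) || has_ro($(i + 3))) ? "ro" : "rw"
    }
    END { if (best != "") print best, fstype, mode }' "$1"
}

# Constructed sample (assumed layout): the base snap root is a read-only
# squashfs and nothing writable is mounted over /var/lib/extrausers.
sample_readonly_base() {
    cat <<'EOF'
100 99 7:3 / / ro,nodev,relatime master:20 - squashfs /dev/loop3 ro
101 100 8:2 /system-data/var/snap /var/snap rw,relatime master:5 - ext4 /dev/sda2 rw,data=ordered
EOF
}

# Constructed sample (assumed layout): a writable bind mount covers the directory.
sample_writable_bind() {
    sample_readonly_base
    echo '102 100 8:2 /system-data/var/lib/extrausers /var/lib/extrausers rw,relatime master:5 - ext4 /dev/sda2 rw,data=ordered'
}

sample_readonly_base | mount_for_path - /var/lib/extrausers/passwd
sample_writable_bind | mount_for_path - /var/lib/extrausers/passwd
```

To check a live system, run `mount_for_path /proc/self/mountinfo /var/lib/extrausers/passwd` from inside `sudo snap run --shell useradd-base` and compare the result across bases.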