Using base snaps with account-control doesn't work as intended

Hi,

I’ve been fiddling around with base snaps, and I’ve found that the new core16 and core18 base snaps don’t work with the account-control interface. I have a simple snap which uses useradd to create a new user on a UC16 system under confinement. When I specify base: core16 or base: core18, the account fails to be created, while using base: core the account is created.

The snapcraft.yaml is here: https://github.com/anonymouse64/useradd-base/blob/master/snap/snapcraft.yaml

This is what I see when using the snap (installed locally with --dangerous and --jailmode, then manually connecting account-control with sudo snap connect useradd-base:account-control):

This is the error I see (note that there are no denials in the syslog when this happens):

anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap 
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
base:         core18
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control 
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser
useradd: /var/lib/extrausers/passwd.1548: Read-only file system
useradd: cannot lock /var/lib/extrausers/passwd; try again later.

I will note that running any snaps with core16 doesn’t work out of the box, but if you add the appropriate bits to the snap as I have (see https://github.com/anonymouse64/core16/tree/testing), you get the same result (see the bottom for what happens without these bits in the core16 snap):

anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap 
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
base:         core16-extras
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control 
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser3
useradd: /var/lib/extrausers/passwd.2254: Read-only file system
useradd: cannot lock /var/lib/extrausers/passwd; try again later.

Also, if I go into the mount namespace of the snap using sudo snap run --shell useradd-base and then inspect /var/lib/extrausers/passwd, I see that the file is empty:

anonymouse67@localhost:~$ sudo snap run --shell useradd-base
root@localhost:/home/anonymouse67# cat /var/lib/extrausers/passwd
root@localhost:/home/anonymouse67# 

However, the file has the same contents as outside of the snap mount namespace when running with the core snap as its rootfs:

anonymouse67@localhost:~$ sudo snap run --shell useradd-base
root@localhost:/home/anonymouse67# cat /var/lib/extrausers/passwd
anonymouse67:x:1000:1000:ian.johnson@canonical.com,PBFpW7J,,:/home/anonymouse67:/bin/bash
nonsystemuser:x:1001:1001:,,,:/home/nonsystemuser:/bin/bash
newsys3:x:999:998::/home/newsys3:
sysbobuser4:x:998:997::/home/sysbobuser4:

Lastly, this is the output from not specifying the base (to effectively use the core snap as the base):

anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap 
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control 
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser4
anonymouse67@localhost:~$ cat /var/lib/extrausers/passwd | grep sysbobuser
sysbobuser4:x:998:997::/home/sysbobuser4:

I was asked to ping @mvo about this.

P.S. for completeness, this is what you normally get with core16 from the store:

anonymouse67@localhost:~$ sudo snap install --dangerous --jailmode useradd-base_0.1_amd64.snap 
useradd-base 0.1 installed
anonymouse67@localhost:~$ snap info useradd-base --verbose | grep "base:"
base:         core16
anonymouse67@localhost:~$ sudo snap connect useradd-base:account-control 
anonymouse67@localhost:~$ sudo useradd-base --system sysbobuser2
cannot perform operation: mount --rbind /var/snap /tmp/snap.rootfs_IPeINP//var/snap: No such file or directory
2 Likes

Thanks for this! I’m looking into the issues now.

1 Like

The issues reported are mostly fixed now in edge. The following PRs that add regression tests are pending review:

1 Like