On Tue, 2016-08-16 at 09:53 -0400, Chris Wayne wrote:
> Is this something that could be added to the roadmap? We'd really prefer
> to not have to call the snap itself with sudo as it creates some
> permissions issues (root-owned dirs in $HOME for example) and some other
> general flakiness. What would the sudo interface entail, just access to
> /usr/bin/sudo and /etc/sudoers.d/snap.mountpoint?
>

In the bug[1] we're focused on sudo and/or pkexec not working within a devmode
snap. With devmode, sudo should work and we can work through how to fix that.
Indeed, the conversation has moved to the bug.

Using sudo from within a strict mode snap is fundamentally at odds with what
strict mode is meant to accomplish and adding a sudo interface while keeping
strong confinement is a very thorny problem. This mailing list discussion
veered into that area, but I suggest we focus on devmode.

[1] https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1610292

> On Mon, Aug 8, 2016 at 5:27 AM, Oliver Grawert <o...@ubuntu.com> wrote:
> >
> > hi,
> > On Monday, 08.08.2016, at 09:36 +0200, Simon Fels wrote:
> > >
> > > On 06.08.2016 15:54, Chris Wayne wrote:
> > > >
> > > > Hi guys,
> > > >
> > > > I seem to be having some issues while running anything as sudo from
> > > > within a snap (namely bug
> > > > https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1610292).
> > > If you package sudo within your snap snapcraft will strip the
> > > necessary suid bit from it so it won't work anymore. Only way to use
> > > sudo is to use the one from the core snap.
> > >
> > how would you hook into /etc/sudoers (or /etc/sudoers.d/) ?
> > snapd would have to install or bind-mount a sudoers file above the one
> > from the core snap ... you also need to make sure that your user exists
> > in the password db ... both get very hairy in an all-snap image where
> > the core snap is actually the rootfs (and both of the above files are
> > required for having the system functional)
> >
> > i could imagine a sudo interface here (for the binary) and shipping a
> > generic /etc/sudoers.d/snapd mountpoint in the core snap where
> > snapd/snap-confine could bind-mount a shipped sudoers snippet, but that
> > still leaves the passwd db issue open...
> >
> > ciao
> >     oli
> > --
> > Snapcraft mailing list
> > Snapcraft@lists.snapcraft.io
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/snapcraft

--
Jamie Strandboge | http://www.canonical.com