please allow chown for calling user (eg, for files in SNAP_USER_DATA or chowning to root)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd (Ubuntu) | Won't Fix | Wishlist | Unassigned |
Bug Description
Similar to bug 1580018, I'm not sure if the default apparmor profile is not correct, or possibly this bug is invalid and `sed -i.bak` should be denied.
AFAICT, the issue is that sed -i.bak tries a chown syscall on the backup file in the $SNAP_USER_DATA directory, and the apparmor profile does not allow that (perhaps for good reason).
```
michael@
#! /bin/bash
echo "The quick brown fox jumped over the lazy dog" > $SNAP_USER_
sed 's/quick/fast/' $SNAP_USER_
sed -i.bak 's/quick/fast/' $SNAP_USER_
chown
michael@
The fast brown fox jumped over the lazy dog
/snap/todo-
/snap/todo-
126 michael@
total 12
-rw-rw-r-- 1 michael michael 44 May 13 04:30 sed-output.txt
-rw-rw-r-- 1 michael michael 45 May 13 04:30 sed-test.txt
---------- 1 michael michael 44 May 13 04:30 sedwCnCDY
michael@
[ +39.843825] audit: type=1326 audit(146311385
[ +0.001342] audit: type=1400 audit(146311385
[ +0.000100] audit: type=1400 audit(146311385
michael@
fchown
```
Changed in snapd (Ubuntu): importance: Medium → High
Interestingly, sed is happy to ignore failures on fchown itself:
```
$ grep chown sed/execute.c -B4 -A2
  output_fd = fileno (output_file.fp);
#ifdef HAVE_FCHOWN
  /* Try to set both UID and GID, but if that fails,
     try to set only the GID.  Ignore failure.  */
  if (fchown (output_fd, input->st.st_uid, input->st.st_gid) == -1)
    ignore_value (fchown (output_fd, -1, input->st.st_gid));
#endif
  copy_acl (input->in_file_name, input_fd,
```
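To make the sed behaviour quoted above concrete, here is an added, stand-alone C example (not sed's code and not part of this bug report) that performs an in-place edit the same way `sed -i.bak` does: write to a temporary file in the same directory, try `fchown` to the original owner with a gid-only fallback, copy the mode, rename the original to a `.bak` backup and rename the temporary file over the original. The function and helper names (`edit_in_place`, `demo_sed_style_edit`, the `EDIT_*` codes) are this example's own. The `chown_failed` flag shows why the ownership step is best effort: a plain `EPERM` from `fchown` is swallowed exactly as sed's `ignore_value` does, whereas a confinement policy that denies the syscall at the kernel instead of returning an error never lets that fallback run, which is the situation the audit records above describe.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes returned by edit_in_place(). */
enum { EDIT_OK = 0, EDIT_OPEN_FAIL = 1, EDIT_TMP_FAIL = 2, EDIT_RENAME_FAIL = 3 };

/* Replace the first occurrence of `from` with `to` on every line of `path`.
 * Mirrors the strategy of sed -i: write a temp file beside the original,
 * restore ownership/mode on a best-effort basis, then rename() atomically.
 * If backup_suffix is non-NULL the original is kept as path+suffix first.
 * *chown_failed is set to 1 when ownership could not be restored; like sed,
 * that is not treated as fatal. */
int edit_in_place(const char *path, const char *from, const char *to,
                  const char *backup_suffix, int *chown_failed)
{
    struct stat st;
    FILE *in = fopen(path, "r");
    if (!in || fstat(fileno(in), &st) != 0) {
        if (in) fclose(in);
        return EDIT_OPEN_FAIL;
    }

    /* Temp file in the same directory so the final rename() is atomic. */
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int tfd = mkstemp(tmp);
    if (tfd < 0) { fclose(in); return EDIT_TMP_FAIL; }
    FILE *out = fdopen(tfd, "w");

    char line[4096];
    size_t flen = strlen(from);
    while (fgets(line, sizeof line, in)) {
        char *hit = flen ? strstr(line, from) : NULL;
        if (hit) {
            fwrite(line, 1, (size_t)(hit - line), out);
            fputs(to, out);
            fputs(hit + flen, out);
        } else {
            fputs(line, out);
        }
    }
    fclose(in);

    /* Same as sed: try uid+gid, fall back to gid only, never abort on EPERM. */
    *chown_failed = 0;
    if (fchown(tfd, st.st_uid, st.st_gid) == -1 &&
        fchown(tfd, (uid_t)-1, st.st_gid) == -1)
        *chown_failed = 1;
    fchmod(tfd, st.st_mode & 07777);
    if (fclose(out) != 0) { unlink(tmp); return EDIT_TMP_FAIL; }

    if (backup_suffix) {
        char bak[4096];
        snprintf(bak, sizeof bak, "%s%s", path, backup_suffix);
        if (rename(path, bak) != 0) { unlink(tmp); return EDIT_RENAME_FAIL; }
    }
    if (rename(tmp, path) != 0) { unlink(tmp); return EDIT_RENAME_FAIL; }
    return EDIT_OK;
}

/* Read a whole small file into buf; returns 1 on success. */
static int read_text(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return 1;
}

/* Constructed scenario mirroring the bug report: the sentence from the
 * script, edited with quick -> fast and a .bak backup, in a private temp
 * directory. Returns 1 when the edited file and the backup both check out. */
int demo_sed_style_edit(void)
{
    char dir[] = "/tmp/sed-edit-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char path[4200], bak[4300], got[256], saved[256];
    snprintf(path, sizeof path, "%s/sed-test.txt", dir);
    snprintf(bak, sizeof bak, "%s.bak", path);

    FILE *f = fopen(path, "w");
    if (!f) return 0;
    fputs("The quick brown fox jumped over the lazy dog\n", f);
    fclose(f);

    int chown_failed = 0;
    int rc = edit_in_place(path, "quick", "fast", ".bak", &chown_failed);
    int ok = rc == EDIT_OK && read_text(path, got, sizeof got) &&
             read_text(bak, saved, sizeof saved) &&
             strcmp(got, "The fast brown fox jumped over the lazy dog\n") == 0 &&
             strcmp(saved, "The quick brown fox jumped over the lazy dog\n") == 0;
    unlink(path); unlink(bak); rmdir(dir);
    return ok;
}

/* Edit of a path that does not exist: reports EDIT_OPEN_FAIL, touches nothing. */
int demo_missing_file(void)
{
    int chown_failed = 0;
    return edit_in_place("/nonexistent-dir-for-demo/x.txt", "a", "b", NULL, &chown_failed);
}

int main(void)
{
    printf("in-place edit with backup: %s\n", demo_sed_style_edit() ? "ok" : "FAILED");
    printf("missing file returns code: %d\n", demo_missing_file());
    return 0;
}
```

Running this unconfined, `chown_failed` stays 0 because the temporary file already belongs to the calling user; the point of the flag is that the program keeps working when the call merely fails, which is the behaviour the quoted sed source relies on.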