should not remove suid/guid from binaries when confinement is devmode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snapcraft | New | Undecided | Unassigned |
Bug Description
Use case: I’m building a snap for webbrowser-app, which embeds oxide (https:/
Removing suid/guid from /build/
This effectively prevents oxide from functioning correctly:
[0705/173002:
While the issue will need to be addressed properly, I think that when building the snap in devmode, snapcraft shouldn’t remove the suid/guid from the binary, as it would be useful for testing the resulting package unconfined.
Thank you for filing a bug. I think this is the wrong way to handle this with the current implementation since snaps are created with -all-root and therefore any suid/sgid files would automatically be root. An implementation that supports suid/sgid unconditionally in snaps that worked meaningfully for the snaps would need very careful design.
I think the proper solution would be to not use the setuid sandbox but instead use the userns sandbox once it is supported (bug #1586547). Using the userns sandbox will allow the snap to work in devmode today. To make the snap work in strict mode today (i.e., while 1586547 remains open), you can disable the chromium sandbox and rely on snapd's security policy.
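The reply above notes that a snap packed with -all-root would turn any surviving suid/sgid file into a root-owned one. As an added example (not Snapcraft's code and not part of the original thread), this Python sketch audits a staged tree for such files and clears the bits before packing; the tree layout and the file names `sandbox-helper` and `browser` are constructed for illustration.

```python
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root):
    """Return sorted (relative_path, kind) pairs for regular files with suid/sgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            kinds = [label for flag, label in
                     ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"))
                     if st.st_mode & flag]
            if kinds:
                hits.append((os.path.relpath(path, root), "+".join(kinds)))
    return sorted(hits)


def strip_setid_bits(root):
    """Clear suid/sgid on every hit, keep the other mode bits, return changed paths."""
    changed = []
    for rel, _kind in find_setid_files(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SPECIAL_BITS)
        changed.append(rel)
    return changed


def demo():
    """Constructed staging tree: one setuid helper (hypothetical name), one plain binary."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "usr", "lib")
        os.makedirs(libdir)
        for name, mode in (("sandbox-helper", 0o4755), ("browser", 0o755)):
            path = os.path.join(libdir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        before = find_setid_files(root)
        stripped = strip_setid_bits(root)
        return before, stripped, find_setid_files(root)


if __name__ == "__main__":
    print(demo())
```

Running `find_setid_files` alone against a build's staging directory gives a report-only audit, which is useful for spotting which binaries depend on a setuid helper before deciding how to sandbox them.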