can't remove snap with system-usernames if the username is deleted

Bug #1843956 reported by Ian Johnson on 2019-09-13
This bug affects 1 person
Affects: snapd
Importance: High
Assigned to: Jamie Strandboge

Bug Description

When installing a snap that declares system-usernames, if you delete the user and/or group that is created for the snap, the snap then becomes unremovable until you re-add that user/group. This is because during the remove change, snapd attempts to disconnect the connections, which fails because the user doesn't exist and snap-seccomp is unable to compile the profile.

See:

```
multipass@spirited-dragonfly:~$ sudo snap install --dangerous postgres_10_amd64.snap
postgres 10 installed
multipass@spirited-dragonfly:~$ grep snap_daemon /etc/passwd
snap_daemon:x:584788:584788::/nonexistent:/bin/false
multipass@spirited-dragonfly:~$ sudo userdel snap_daemon
multipass@spirited-dragonfly:~$ sudo snap remove postgres
error: cannot perform the following tasks:
- Disconnect postgres:network-bind from core:network-bind (cannot setup seccomp for snap "postgres": cannot compile /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src: error: cannot parse line: cannot parse token "g:snap_daemon" (line "setgid g:snap_daemon"): group: unknown group snap_daemon)
- Disconnect postgres:network-bind from core:network-bind (cannot compile /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src: error: cannot parse line: cannot parse token "g:snap_daemon" (line "setgid g:snap_daemon"): group: unknown group snap_daemon)
multipass@spirited-dragonfly:~$ sudo adduser --system snap_daemon
Adding system user `snap_daemon' (UID 111) ...
Adding new user `snap_daemon' (UID 111) with group `nogroup' ...
Creating home directory `/home/snap_daemon' ...
multipass@spirited-dragonfly:~$ sudo addgroup --system snap_daemon
Adding group `snap_daemon' (GID 115) ...
Done.
multipass@spirited-dragonfly:~$ sudo snap remove postgres
postgres removed
```

The postgres snap above has this for system-usernames in the snapcraft.yaml:

```
passthrough:
  system-usernames:
    snap_daemon: shared
```

This is with snapd 2.41 from the candidate channel.

Zygmunt Krynicki (zyga) on 2019-09-18

Changed in snapd:
importance: Undecided → High
status: New → Triaged

Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)

Ian Johnson (anonymouse67) wrote:

I discovered, when I ran into a similar problem in #1845880, that you can remove a snap in this state by first disabling it and then removing it, because then snapd doesn't need to do anything with the security backend, as the `snap disable` just removes all of the security bits entirely.
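
The failure in the report comes from a `g:snap_daemon` token in the seccomp profile source that no longer resolves. The following is an added example, not part of the original report or of snapd: a shell check that lists every `u:`/`g:` token in a profile source that has no matching account. The function names, the `u:` prefix handling, the `#` comment skipping and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not snapd code): report u:/g: tokens in a snap-seccomp profile
# source that do not resolve to an existing user or group.

# name_exists DB NAME [FILE]: succeed if NAME is the first field of a line in
# FILE; with no FILE, fall back to `getent DB NAME` (DB is passwd or group).
name_exists() {
    if [ -n "$3" ]; then
        awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$3"
    else
        getent "$1" "$2" >/dev/null 2>&1
    fi
}

# unresolved_ids PROFILE [PASSWD_FILE] [GROUP_FILE]
# Prints each unresolved token once, one per line, e.g. "g:snap_daemon".
unresolved_ids() {
    profile=$1
    passwd_file=${2:-}
    group_file=${3:-}
    # Assumption: lines starting with '#' are comments and are skipped.
    awk '!/^[[:space:]]*#/ { for (i = 1; i <= NF; i++) if ($i ~ /^[ug]:./) print $i }' \
        "$profile" | sort -u |
    while IFS= read -r tok; do
        name=${tok#?:}   # strip the "u:" or "g:" prefix
        case $tok in
            u:*) name_exists passwd "$name" "$passwd_file" || printf '%s\n' "$tok" ;;
            g:*) name_exists group  "$name" "$group_file"  || printf '%s\n' "$tok" ;;
        esac
    done
}

# Constructed sample input: a profile fragment plus passwd/group files that
# lack snap_daemon, mirroring the state after `userdel snap_daemon`.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample profile' 'setgid g:snap_daemon' \
        'setuid u:snap_daemon' 'setgid g:root' > "$d/profile.src"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'root:x:0:\n' > "$d/group"
    unresolved_ids "$d/profile.src" "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

On a real system, `unresolved_ids /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src` checks the profile named in the error message against the live account databases through `getent`. Any token it prints means the profile will not compile until the account is re-added or the snap is disabled first, as described above.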
