snapd

can't remove snap with system-usernames if the username is deleted

Bug #1843956 reported by Ian Johnson on 2019-09-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snapd	Triaged	High	Jamie Strandboge

Bug Description

When installing a snap that declares system-usernames, if you delete the user and/or group that is created for the snap, the snap then becomes unremovable until you re-add that user/group. This is because during the remove change, snapd attempts to disconnect the connections, which fails because the user doesn't exist and snap-seccomp is unable to compile the profile.

See:

```
multipass@spirited-dragonfly:~$ sudo snap install --dangerous postgres_10_amd64.snap
postgres 10 installed
multipass@spirited-dragonfly:~$ grep snap_daemon /etc/passwd
snap_daemon:x:584788:584788::/nonexistent:/bin/false
multipass@spirited-dragonfly:~$ sudo userdel snap_daemon
multipass@spirited-dragonfly:~$ sudo snap remove postgres
error: cannot perform the following tasks:
- Disconnect postgres:network-bind from core:network-bind (cannot setup seccomp for snap "postgres": cannot compile /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src: error: cannot parse line: cannot parse token "g:snap_daemon" (line "setgid g:snap_daemon"): group: unknown group snap_daemon)
- Disconnect postgres:network-bind from core:network-bind (cannot compile /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src: error: cannot parse line: cannot parse token "g:snap_daemon" (line "setgid g:snap_daemon"): group: unknown group snap_daemon)
multipass@spirited-dragonfly:~$ sudo adduser --system snap_daemon
Adding system user `snap_daemon' (UID 111) ...
Adding new user `snap_daemon' (UID 111) with group `nogroup' ...
Creating home directory `/home/snap_daemon' ...
multipass@spirited-dragonfly:~$ sudo addgroup --system snap_daemon
Adding group `snap_daemon' (GID 115) ...
Done.
multipass@spirited-dragonfly:~$ sudo snap remove postgres
postgres removed
```

the postgres snap above has this for system-usernames in the snapcraft.yaml:
```
passthrough:
system-usernames:
snap_daemon: shared
```

This is with snapd 2.41 from candidate channel

Zygmunt Krynicki (zyga) on 2019-09-18

Changed in snapd:
importance:	Undecided → High
status:	New → Triaged

Jamie Strandboge (jdstrand) on 2019-09-24

Changed in snapd:
assignee:	nobody → Jamie Strandboge (jdstrand)

Revision history for this message

Ian Johnson (anonymouse67) wrote on 2019-09-29:

I discovered when I ran into a similar problem in #1845880 that you can remove a snap in this state by first disabling it then removing it because then snapd doesn't need to do anything with the security backend as the `snap disable` just removes all of the security bits entirely.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.