can't remove snap with system-usernames if the username is deleted

Bug #1843956 reported by Ian Johnson
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Triaged | High | Jamie Strandboge | |

Bug Description

When installing a snap that declares system-usernames, if you delete the user and/or group that is created for the snap, the snap then becomes unremovable until you re-add that user/group. This is because during the remove change, snapd attempts to disconnect the connections, which fails because the user doesn't exist and snap-seccomp is unable to compile the profile.

See:

```
multipass@spirited-dragonfly:~$ sudo snap install --dangerous postgres_10_amd64.snap
postgres 10 installed
multipass@spirited-dragonfly:~$ grep snap_daemon /etc/passwd
snap_daemon:x:584788:584788::/nonexistent:/bin/false
multipass@spirited-dragonfly:~$ sudo userdel snap_daemon
multipass@spirited-dragonfly:~$ sudo snap remove postgres
error: cannot perform the following tasks:
- Disconnect postgres:network-bind from core:network-bind (cannot setup seccomp for snap "postgres": cannot compile /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src: error: cannot parse line: cannot parse token "g:snap_daemon" (line "setgid g:snap_daemon"): group: unknown group snap_daemon)
- Disconnect postgres:network-bind from core:network-bind (cannot compile /var/lib/snapd/seccomp/bpf/snap.postgres.postgres.src: error: cannot parse line: cannot parse token "g:snap_daemon" (line "setgid g:snap_daemon"): group: unknown group snap_daemon)
multipass@spirited-dragonfly:~$ sudo adduser --system snap_daemon
Adding system user `snap_daemon' (UID 111) ...
Adding new user `snap_daemon' (UID 111) with group `nogroup' ...
Creating home directory `/home/snap_daemon' ...
multipass@spirited-dragonfly:~$ sudo addgroup --system snap_daemon
Adding group `snap_daemon' (GID 115) ...
Done.
multipass@spirited-dragonfly:~$ sudo snap remove postgres
postgres removed
```

The postgres snap above has this for system-usernames in the snapcraft.yaml:
```
passthrough:
  system-usernames:
    snap_daemon: shared
```

This is with snapd 2.41 from the candidate channel.

Zygmunt Krynicki (zyga)
Changed in snapd:
importance: Undecided → High
status: New → Triaged
Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)
Ian Johnson (anonymouse67) wrote :

I discovered, when I ran into a similar problem in #1845880, that you can remove a snap in this state by first disabling it and then removing it, because then snapd doesn't need to do anything with the security backend, as `snap disable` just removes all of the security bits entirely.
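A pre-flight check for the failure reported above, added here as an example (it is not part of the bug report or of snapd): it lists the `g:NAME` / `u:NAME` tokens in a seccomp profile source that no longer resolve, which is the condition that makes snap-seccomp fail to compile. The `u:` form, the overridable `LOOKUP` variable and the sample profile are assumptions of this example; only `setgid g:snap_daemon` and the `/var/lib/snapd/seccomp/bpf/` path come from the report.

```shell
#!/bin/sh
# Added example (not snapd code): report user/group names that a snap's seccomp
# profile source references but that no longer resolve on this host.

# Resolver command, called as: $LOOKUP passwd|group NAME. Being able to
# override it is an assumption of this example so the check can run offline.
LOOKUP=${LOOKUP:-getent}

# missing_ids FILE: print "group NAME" or "passwd NAME" per unresolved name.
missing_ids() {
    # Skip comment lines, keep g:NAME / u:NAME tokens, de-duplicate.
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^[ug]:[A-Za-z_][A-Za-z0-9_-]*$/) print $i }' "$1" |
    sort -u |
    while IFS=: read -r kind name; do
        case $kind in
            u) db=passwd ;;
            g) db=group ;;
        esac
        "$LOOKUP" "$db" "$name" >/dev/null 2>&1 || echo "$db $name"
    done
}

# Constructed sample profile. Only "setgid g:snap_daemon" comes from the error
# message in the report; the other lines are made up for illustration.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real snapd profile
read
setgid g:snap_daemon
setuid u:snap_daemon
setgid g:root
EOF
}

# With arguments: check those files, e.g. /var/lib/snapd/seccomp/bpf/*.src.
# Without: check the constructed sample against the host's real databases.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        missing_ids "$f" | while read -r db name; do
            echo "$f: unknown $db entry: $name"
        done
    done
else
    tmp=$(mktemp) && write_sample "$tmp" && missing_ids "$tmp"
    rm -f "$tmp"
fi
```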
