Snappy

snappy install --allow-unauthenticated changes ownership of snap

Bug #1438420 reported by Jamie Strandboge on 2015-03-30
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Snappy
Fix Released
High
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

snappy install --allow-unauthenticated /tmp/test-snap.jdstrand_1.2.3_all.snap changes the owner of the snap to clickpkg:clickpkg.

Eg:
$ ls -l /tmp
total 12240
-rwxr-xr-x 1 ubuntu ubuntu 12498600 Mar 30 20:04 snappy
-rw-rw-r-- 1 ubuntu ubuntu 31422 Mar 30 20:04 test-snap.jdstrand_1.2.3_all.snap

$ sudo snappy install --allow-unauthenticated /tmp/test-snap.jdstrand_1.2.3_all.snap
Installing /tmp/test-snap.jdstrand_1.2.3_all.snap
2015/03/30 20:05:15 Signature check failed, but installing anyway as requested
snappy package not found ########### what is this?

$ ls -l /tmp
total 12240
-rwxr-xr-x 1 ubuntu ubuntu 12498600 Mar 30 20:04 snappy
-rw-rw-r-- 1 clickpkg clickpkg 31422 Mar 30 20:04 test-snap.jdstrand_1.2.3_all.snap

Note that test-snap.jdstrand_1.2.3_all.snap is now owned by 'clickpkg:clickpkg.

Related branches

lp:~chipaca/snappy/fix-1438420
Michael Vogt: Approve on 2015-04-14
Diff: 264 lines (+74/-38)
6 files modified
clickdeb/deb.go (+35/-17)
clickdeb/deb_test.go (+15/-10)
cmd/snappy/cmd_internal_unpack.go (+8/-6)
snappy/build.go (+6/-1)
snappy/click.go (+7/-3)
snappy/click_test.go (+3/-1)
Michael Vogt (mvo) on 2015-03-31
Changed in snappy-ubuntu:
status: New → Triaged
importance: Undecided → High
James Hunt (jamesodhunt) wrote :

Note that --allow-unauthenticated is not required to see this behaviour.

James Hunt (jamesodhunt) wrote :

The attached is sufficient to fix the problem. However, I'd like to know the original reason for chowning the snap. Is it simply an oversight, or maybe it was added to ensure that local .snap's that are root:root 0640 install successfully? If the latter, the attached patch is insufficient.

John Lenton (chipaca) wrote : Re: [Bug 1438420] Re: snappy install --allow-unauthenticated changes ownership of snap

why keep the loop at all?

On 9 April 2015 at 14:48, James Hunt <email address hidden> wrote:
> The attached is sufficient to fix the problem. However, I'd like to know
> the original reason for chowning the snap. Is it simply an oversight, or
> maybe it was added to ensure that local .snap's that are root:root 0640
> install successfully? If the latter, the attached patch is insufficient.
>
> ** Patch added: "bug-1438420.patch"
> https://bugs.launchpad.net/snappy-ubuntu/+bug/1438420/+attachment/4370475/+files/bug-1438420.patch
>
> --
> You received this bug notification because you are a member of Snappy
> Developers, which is subscribed to snappy-ubuntu.
> https://bugs.launchpad.net/bugs/1438420
>
> Title:
> snappy install --allow-unauthenticated changes ownership of snap
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snappy-ubuntu/+bug/1438420/+subscriptions

James Hunt (jamesodhunt) wrote :

Sure - this isn't a MP, just a "proof-of-concept" until we understand how the bug was introduced :-)

John Lenton (chipaca) wrote :

While we figure out how it was introduced (hint: there are no tests for this), I've pushed an MP to fix it.

John Lenton (chipaca) on 2015-04-23
Changed in snappy-ubuntu:
status: Triaged → Fix Released
Michael Terry (mterry) on 2015-05-18
affects: snappy-ubuntu → snappy
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers