Mechanism to create system groups
LXD's main security mechanism for local users is done through group membership.
The LXD snap assumes the existence of a "lxd" group and makes the lxd Unix socket owned by that group. That way only members of that group (or root) may access LXD.
snapd interfaces work great to prevent other snaps from talking to LXD, but do not help restrict access from other applications (on classic).
For the time being, the LXD snap simply assumes that the "lxd" group exists. If it doesn't, the daemon will fail to start.
This bug is to track both a temporary workaround (as suggested by Mark in comments below), to just have snapd always create the "lxd" system group if it doesn't exist, and to discuss what the right mechanism to manage groups would be moving forward.
Changed in snappy: status: New → Confirmed
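
An added example, not part of the bug report and not LXD or snapd code: a POSIX shell pre-flight check for the model described above. It confirms the group exists, lists who is in it, and verifies the socket is owned by that group with no access for others. The socket path default, the function names and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit the group-gated socket model from the report above.
# Assumptions (not from the page): snap socket path, GNU stat, function names.
LXD_GROUP="${LXD_GROUP:-lxd}"
LXD_SOCKET="${LXD_SOCKET:-/var/snap/lxd/common/lxd/unix.socket}"

# group_line NAME [FILE]: print NAME's group(5) entry; non-zero if absent.
# FILE lets the check run against a fixture; otherwise NSS is consulted.
group_line() {
    if [ -n "${2:-}" ]; then
        awk -F: -v g="$1" '$1 == g { print; f = 1 } END { exit !f }' "$2"
    elif command -v getent >/dev/null 2>&1; then
        getent group "$1"
    else
        awk -F: -v g="$1" '$1 == g { print; f = 1 } END { exit !f }' /etc/group
    fi
}

# group_members NAME [FILE]: supplementary members, space separated.
# Users whose *primary* group is NAME are not listed in this field.
group_members() {
    group_line "$@" | awk -F: '{ gsub(/,/, " ", $4); print $4 }'
}

# check_gated PATH GROUP: succeed only if PATH belongs to GROUP and grants
# nothing to "other" (connecting to a Unix socket needs write permission).
check_gated() {
    owner=$(stat -c '%G' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    [ "$owner" = "$2" ] || { echo "FAIL: $1 group is '$owner', want '$2'"; return 1; }
    [ "$other" = 0 ] || { echo "FAIL: $1 mode $mode admits non-members"; return 1; }
    echo "OK: $1 is group '$owner', mode $mode"
}

audit() {
    group_line "$LXD_GROUP" >/dev/null ||
        { echo "FAIL: group '$LXD_GROUP' missing"; return 1; }
    echo "accounts with LXD access via group: $(group_members "$LXD_GROUP")"
    [ -S "$LXD_SOCKET" ] || { echo "WARN: no socket at $LXD_SOCKET"; return 2; }
    check_gated "$LXD_SOCKET" "$LXD_GROUP"
}

# Run the audit only when asked, e.g.: sh lxd-group-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```
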