snapd not give privileges to squid3

Bug #1585056 reported by vasilisc
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd (Ubuntu) | Confirmed | Undecided | Celso Providelo | |

Bug Description

1) lsb_release -rd
Description: Ubuntu Yakkety Yak (development branch)
Release: 16.10

2) apt-cache policy snapd
snapd:
  Installed: 2.0.2
  Candidate: 2.0.2
  Version table:
 *** 2.0.2 500
        500 http://fi.archive.ubuntu.com/ubuntu devel/main amd64 Packages
        100 /var/lib/dpkg/status

3) squid3 can't open port 3128.

4)
# snap list
Name Version Developer
squid3 3.5.16-2 cprov
ubuntu-core 16.04+20160419.20-55 canonical

# snap interfaces
Slot Plug
:network squid3
:network-bind squid3

# netstat -n|grep squid
empty output
# netstat -n|grep 3128
empty output

# grep 3128 /snap/squid3/current/etc/squid/squid.conf
# Squid normally listens to port 3128
http_port 3128

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: snapd 2.0.2
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
ApportVersion: 2.20.1-0ubuntu4
Architecture: amd64
Date: Tue May 24 08:52:01 2016
InstallationDate: Installed on 2014-04-21 (763 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: snapd
UpgradeStatus: No upgrade log present (probably fresh install)

Michael Vogt (mvo) wrote :

Indeed, it looks like the squid3 snap is buggy:
```
ubuntu@localhost:~$ sudo squid3
Bad system call
ubuntu@localhost:~$ dmesg |tail -1
[ 2433.369346] audit: type=1326 audit(1464602357.655:49): auid=1000 uid=0 gid=0 ses=2 pid=4425 comm="squid" exe="/snap/squid3/3/sbin/squid" sig=31 arch=c000003e syscall=116 compat=0 ip=0x7f0733603f49 code=0x0
ubuntu@localhost:~$ scmp_sys_resolver 116
setgroups
```
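
The decoding done by hand in the comment above (read the `type=1326` audit record, then resolve the syscall number) can be scripted for triage. This is an added Python example, not part of the original comment or of snapd; the function names are hypothetical, the syscall table is a deliberately small x86_64 subset, and the second sample line is constructed.

```python
import re

# x86_64 numbers for the credential-changing syscalls a daemon makes when it
# drops privileges (subset only; other architectures number them differently).
X86_64_CRED_SYSCALLS = {105: "setuid", 106: "setgid", 113: "setreuid", 114: "setregid",
                        116: "setgroups", 117: "setresuid", 119: "setresgid"}
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386",
              0xC00000B7: "aarch64", 0x40000028: "arm"}
SECCOMP_ACTION = {0x0: "kill", 0x30000: "trap", 0x50000: "errno"}  # code= field
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Decode one kernel audit line; None unless it is a type=1326 (SECCOMP) record."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None
    try:
        arch = AUDIT_ARCH.get(int(fields["arch"], 16), fields["arch"])
        nr = int(fields["syscall"])
        code = int(fields.get("code", "0x0"), 16)
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    known = X86_64_CRED_SYSCALLS if arch == "x86_64" else {}
    snap = re.match(r"/snap/([^/]+)/([^/]+)/", fields.get("exe", ""))
    return {
        "comm": fields.get("comm"),
        "snap": snap.group(1) if snap else None,      # snap name from the exe path
        "revision": snap.group(2) if snap else None,
        "arch": arch,
        "syscall_name": known.get(nr, f"unknown({nr})"),
        "killed_by_sigsys": fields.get("sig") == "31",  # 31 is SIGSYS on x86 Linux
        "action": SECCOMP_ACTION.get(code, hex(code)),
    }

# First line: the record quoted in the comment above. Second line: constructed
# AppArmor-style record, included to show that non-seccomp lines are skipped.
LINES = [
    '[ 2433.369346] audit: type=1326 audit(1464602357.655:49): auid=1000 uid=0 gid=0 '
    'ses=2 pid=4425 comm="squid" exe="/snap/squid3/3/sbin/squid" sig=31 '
    'arch=c000003e syscall=116 compat=0 ip=0x7f0733603f49 code=0x0',
    '[ 2433.401122] audit: type=1400 audit(1464602357.690:50): apparmor="DENIED" '
    'operation="open" profile="example" pid=4425 comm="squid"',
]

def seccomp_denials(lines):
    return [r for r in map(parse_seccomp_record, lines) if r]

if __name__ == "__main__":
    for r in seccomp_denials(LINES):
        print(f'{r["snap"]} (rev {r["revision"]}): {r["syscall_name"]} -> {r["action"]}')
```
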

Celso Providelo (cprov)
Changed in snapd (Ubuntu):
assignee: nobody → Celso Providelo (cprov)
status: New → Confirmed
Zygmunt Krynicki (zyga) wrote : Re: [Bug 1585056] Re: snapd not give privileges to squid3

Is it expected for a snapped application to set group IDs?


Oliver Grawert (ogra) wrote :

nope

Celso Providelo (cprov) wrote :

Thanks for the report, this exploratory work requires a lot more attention from me.

It turns out that squid is offending snap confinement on many different fronts (logging and working dir, on top of the setgid) and I need to investigate what would be the best solution from the squid perspective.

For now, to unblock users and potential contributors, I've republished it as devmode on 16 edge channel (so it's clear that it's not ready for production) with a custom squid.conf that allows it to start (barely):

```
$ sudo snap install squid3 --devmode --channel=edge
14.99 MB / 14.99 MB [========================================================>_] 100.00 % 3.07 MB/s

Name Version Rev Developer
squid3 3.5.16-3 5 cprov

$ sudo mkdir -m o+rw /var/snap/squid3/current/logs

$ squid3 -N
...
```

Current snapcraft setup and custom configuration can be found at https://code.launchpad.net/~cprov/+git/squid-snap

Sorry for the inconvenience and misleading expectation I've caused.
