Home directories listed in /etc/passwd should be honoured

Bug #1607710 reported by Dan Watkins
Affects         Status  Importance  Assigned to  Milestone
Snappy          New     Undecided   Unassigned   -
snapd (Ubuntu)  New     Undecided   Unassigned   -

Bug Description

I'm trying to use a snap as part of a Jenkins job. Jenkins runs its jobs in /var/lib/jenkins/..., which is what home is defined as in /etc/passwd:

$ grep jenkins /etc/passwd
jenkins:x:114:120:Jenkins,,,:/var/lib/jenkins:/bin/bash

However, I get the following error message:

cannot remain in /var/lib/jenkins, please run this snap from another location. errmsg: No such file or directory

Tags: cpc
Dan Watkins (oddbloke)
summary: - Use passwd to determine user home directory
+ Home directories listed in /etc/passwd should be honoured by home
+ interface
Jamie Strandboge (jdstrand) wrote : Re: Home directories listed in /etc/passwd should be honoured by home interface

This is more than just the home interface; we have AppArmor rules that use the @{HOME} variable in the default template and the launcher/snap-run sets up various environment variables (including HOME).

It would be easy enough for the launcher/snap-run to determine the home directory of the user and set the env vars appropriately. You can adjust what @{HOME} expands to with AppArmor policy by dropping files in /etc/apparmor.d/tunables/home.d as well. The trick would be keeping /etc/apparmor.d/tunables/home.d up to date for new users that are added after snaps are run. Any options would include snapd managing /etc/apparmor.d/tunables/home.d/snap.* files in some manner, and when changed, regenerate all the security policy.

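As an added illustration (not code from the bug thread, snapd or AppArmor), the following Python audit parses passwd entries, reports login-capable accounts whose home directory sits outside the AppArmor @{HOMEDIRS} prefixes (the jenkins case above), and emits the kind of tunables/home.d fragment the comment refers to; the sample passwd lines are constructed.

```python
# Added example: find accounts whose /etc/passwd home lies outside
# @{HOMEDIRS} and build a tunables/home.d fragment for them.
# Stock Ubuntu default from /etc/apparmor.d/tunables/home.
DEFAULT_HOMEDIRS = ("/home/",)

# Constructed sample; on a real host read open("/etc/passwd").read().
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
jenkins:x:114:120:Jenkins,,,:/var/lib/jenkins:/bin/bash
postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (user, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        yield fields[0], int(fields[2]), fields[5], fields[6]


def homes_outside_homedirs(text, homedirs=DEFAULT_HOMEDIRS, min_uid=1):
    """Return {user: home} for login-capable accounts (uid >= min_uid, real
    shell) whose home is not under any @{HOMEDIRS} prefix. Root's /root is
    excluded by default because snapd treats it separately."""
    out = {}
    for user, uid, home, shell in parse_passwd(text):
        if uid < min_uid or shell in NOLOGIN_SHELLS:
            continue
        # Compare with a trailing slash so /home does not match /homer.
        if not any((home + "/").startswith(h) for h in homedirs):
            out[user] = home
    return out


def homedirs_tunable(homes):
    """Build a /etc/apparmor.d/tunables/home.d/ fragment using the
    '@{HOMEDIRS}+=/dir/' form documented in the stock tunables/home file.
    Caveat: @{HOME} expands to @{HOMEDIRS}/*/, so adding /var/lib/ makes
    every /var/lib/<x> directory a candidate home; review before deploying."""
    parents = sorted({h.rsplit("/", 1)[0] + "/" for h in homes.values()})
    return "".join(f"@{{HOMEDIRS}}+={p}\n" for p in parents)


if __name__ == "__main__":
    found = homes_outside_homedirs(SAMPLE_PASSWD)
    print(found)
    print(homedirs_tunable(found), end="")
```

Note that this only covers the AppArmor policy side; the bind-mount side handled by snap-confine (see mvo's later comment) is a separate problem.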
Jamie Strandboge (jdstrand) wrote :

I'm going to rephrase the summary of this bug since it really isn't about the home interface.

summary: - Home directories listed in /etc/passwd should be honoured by home
- interface
+ Home directories listed in /etc/passwd should be honoured
Jamie Strandboge (jdstrand) wrote :

Err... "The trick would be keeping /etc/apparmor.d/tunables/home.d up to date for new users that are added after snaps are" *installed*.

Dan Watkins (oddbloke) wrote :

Any advance on this? This is blocking us from snapping up software that we use as part of our existing Jenkins jobs.

Michael Vogt (mvo) wrote :

This is because snap-confine will bind-mount /home but not /var/lib. The previous snap-confine that would just bind-mount selected dirs to white-them-out would have worked here. With the new chroot approach this is much more tricky :/

Jamie Strandboge (jdstrand) wrote :

@mvo: I think what is needed is a combination of generated .fstab files that work for core snap mounts (for those home directories) as well as generated snap.* file(s) in /etc/apparmor.d/tunables/home.d (to access those directories). There is a complication with that since the non-/home directories won't exist in the core snap (i.e., /var/lib/jenkins).

As an aside, having snap-confine consult the .fstab files for core snap mounts would also mean we could move things like the /var/log mount into the log-observe and the /usr/src mount into the system-trace interface and have these mounts conditional on interface connection rather than always bind mounting them in.

Dan Watkins (oddbloke)
tags: added: cpc