Ubuntu
snapd package

Snap installed with --devmode can't use sudo

Bug #1610292 reported by Chris Wayne
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Snappy
Invalid
Undecided
Unassigned
snapd (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

When installing a snap that has scripts that call sudo (in this case, checkbox-snappy, available in the store on edge channel), any call to sudo fails with "pkexec must be setuid root" when run on a classic 16.04 or 16.10 system. Calling the snap itself with sudo fixes the issue, but for other reasons we would prefer to elevate to sudo only on scripts where it is required.

snapd: 2.11+16.10
snap-confine: 1.0.38-3
Ubuntu 16.04 + 16.10

Expected results:

A snap installed with --devmode should be able to run sudo

Actual results:

Any call to sudo fails with the error "pkexec must be setuid root"

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: snapd 2.11+16.10
ProcVersionSignature: Ubuntu 4.4.0-33.52-generic 4.4.15
Uname: Linux 4.4.0-33-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.3-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Aug 5 11:08:14 2016
InstallationDate: Installed on 2015-04-24 (468 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: snapd
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Chris Wayne (cwayne) wrote :
Chris Wayne (cwayne)
summary: - Snap installed with --devmode can't use sudo (pkexec must be setuid
- root)
+ Snap installed with --devmode can't use sudo
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

A devmode snap should be able to use sudo. I think the error stems from this:

'Any call to sudo fails with the error "pkexec must be setuid root"'

pkexec is not part of the core snap. sudo itself doesn't call pkexec for anything. Is checkbox using 'sudo something.that.eventually.calls.pkexec'?

Jamie Strandboge (jdstrand)
Changed in snappy:
status: New → Incomplete
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This is not true:

 any call to sudo fails with "pkexec must be setuid root"

This is plainbox attempting to use pkexec after failing to use sudo.

Revision history for this message
Sylvain Pineau (sylvain-pineau) wrote :

It was indeed plainbox calling pkexec (the one from the snap). I've landed a change to lower the score of the pkexec execution controller when snappy is detected to always use sudo when we have to run job commands as root.

The updated plainbox is available on pypi: https://pypi.python.org/pypi/plainbox/0.30.post1

I've rebuilt our checkbox snap and with --devmode, we can now run jobs as root without having to call our app with sudo.

I'm setting this as Invalid for snapd.

Thanks a lot for your help and pointers to diagnose this bug.

Changed in snapd (Ubuntu):
status: New → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for reporting back Sylvain! :)

Changed in snappy:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.