Sign in with

Dear Community User! We are updating our platform to a new system.
Read more: Important information on the platform change.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
SOLVED

App access permissions of unprivileged user within snap context

Go to solution

App access permissions of unprivileged user within snap context

Go to solution
japikas
Established Member

‎12-12-2023 04:23 PM

Hi,

I'm creating a snap for a 3rd party application. This application refuses to run as root. If the application detects it's running with root permissions, it will terminate, thus the application must be executed with unpriviledged user permission within the snap context.

There is a trick how to switch from the default root user to unpriviledged user called snap_daemon inside the snap context: https://snapcraft.io/docs/system-usernames

Now the application accepts to run, but the problem is access to system resource. Snap_daemon does not have permission to bind TCP server socket for listening incoming connections (the port number is outsided of restricted range >1024).

Is there a way allow network bind for unpriviledged user?

Normal application with normal root user would only need 'plugs: network_bind' definition in snapcraft.yaml. For clarity: the problem is not related to permissions of the snap, but permissions of the application inside the snap.

Here are selected relevant parts of my snapcraft.yaml:

system-usernames:
    snap_daemon: shared

apps:
    myapp:
        command: launcher.sh
        plugs: [network, network_bind]

 

0 Likes
Reply
1 REPLY 1

Go to solution
japikas
Established Member

‎12-12-2023 09:24 PM - edited ‎12-12-2023 09:26 PM

Silly me, it's network-bind, not network_bind.

Usually snapcraft is very strict when parsing the snapcraft.yaml file, but for some reason it didn't detected this typo, which is also hard for human to recognize.

I investigated the interfaces of the snap with 'snap connections' command, and wondered why network-bind is missing. That's how I found the typo.

Reply

OK
OK
Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist