fix: access to files needed for user management #220
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR
This change grants write permissions to files, folders, and interfaces required for user management to work on the snap when it's running on Ubuntu classic.
DETAILS
After #218, I realized I was testing in
devmode
where permissions are lax. After switching todangerous
which is strict, I realized that nothing works 😞. This PR should get landscape-client snap's user management working on Ubuntu classic.Here's a laundry list of the issues I played whack-a-mole with along the way (it should also justify choices made with the fixes):
1.
adduser
overwriting$PATH
Trying to run
adduser
inside the snap's shell (essentially whatlandscape.client.user.management.UserManagement
does) led to the following error:The issue here is we're trying to use
/sbin/groupadd
which we don't have access to:Though we already have groupadd inside the snap (from the staged
passwd
package):Digging deeper, we find that the adduser package modifies
$PATH
here:Then it runs
which
with the modified$PATH
here:The fix here is to delete the offending line while building the snap:
2. Access to the kernel's audit interface
Next, we find that
groupadd
can't open the kernel's audit interface:Fixed by adding the netlink-audit interface.
3. Read & write access to
/etc
Next, we find that
groupadd
can't create the/etc/group.lock
lock file to prevent simultaneous updates to/etc/group
.Tried fixing this by plugging the system-files interface with read & write access to the following files:
And it still doesn't work since
groupadd
keeps creating files with random suffixes/etc/group.N
:We also can't use patterns like
/etc/group*
withsystems-files
as they're not supported:So the fix here is to give read & write access to the entire
/etc
folder. But it still doesn't work because the folder structure is all messed up inside the snap since we're mounting/etc
withsystem-files
and also creating a virtual file system/etc
withlayout
:Which means that changes made to files like
/etc/group
do not appear on the host's file system. Getting rid of the/etc/landscape-client.conf
layout fixes this.4. Permission issues writing to
/etc/shadow
&/etc/gshadow
At this point we can write to
/etc/group
but can't write to/etc/gshadow
which means that adding users isn't yet working. If we check thejournalctl
logs, we see:In the
SECCOMP
log, we find that we're attempting to do syscall 93 which is fchown which is being blocked by seccomp/AppArmor. We can confirm this by checking landscape client's AppArmor profile and see that thechown
capability is not enabled/set:Luckily, the account control interface grants us this capability:
from snapd/interfaces/builtin/account_control.go#L99
Which also updates our seccomp profile (
cat /var/lib/snapd/seccomp/bpf/snap.landscape-client.landscape-client.src
):5. Can't create home directories for new users
Next, we realize that we can't create home directories for new users:
Adding the
home
interface still leads to the same error. It seems like we don't have write access even though the folder is loaded asread-write
?If we add
/home
tosystem-files
it still fails due tochown
but we're able to create the user's home directory: