snap-confine

/var/lib/extrausers is wrong in all-snap

Bug #1630492 reported by Zygmunt Krynicki
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snap-confine
Fix Released
Critical
Zygmunt Krynicki
snap-confine 1.0.43
snap-confine (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned

Bug Description

On an all-snap system the /var/lib/extrausers directory contains additional system users that augment the read-only database in /etc/.

Snap-confine contains a quirk system that is meant to run only on classic systems. The quirk system constructs an artificial copy of /var/lib/ that contains data from the core snap as well as arbitrary data from the classic filesystem (e.g. the /var/lib/lxd directory).

The code should not run on an all-snap system because it makes no sense and because it actually collides with the already correctly set up /var/lib/extrausers.

See original description
Zygmunt Krynicki (zyga)
Changed in snap-confine:
status: New → In Progress
assignee: nobody → Zygmunt Krynicki (zyga)
milestone: none → 1.0.43
importance: Undecided → Critical
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This is being fixed by the following pull request: https://github.com/snapcore/snap-confine/pull/163

Zygmunt Krynicki (zyga)
description: updated
Zygmunt Krynicki (zyga)
Changed in snap-confine:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand)
Changed in snap-confine:
status: Fix Committed → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Zygmunt, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.43-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snap-confine (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1

---------------
snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
    LXD containers (LP: #1630789)

 -- Jamie Strandboge <email address hidden> Thu, 06 Oct 2016 12:29:59 +0000

Changed in snap-confine (Ubuntu):
status: New → Fix Released
Revision history for this message
Leo Arias (elopio) wrote :

This bug and fix don't affect snap-confine in a classic system, and zyga already verified it in an all-snaps system.

So I'm going to mark it as verified. Thanks Andy.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1~16.04.1

---------------
snap-confine (1.0.43-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * Backport from 16.10 (LP: #1630040)

snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
    LXD containers (LP: #1630789)

snap-confine (1.0.42-0ubuntu3) yakkety; urgency=medium

  * allow snap-confine to mount on /dev/pts/ptmx for LXD with /dev/ptmx
    symlink

snap-confine (1.0.42-0ubuntu2) yakkety; urgency=medium

  * add mmap to AppArmor policy for snap-confine for running snap-confine
    under LXD on 4.8 kernels

snap-confine (1.0.42-0ubuntu1) yakkety; urgency=medium

  * New upstream release
  * Drop patch skip-nsfs-magic-tests-on-old-kernels.patch (applied upstream)

snap-confine (1.0.41-0ubuntu2) yakkety; urgency=medium

  * add skip-nsfs-magic-tests-on-old-kernels.patch to disable NSFS tests on
    kernels older than 3.19 (LP: #1625565)

snap-confine (1.0.41-0ubuntu1) yakkety; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.41
  * Drop all patches (included upstream).
  * Add version to apparmor run-time dependency.

snap-confine (1.0.40-1) unstable; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.40
  * Drop apparmor profile from the debian/ directory and install it straight
    from upstream package. This is now automatically consistent with package
    configuration prefix.
  * Drop patch: prctl-compatibility.patch(applied upstream)
  * Add directory /var/lib/snapd/void to snap-confine
  * Add patch: 0001-Don-t-shellcheck-files-spread-prepare-script.patch that
    fixes make check due to a mistake upstream.
  * Add patch: 0001-Stop-using-deprecated-readdir_r.patch (LP: #1615615)

snap-confine (1.0.39-1) unstable; urgency=medium

  * New upstream release.
  * Remove d/patches/01_lp1606277.patch, applied upstream.

snap-confine (1.0.38-3) unstable; urgency=medium

  * debian/patches/prctl-compatibility.patch: add shadow definitions for
    compatibility with older kernel headers.
  * drop build-dependency on shellcheck, which is not used at build time
    and doesn't exist in trusty.
  * make ubuntu-core-launcher "arch:any" to workaround an issue in
    rm_conffile which does not deal with changing architectures
  * fix log-observer interface regression (LP: #1606277)

snap-confine (1.0.38-2) unstable; urgency=medium

  * Fix invocations of rm_conffile.
  * Update d/usr.lib.snapd.snap-confine to the latest upstream version to
    ensure content-sharing fully works.

snap-confine (1.0.38-1) unstable; urgency=medium

  * New upstream release.

 -- Jamie Strandboge <email address hidden> Thu, 06 Oct 2016 14:51:26 +0000

Changed in snap-confine (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for snap-confine has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.