Snappy

snappy install --allow-unauthenticated changes ownership of snap

Bug #1438420 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Snappy
Fix Released
High
Unassigned

Bug Description

snappy install --allow-unauthenticated /tmp/test-snap.jdstrand_1.2.3_all.snap changes the owner of the snap to clickpkg:clickpkg.

Eg:
$ ls -l /tmp
total 12240
-rwxr-xr-x 1 ubuntu ubuntu 12498600 Mar 30 20:04 snappy
-rw-rw-r-- 1 ubuntu ubuntu 31422 Mar 30 20:04 test-snap.jdstrand_1.2.3_all.snap

$ sudo snappy install --allow-unauthenticated /tmp/test-snap.jdstrand_1.2.3_all.snap
Installing /tmp/test-snap.jdstrand_1.2.3_all.snap
2015/03/30 20:05:15 Signature check failed, but installing anyway as requested
snappy package not found ########### what is this?

$ ls -l /tmp
total 12240
-rwxr-xr-x 1 ubuntu ubuntu 12498600 Mar 30 20:04 snappy
-rw-rw-r-- 1 clickpkg clickpkg 31422 Mar 30 20:04 test-snap.jdstrand_1.2.3_all.snap

Note that test-snap.jdstrand_1.2.3_all.snap is now owned by 'clickpkg:clickpkg.

Related branches

lp:~chipaca/snappy/fix-1438420
Michael Vogt (community): Approve
Diff: 264 lines (+74/-38)
6 files modified
clickdeb/deb.go (+35/-17)
clickdeb/deb_test.go (+15/-10)
cmd/snappy/cmd_internal_unpack.go (+8/-6)
snappy/build.go (+6/-1)
snappy/click.go (+7/-3)
snappy/click_test.go (+3/-1)
Michael Vogt (mvo)
Changed in snappy-ubuntu:
status: New → Triaged
importance: Undecided → High
Revision history for this message
James Hunt (jamesodhunt) wrote :

Note that --allow-unauthenticated is not required to see this behaviour.

Revision history for this message
James Hunt (jamesodhunt) wrote :

The attached is sufficient to fix the problem. However, I'd like to know the original reason for chowning the snap. Is it simply an oversight, or maybe it was added to ensure that local .snap's that are root:root 0640 install successfully? If the latter, the attached patch is insufficient.

Revision history for this message
John Lenton (chipaca) wrote : Re: [Bug 1438420] Re: snappy install --allow-unauthenticated changes ownership of snap

why keep the loop at all?

On 9 April 2015 at 14:48, James Hunt <email address hidden> wrote:
> The attached is sufficient to fix the problem. However, I'd like to know
> the original reason for chowning the snap. Is it simply an oversight, or
> maybe it was added to ensure that local .snap's that are root:root 0640
> install successfully? If the latter, the attached patch is insufficient.
>
> ** Patch added: "bug-1438420.patch"
> https://bugs.launchpad.net/snappy-ubuntu/+bug/1438420/+attachment/4370475/+files/bug-1438420.patch
>
> --
> You received this bug notification because you are a member of Snappy
> Developers, which is subscribed to snappy-ubuntu.
> https://bugs.launchpad.net/bugs/1438420
>
> Title:
> snappy install --allow-unauthenticated changes ownership of snap
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snappy-ubuntu/+bug/1438420/+subscriptions

Revision history for this message
James Hunt (jamesodhunt) wrote :

Sure - this isn't a MP, just a "proof-of-concept" until we understand how the bug was introduced :-)

Revision history for this message
John Lenton (chipaca) wrote :

While we figure out how it was introduced (hint: there are no tests for this), I've pushed an MP to fix it.

John Lenton (chipaca)
Changed in snappy-ubuntu:
status: Triaged → Fix Released
Michael Terry (mterry)
affects: snappy-ubuntu → snappy
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.