/etc/ld.so.conf.d/conjure-up.conf breaks apt on host system
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Invalid | Undecided | Unassigned |
conjure-up (Ubuntu) | Fix Released | Critical | Adam Stokes |

Bug Description
update-manager failed to run today on my system. When I investigated, I found this:
$ sudo apt -f install
apt: relocation error: /usr/lib/
_ZN13pkgSourceL
$ ldd -d -r /usr/lib/
$ cat /etc/ld.
/snap/conjure-
$
The conjure-up snap is bundling a copy of libapt-pkg from xenial, which is incompatible with the libapt-private from yakkety.
I see several things wrong with this.
- conjure-up should not be monkeying with the library path of the host system. It appears to have been doing this for some time already before this current version of the snap; it's only the latest version that has added libapt-pkg to the snap and broken things in a way that I noticed, but it was already broken before this for conjure-up to tamper *at all* with the system path.
- this is not the only change that conjure-up makes to the host system from its configure hook. It also creates a file /usr/lib/
- thirdly, and the reason I'm filing this against snappy: I understand classic snaps being unconfined, by definition. But why does this translate to a classic snap having the power to run an unconfined hook? This is ten times worse than a dpkg maintainer script. For maintainer scripts we have policy around what the script may or may not touch on the filesystem, we have a community process governing who is allowed to upload packages to the Ubuntu archive; for classic snaps we are lacking both of these safeguards. My expectation was that a classic snap would modify the host filesystem only under the user's direction. An unconfined configure hook is a whole other matter entirely.
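
A host-side check for the condition reported above, added here as an example and not part of the original bug report or of snapd/conjure-up: it lists dynamic-linker drop-in entries that place directories under a given prefix on the system library path. The function names, the default `/snap/` prefix and the sample path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit ld.so.conf.d drop-ins for library directories that
# live under a snap mount point (or any other prefix you pass in).

# audit_ld_conf CONF_DIR PREFIX
#   Prints "file:lineno:directory" for each library directory under PREFIX.
#   Returns 1 if at least one such entry exists, 0 otherwise.
#   Typical call: audit_ld_conf /etc/ld.so.conf.d /snap/
audit_ld_conf() {
    conf_dir=${1:-/etc/ld.so.conf.d}
    prefix=${2:-/snap/}
    found=0
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        hits=$(awk -v p="$prefix" '
            # strip comments and surrounding whitespace
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
            # skip blanks and directives that are not directory entries
            $0 == "" || $1 == "include" || $1 == "hwcap" { next }
            # drop an optional "=type" suffix on a directory entry
            { sub(/=.*/, "") }
            index($0, p) == 1 { print FILENAME ":" NR ":" $0 }
        ' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# make_sample_dir: builds a constructed drop-in directory for offline testing
# and prints its path. The snap name and library path below are invented.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample entry' \
        '/snap/example-snap/current/usr/lib  # constructed' \
        > "$d/example-snap.conf"
    printf '%s\n' '/usr/local/lib' > "$d/libc.conf"
    printf '%s\n' "$d"
}
```

After removing an offending drop-in, `ldconfig` must be run as root to rebuild the linker cache before the change takes effect.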
Changed in snappy:
importance: Undecided → Critical
Changed in conjure-up (Ubuntu):
importance: Undecided → Critical
assignee: nobody → Adam Stokes (adam-stokes)
Changed in conjure-up (Ubuntu):
status: Confirmed → Fix Released
The confinement of the config hook is a really good idea; we don't want
a general mechanism to deliver bash to a system, we want a general
mechanism to deliver binaries to a system, and the configuration of
those binaries can reasonably be expected to be confined.