Replacing Postinst Scripts
Jamie Strandboge
jamie at canonical.com
Thu Nov 19 15:08:24 UTC 2015
On 11/18/2015 10:22 PM, Ted Gould wrote:
> On Wed, 2015-11-18 at 17:06 -0800, robert_joslyn at selinc.com wrote:
>> Is there a good way to handle debian postinst scripts in Snappy? I have
>> some debs that create users and set up configuration files during the
>> postinst stage, and I would like to include these debs in a larger snap.
>> How do I handle user creation and placing configuration files into
>> $SNAP_APP_DATA_PATH? Is my application expected to do this on first run?
>> Can I specify user creation and the user a service will run as in the
>> package.yaml (or snapcraft.yaml)?
>
> There isn't a way to have a script run at install time currently. I haven't
> heard any discussion of that, but the snaps I've built do any init they need on
> first run.
>
> I'm not sure what you're using extra users for, but generally speaking the
> individual snap confinement makes using users for privilege separation not
> needed in most cases. I don't believe that we have a permission to allow a snap
> to create users today, so it would have to be unconfined.
>
The current security policy does not allow creating users because that violates
application isolation.

The plan has always been that at some point we should expose the (optional) yaml
declaration for per-app user(s) (based on the package name to preserve app
namespacing/isolation) then snappy install would create these. In addition to
that, the launcher needs to implement seccomp argument filtering (for chown,
setuid calls, etc. to that user) and security policy generation needs to be
updated to allow these. Perhaps during the 16.04 cycle we can nail down the yaml
and get the work scheduled (it is currently in the snappy team's backlog).
--
Jamie Strandboge http://www.ubuntu.com/
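
The first-run initialisation described in the thread, sketched as an added example (not code from this thread or from Snappy): a wrapper function that seeds `$SNAP_APP_DATA_PATH` from defaults shipped inside the snap before the service starts. The function name, the `.initialized` marker and the defaults-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: replaces a deb postinst's "install config files" step with
# idempotent first-run setup. Names here are hypothetical, not Snappy APIs.

# first_run_init DEFAULTS_DIR DATA_DIR
#   Copies each regular file from DEFAULTS_DIR into DATA_DIR unless a file of
#   that name already exists, then writes a marker so later starts skip the work.
first_run_init() {
    defaults_dir=$1
    data_dir=$2
    marker="$data_dir/.initialized"

    if [ ! -d "$defaults_dir" ]; then
        echo "first_run_init: no defaults dir: $defaults_dir" >&2
        return 1
    fi
    if [ -e "$marker" ]; then
        return 0                          # already initialised
    fi
    (
        umask 077                         # config may hold secrets: owner-only
        mkdir -p "$data_dir" || exit 1
        for src in "$defaults_dir"/*; do
            [ -f "$src" ] || continue     # skip directories and an unmatched glob
            dst="$data_dir/$(basename "$src")"
            # Never overwrite (or follow) something already in the data dir.
            if [ -e "$dst" ] || [ -L "$dst" ]; then
                continue
            fi
            tmp="$dst.tmp.$$"
            # Copy to a temp name and rename, so a crash never leaves a
            # half-written config behind.
            cp "$src" "$tmp" && mv "$tmp" "$dst" || { rm -f "$tmp"; exit 1; }
        done
        : > "$marker"                     # written last: a failed run is retried
    )
}

# Wrapper entry point: first-run.sh DEFAULTS_DIR service-binary [args...]
# Runs only inside a snap (SNAP_APP_DATA_PATH set) with a command to start.
if [ -n "${SNAP_APP_DATA_PATH:-}" ] && [ "$#" -ge 2 ]; then
    defaults=$1; shift
    first_run_init "$defaults" "$SNAP_APP_DATA_PATH" && exec "$@"
fi
```

Because the marker is written only after every copy succeeds, an interrupted first start is retried on the next one, and existing files in the data directory are left untouched.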