sudoers.d file, /etc/sudoers.d/99-snapd.conf included with snapd is improperly named and limits PATH under sudo (for most users) to /snap/bin

Bug #1899373 reported by Craig Bender
This bug affects 2 people
Affects    Status     Importance    Assigned to    Milestone
snapd      Triaged    Low           Unassigned

Bug Description

sudo won't process any names with a ~ or a '.' in them*, so the desired outcome, adding /snap/bin to a sudo user's PATH, is not happening due to this file.

$ sudo ls -l /etc/sudoers.d/
total 16
-r--r----- 1 root root 2614 Oct 9 06:19 99-default-user
-r--r----- 1 root root 91 Jul 10 06:59 99-snapd.conf
-r--r----- 1 root root 958 Feb 3 2020 README
-r--r----- 1 root root 666 Sep 26 2019 zfs

You can see that it does not get processed by running `sudo visudo -c`
$ sudo visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/99-default-user: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/zfs: parsed OK

Second issue is that since there's no default "env_keep" configured with sudo, the sudo user's path is limited to "/snap/bin" since 99-snapd.conf is one of the last files executed.

$ sudo mv /etc/sudoers.d/99-snapd{.conf,-conf}
snap-test@orangebox20:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
$ sudo -i bash -c 'set|grep "^SUDO|^PATH"'
-bash: bash: command not found

$ sudo su -
sudo: su: command not found
$ sudo -i /usr/bin/bash
bash: groups: command not found
Command 'lesspipe' is available in the following places
 * /bin/lesspipe
 * /usr/bin/lesspipe
The command could not be located because '/bin:/usr/bin' is not included in the PATH environment variable.
lesspipe: command not found
Command 'dircolors' is available in the following places
 * /bin/dircolors
 * /usr/bin/dircolors
The command could not be located because '/bin:/usr/bin' is not included in the PATH environment variable.
dircolors: command not found

* /etc/sudoers.d/README explains the parsing of sudoers.d
$ sudo cat /etc/sudoers.d/README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
# #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
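
The naming rule from the README quoted above, as an added example that is not part of the original report or of snapd: a shell function that lists which files in a sudoers include directory sudo reads and which it silently skips. The function names and the sample directory are constructed for illustration; only file names are inspected, not contents.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the files in a sudoers
# include directory by the README rule: names that end in '~' or contain
# a '.' are skipped by #includedir.

# Print "parsed<TAB>NAME" or "skipped<TAB>NAME<TAB>REASON" for each regular
# file, in byte-wise sorted order. Returns 2 if DIR is not a directory.
classify_sudoers_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    ls -A "$dir" | LC_ALL=C sort | while IFS= read -r name; do
        [ -f "$dir/$name" ] || continue
        case $name in
            *"~") printf 'skipped\t%s\tends in ~\n' "$name" ;;
            *.*)  printf 'skipped\t%s\tcontains .\n' "$name" ;;
            *)    printf 'parsed\t%s\n' "$name" ;;
        esac
    done
}

# Print only the names sudo would silently ignore.
skipped_sudoers_files() {
    classify_sudoers_dir "$1" | awk -F '\t' '$1 == "skipped" { print $2 }'
}

# Constructed sample: the file names from the listing above plus an editor
# backup. Contents are placeholders; only the names matter here.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for n in 99-default-user 99-snapd.conf README zfs 'zfs~'; do
        echo '# placeholder' > "$d/$n"
    done
    echo "$d"
}

sample=$(make_sample_dir)
classify_sudoers_dir "$sample"
rm -rf "$sample"
```

Pointing `skipped_sudoers_files` at /etc/sudoers.d (as root, since the directory is not world-readable on the system shown) gives the same answer as comparing `ls` against `visudo -c` by hand.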

Zygmunt Krynicki (zyga) wrote :

The incorrect sudoers configuration file was removed in https://github.com/snapcore/snapd/pull/8885 - referencing https://bugs.launchpad.net/snapd/+bug/1882215

It is possible that the file remained across updates as it was likely marked as a conffile. Looking at the snapd.postinst script I do not see any logic removing it.

Changed in snapd:
status: New → Triaged
importance: Undecided → Low
Zygmunt Krynicki (zyga) wrote :

To be clear, I think this issue is fixed but there is a separate issue that the file may have been left behind on upgrade.
