many: try to clear up the uid/gid thing when run as snap

Meulengracht · Feb 14, 2025 · 3854fbe · 3854fbe
1 parent 120d3d7
commit 3854fbe
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 4 deletions.
diff --git a/libs/containerv/linux/utils.c b/libs/containerv/linux/utils.c
@@ -214,7 +214,7 @@ int containerv_switch_user_with_capabilities(uid_t uid, gid_t gid)
         return status;
     }
 
-    if (getgid() == 0 || getegid() == 0) {
+    if (gid != 0 && (getgid() == 0 || getegid() == 0)) {
         VLOG_ERROR("containerv[child]", "failed to drop the root capabilities, aborting\n");
         return status;
     }

diff --git a/libs/platform/osutils/linux/getuserdir.c b/libs/platform/osutils/linux/getuserdir.c
@@ -20,11 +20,28 @@
 #include <pwd.h>
 #include <string.h>
 
+#ifdef CHEF_AS_SNAP
+#include <stdlib.h>
+unsigned int __get_snap_uid(void)
+{
+    char* uidstr = getenv("SNAP_UID");
+    if (uidstr == NULL) {
+        // fallback
+        return getuid();
+    }
+    return (unsigned int)atoi(uidstr); 
+}
+#endif
+
 int platform_getuserdir(char* buffer, size_t length)
 {
     struct passwd* pw;
-
+
+#ifdef CHEF_AS_SNAP
+    pw = getpwuid(__get_snap_uid());
+#else
     pw = getpwuid(getuid());
+#endif
     if (pw == NULL) {
         return -1;
     }

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -9,6 +9,7 @@ description: |
 base: core22
 grade: stable
 confinement: strict
+assumes: [snap-uid-envvars]
 
 apps:
   bake:

diff --git a/tools/bake/main.c b/tools/bake/main.c
@@ -189,6 +189,19 @@ static int __file_exists(const char* path)
     return platform_stat(path, &stats) == 0 ? 1 : 0;
 }
 
+#ifdef CHEF_AS_SNAP
+#include <stdlib.h>
+unsigned int __get_snap_uid(void)
+{
+    char* uidstr = getenv("SNAP_UID");
+    if (uidstr == NULL) {
+        // fallback
+        return getuid();
+    }
+    return (unsigned int)atoi(uidstr); 
+}
+#endif
+
 int main(int argc, char** argv, char** envp)
 {
     struct command_handler*     command = &g_commands[2]; // build step is default
@@ -201,17 +214,25 @@ int main(int argc, char** argv, char** envp)
 #if __linux__
     // make sure we're running with root privileges
     if (geteuid() != 0 || getegid() != 0) {
-        VLOG_ERROR("kitchen", "should be executed with root privileges, aborting.\n");
+        fprintf(stderr, "bake: should be executed with root privileges, aborting.\n");
         errno = EPERM;
         return -1;
     }
 
     // make sure we're not actually running as root
+#ifdef CHEF_AS_SNAP
+    if (__get_snap_uid() == 0) {
+        fprintf(stderr, "bake: should not be run as root, aborting.\n");
+        errno = EPERM;
+        return -1;
+    }
+#else
     if (getuid() == 0 || getgid() == 0) {
-        VLOG_ERROR("kitchen", "should not be run as root, aborting.\n");
+        fprintf(stderr, "bake: should not be run as root, aborting.\n");
         errno = EPERM;
         return -1;
     }
+#endif
 #endif
 
     // first argument must be the command if not --help or --version