From bdc48e6a3243a7dca78720acfba9fdc0582a644e Mon Sep 17 00:00:00 2001 From: alexzorin Date: Tue, 3 Aug 2021 09:15:46 +1000 Subject: [PATCH] snap: workaround for snapctl crash in plugin hook (#8955) * snap: workaround for snapctl crash in plugin hook * test functionality, not existence --- certbot/CHANGELOG.md | 2 ++ snap/hooks/prepare-plug-plugin | 17 +++++++++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md index f4235b09f..abf12ae81 100644 --- a/certbot/CHANGELOG.md +++ b/certbot/CHANGELOG.md @@ -40,6 +40,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). * The Apache authenticator no longer crashes with "Unable to insert label" when encountering a completely empty vhost. This issue affected Certbot 1.17.0. +* Users of the Certbot snap on Debian 9 (Stretch) should no longer encounter an + "access denied" error when installing DNS plugins. More details about these changes can be found on our GitHub repo. diff --git a/snap/hooks/prepare-plug-plugin b/snap/hooks/prepare-plug-plugin index 045299e04..08738a5ae 100644 --- a/snap/hooks/prepare-plug-plugin +++ b/snap/hooks/prepare-plug-plugin @@ -1,8 +1,21 @@ #!/bin/sh -e -if [ "$(snapctl get trust-plugin-with-root)" = "ok" ]; then +# Workaround for a very old snapctl binary on the host connecting to the wrong socket and crashing. +# Prefer an up-to-date snapctl from the core or snapd snaps, if they exist. We ask users to install +# the core snap in the Certbot installation instructions. +# See https://github.com/certbot/certbot/issues/8922, https://bugs.launchpad.net/snapd/+bug/1933392 +SNAPCTL_CORE="/snap/core/current/usr/bin/snapctl" +SNAPCTL_SNAPD="/snap/snapd/current/usr/bin/snapctl" +SNAPCTL="snapctl" +if $SNAPCTL_CORE get x 2>/dev/null; then + SNAPCTL=$SNAPCTL_CORE +elif $SNAPCTL_SNAPD get x 2>/dev/null; then + SNAPCTL=$SNAPCTL_SNAPD +fi + +if [ "$($SNAPCTL get trust-plugin-with-root)" = "ok" ]; then # allow the connection, but reset config to allow for other slots to go through this auth flow - snapctl unset trust-plugin-with-root + $SNAPCTL unset trust-plugin-with-root exit 0 else echo "Only connect this interface if you trust the plugin author to have root on the system."