Cannot create user data directory: /home/domain/user/snap/skype/118: Permission denied

foghorn_sanitize · March 30, 2020, 12:10pm

I’ve installed snapd and classic Skype and VS Code on my ubuntu 18.04 in corporate network.

However whenever I try to start any of the apps, I’m getting the error, despite permissions are intact:

alderben@v0001exu0000273:~$ skype
cannot create user data directory: /home/mycompany/alderben/snap/skype/118: Permission denied
alderben@v0001exu0000273:~$ cd /home/mycompany/alderben/snap/skype/118
alderben@v0001exu0000273:~/snap/skype/118$ mkdir test
alderben@v0001exu0000273:~/snap/skype/118$ rmdir test 
alderben@v0001exu0000273:~/snap/skype/118$ echo qqq > test.tml
alderben@v0001exu0000273:~/snap/skype/118$ echo qqq > test.tmp
alderben@v0001exu0000273:~/snap/skype/118$ rm test.tm
test.tml  test.tmp  
alderben@v0001exu0000273:~/snap/skype/118$ rm test.tm
test.tml  test.tmp  
alderben@v0001exu0000273:~/snap/skype/118$ rm test.tm*
alderben@v0001exu0000273:~/snap/skype/118$ 
alderben@v0001exu0000273:~/snap/skype/118$ sudo service snapd status
[sudo] password for alderben: 
● snapd.service - Snappy daemon
   Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: en
   Active: active (running) since Wed 2020-03-25 17:16:06 MSK; 4 days ago
 Main PID: 920 (snapd)
    Tasks: 17 (limit: 4915)
   CGroup: /system.slice/snapd.service
           └─920 /usr/lib/snapd/snapd

Warning: Journal has been rotated since unit was started. Log output is incomple

just tried hello-world, it’s all the same.

alderben@v0001exu0000273:~/snap/skype/118$ hello-world

Command 'hello-world' not found, but can be installed with:

sudo snap install hello-world

alderben@v0001exu0000273:~/snap/skype/118$ sudo snap install hello-world
hello-world 6.4 from Canonical✓ installed
alderben@v0001exu0000273:~/snap/skype/118$ hello-world
cannot create user data directory: /home/mycompany/alderben/snap/hello-world/29: Permission denied

Any tips where even to start diagnostics?

lucyllewy · March 30, 2020, 12:48pm

This is because your home folder is not /home/$USER but has an extra path element: /home/company/$USER. The apparmor rules do not account for this so you get denied accesses.

jdstrand · March 30, 2020, 5:27pm

AppArmor is not the real problem here as a properly configured apparmor with @{HOMEDIRS} tunable will work fine. The issue is snap-confine expects things in /home, not /some/where/else and this is not currently supported. There are other topics that discuss this in detail, but the current workaround would be to bind mount /home/company/$USER onto /home/$USER (symlink won’t work).

foghorn_sanitize · March 31, 2020, 6:13am

thanks, unfortunately home path is not my choice, it’s default for PAM.

Anyhow, aside from just bind-mounting, which I’ve done (and this alone didn’t help), I guess I also must update PAM configuration to somehow force using new mount for my home when I log in OR to update home directory path after I’ve logged in.
However an hour of googling around I’ve not found how to do either, or even where is config for PAM users homedir path (I know it’s usually in LDAP, however in my case I need to substitute it somehow without modifying actual LDAP).

P. S. export HOME=/home/mycompany_alderben (with bind mounted dir ofc) deceives bash, but snapd keeps poking original directory.

foghorn_sanitize · March 31, 2020, 7:43am

okay, so I ended up updating /etc/sssd/sssd.conf:

override_homedir = /home/%d_%u

(was /home/%d/%u).

with added /etc/fstab line:

/home/mycompany/alderben /home/mycompany_alderben none defaults,bind 0 0

Now it totally works. Thanks all!