LDAP user cannot run snap application

When trying to diagnose a problem with a fresh installation of LXD using snap, I tried a simpler snap app and had the same problem. I did the following:

  1. sudo snap install hello-world
  2. As local user run: hello-world (success)
  3. As LDAP user run: hello-world (received the following)
    cannot create user data directory: /home/ldapuser/snap/hello-world/29: Permission denied

I noticed the following in /var/log/syslog:
May 18 12:47:18 [myhost] kernel: [263369.012491] audit: type=1400 audit(1589820438.818:50): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/home/ldapuser/" pid=8173 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=50224 ouid=50224

Can anyone direct me to the likely problem? Thanks.

John

Hi,

it looks like those log messages have been edited to elide some details. Unfortunately that means we cannot be certain that the edits aren’t obscuring the actual error. Can you re-paste the log messages without editing them, please?

The snap-confine policy has @{HOME}/ r,. Did you update something in /etc/apparmor.d/tunables/home or /etc/apparmor.d/tunables/home.d? Please provide the output of:

$ apparmor_parser -p /etc/apparmor.d/usr.lib.snapd.snap-confine* | grep HOME

Thank you for replying. @lucyllewy, yes, I changed the host hostname, the home directory of the user (it was more like /home/primarygroup/username), and the uid numbers (not actually knowing what was valuable to obfuscate). But that was it.

@jdstrand, I hadn’t updated anything (manually) in /etc/apparmor.d/tunables. I simply installed Ubuntu Server 20.04, installed libpam-ldap using apt (and configured it to work with our LDAP system), and configured LXD (sudo lxd init), which I had done many times before, but not on 20.04.

I did change nsswitch.conf to replace:
passwd: files systemd
group: files systemd
shadow: files
with:
passwd: files ldap
group: files ldap
shadow: files ldap

I will certainly admit that I don’t understand how snap interacts with the system, so it’s a mystery to me.

Here’s the output you requested:

$ apparmor_parser -p /etc/apparmor.d/usr.lib.snapd.snap-confine* | grep HOME
# @{HOME} is a space-separated list of all user home directories. While
@{HOME}=@{HOMEDIRS}/*/ /root/
# @{HOMEDIRS} is a space-separated list of where user home directories
@{HOMEDIRS}=/home/
# @{HOMEDIRS}.
# here are appended to @{HOMEDIRS}.  See tunables/home for details. Eg:
#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/
# here are appended to @{HOMEDIRS}.  See tunables/home for details.
#@{HOMEDIRS}+=
# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
    # - for $HOME on NFS
    # - for $HOME on encrypted media
    @{HOMEDIRS}/ r,
    @{HOME}/ r,
    @{HOME}/snap/{,*/,*/*/} rw,
    # encrypted ~/.Private and old-style encrypted $HOME
    @{HOME}/.Private/ r,
    @{HOME}/.Private/** mrixwlk,
    # new-style encrypted $HOME
    @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
    @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

This is the issue. Please see Support for non /home homedirs


Yes! Thank you. That’s a lesson for me regarding my attempts at obfuscation.


So everything is working now, thank you very much.

I am curious if I should be concerned about the output after reloading the profiles with:

$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*

which was this:

Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.activate (/var/lib/snapd/apparmor/profiles/snap.lxd.activate line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.benchmark (/var/lib/snapd/apparmor/profiles/snap.lxd.benchmark line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.check-kernel (/var/lib/snapd/apparmor/profiles/snap.lxd.check-kernel line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.buginfo (/var/lib/snapd/apparmor/profiles/snap.lxd.buginfo line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.daemon (/var/lib/snapd/apparmor/profiles/snap.lxd.daemon line 588): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.hook.remove (/var/lib/snapd/apparmor/profiles/snap.lxd.hook.remove line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.lxc (/var/lib/snapd/apparmor/profiles/snap.lxd.lxc line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.lxc-to-lxd (/var/lib/snapd/apparmor/profiles/snap.lxd.lxc-to-lxd line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.migrate (/var/lib/snapd/apparmor/profiles/snap.lxd.migrate line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
Warning from /var/lib/snapd/apparmor/profiles/snap.lxd.lxd (/var/lib/snapd/apparmor/profiles/snap.lxd.lxd line 540): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.

That is a good question but ‘no’. The lxd-support interface, which is reserved for only the lxd snap, requires the use of ‘ux’ for the exec transition to ‘aa-exec’. For this snap it is normal, but if you were writing your own apparmor policy (i.e., for non-snapped applications) you would typically want to avoid this (see ‘man apparmor.d’ for details).

Hi everyone,

As I understand it, making a bind mount should fix the issue.
Unfortunately I can’t make it work even with the fix.
Maybe I missed an option of some sort?

My (mis)step:

$ sudo mkdir /home/userdir
$ sudo mount --bind /home/local/orgdir/userdir /home/userdir
$ hello-world
cannot create user data directory: /home/local/orgdir/userdir/snap/hello-world/29: Permission denied

Thanks

As your home directory is under /home it should be possible to get things working.

As it isn’t a direct subdirectory of /home, it doesn’t work out of the box. You will probably need to edit /etc/apparmor.d/tunables/home.d/site.local to add the parent of your home directory.

You will probably need to uninstall and reinstall the snap in order to regenerate the AppArmor security policy after this change.

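Added example, not part of this thread or of snapd: a small POSIX shell script that automates the diagnosis the thread walks through. It pulls the denied path out of a snap-confine audit(1400) line, checks whether that home directory is a direct child of one of the @{HOMEDIRS} entries (which is what `@{HOME}=@{HOMEDIRS}/*/` requires), and prints the `@{HOMEDIRS}+=` line to append to /etc/apparmor.d/tunables/home.d/site.local when it is not. The audit line and the `/home/local/orgdir/userdir` path are constructed from the posts above; `live_homedirs` is the only function that touches the real system and it is not called by the demo. The script does not reload or regenerate the policy; that is still the reinstall-the-snap (or reboot) step from the answer above.

```shell
#!/bin/sh
# Added example (not from the thread): map a snap-confine AppArmor denial to the
# @{HOMEDIRS} tunable and print the site.local line that would cover it.
# All data below is constructed; nothing here writes to /etc/apparmor.d.

# Constructed audit line modelled on the one in the thread, with the nested
# home directory from the later post (hypothetical path).
SAMPLE_AUDIT='May 18 12:47:18 myhost kernel: [263369.012491] audit: type=1400 audit(1589820438.818:50): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/home/local/orgdir/userdir/" pid=8173 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=50224 ouid=50224'

# Constructed @{HOMEDIRS} value, as the stock Ubuntu 20.04 tunable defines it.
SAMPLE_HOMEDIRS='/home/'

# Extract the value of name="..." from an audit(1400) line.
denied_path() {
    printf '%s\n' "$1" | sed -n 's/.* name="\([^"]*\)".*/\1/p'
}

# Parent of a home directory, with the trailing slash AppArmor tunables use.
# Accepts the path with or without a trailing slash.
home_parent() {
    p=${1%/}
    printf '%s/\n' "${p%/*}"
}

# Return 0 if home directory $1 is a *direct* child of an entry in the
# space-separated @{HOMEDIRS} list $2; @{HOME}=@{HOMEDIRS}/*/ matches only that.
homedirs_cover() {
    parent=$(home_parent "$1")
    for d in $2; do
        [ "${d%/}/" = "$parent" ] && return 0
    done
    return 1
}

# The line to append to /etc/apparmor.d/tunables/home.d/site.local.
site_local_line() {
    printf '@{HOMEDIRS}+=%s\n' "$(home_parent "$1")"
}

# Read the effective @{HOMEDIRS} list from the live snap-confine policy, the
# same way the thread does (apparmor_parser -p). Collects both the base
# "@{HOMEDIRS}=" value and any "@{HOMEDIRS}+=" additions from tunables/home.d.
# Not called by the demo; use it on a real host in place of SAMPLE_HOMEDIRS.
live_homedirs() {
    apparmor_parser -p /etc/apparmor.d/usr.lib.snapd.snap-confine* 2>/dev/null \
        | sed -n 's/^@{HOMEDIRS}+\{0,1\}=//p' | tr '\n' ' '
}

# Full diagnosis for one audit line and one @{HOMEDIRS} list. Prints either
# "covered" or the tunable line to add; returns 1 when a fix is needed,
# 2 when the line carries no name= field.
diagnose() {
    path=$(denied_path "$1")
    [ -n "$path" ] || { echo "no name= field in audit line" >&2; return 2; }
    if homedirs_cover "$path" "$2"; then
        echo "covered: $path is a direct child of @{HOMEDIRS} ($2)"
        return 0
    fi
    echo "not covered: $path; append to /etc/apparmor.d/tunables/home.d/site.local:"
    site_local_line "$path"
    return 1
}

# Stand-alone demo on the constructed data.
diagnose "$SAMPLE_AUDIT" "$SAMPLE_HOMEDIRS" || true
```

On a host, run `diagnose "$(grep -m1 'snap-confine.*DENIED' /var/log/syslog)" "$(live_homedirs)"`; once the printed line is in site.local and the snap policy has been regenerated, re-running it against the new `live_homedirs` output reports the directory as covered.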

It works!

This is the only step required (with a reboot).

Thanks :)