Permission denied on launch


#1

Hi there,

Having a look at some of the snap packages available.

I was having a go with the vscode snap, and on launch I’m getting permissions errors:

cannot create user data directory: $HOME/snap/vscode/10: Permission denied

I had a look at the permissions in there, and my user definitely owns it. Is there something snap specific I’m missing with permissions?


#2

Thanks for this report! What distribution/version/architecture are you using (snap version will give a lot of useful information)? When you get the “permission denied” error, do you see an apparmor denial in your “dmesg” output (please run: dmesg|grep DENIED) right after you get the error?

Fwiw, the error seems to come from snap-confine:setup_user_data(). I suspect the issue is https://bugs.launchpad.net/snapcraft/+bug/1620771 - is your homedir in an unusual location maybe?


#3

I’m on Ubuntu Budgie 17.04, x64.

snap version
snap    2.25+17.04
snapd   2.25+17.04
series  16
ubuntu  17.04
kernel  4.10.0-21-generic

And yes, the home dir is in an odd location (sort of). The machine is active directory integrated, and it creates the home folder at /home/tld/domain/username rather than /home/username/. So it is in the home directory, but 2-3 levels down.

I just tried the snap on my home computer and the app launched without issue.


#4

Hey!

Can you please check if $HOME/snap/ is owned by root by any chance? If so, can you sudo chown -R $USER.$USER $HOME/snap and report if that fixes it for you?

EDIT: Ah, I read the subsequent post where you say it uses a non-standard home layout. For that you need something else… let me find it and I will update this post with instructions.

Ok, so you want to look at https://bugs.launchpad.net/snapcraft/+bug/1620771 - one comment there has the relevant hint

Or drop a file into /etc/apparmor.d/tunables/home.d that has:
@{HOMEDIRS}+=/media/Dane/.home/

So edit /etc/apparmor.d/tunables/home.d/ and include your layout there. Then reboot (for simplicity) to see if this fixes the issue for you.


#5

Hey Zyga,

I just circled back to this, and the fixes described at the link did not resolve the issue. I had forgotten it as I was not using snaps on my work machine, but was circling back on a fresh build. Do note that my home directory is still in the /home folder, but nested a little deeper in the /home/local/DOMAIN/user format.


#6

What did you change? What denials did you see? Did you reload the profiles after making the change?

I would expect you to create /etc/apparmor.d/tunables/home.d/my-modifications with:

@{HOMEDIRS}+=/home/local/DOMAIN/

then you can run: sudo rm -f /var/cache/apparmor/snap.* ; sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.*

The rm makes sure that on reboot the cache files will be regenerated by the system and the parser command makes sure your changes take effect immediately.


#7

Hello @jdstrand.

I had done exactly what you had just outlined. I had even done the cache removal and reboot a few times to be safe. Both times I encountered the same error as originally reported.

Out of curiosity, I relocated my home directory to the traditional location, reinstalled the snap, and all worked fine.

So the home directory is the issue for sure (confirmed) on my system.


#8

I realize your system is not using the broken location any more, but if/when you go back to it, can you perform all the steps I mentioned, try to launch vscode, then if you get a permission denied error, report back the output of ‘grep DEN /var/log/syslog’?


#9

Hello, I seem to have the same problem, I have a box where I put the home directories on another filesystem shared with other uses. So /home still exists but my personal home directory and some other ones I’ve placed under /space/home. I installed the golang snap and like the other reported when I try to run it I get:

smally$ go build
cannot create user data directory: /space/home/jbj1/snap/go/1016: Permission denied

In dmesg:
[ 566.610253] audit: type=1400 audit(1517043966.386:41): apparmor="DENIED" operation="open" profile="/snap/core/3887/usr/lib/snapd/snap-confine" name="/space/" pid=2341 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Also the data directory above does actually exist–I may have created it when I tried before. Looking at the above message though it seems the executable is attempting to open the top-level directory for some reason.

I tried the steps you outline, I’m using ubuntu 16.04 and I used dpkg-reconfigure and now have

# cat /etc/apparmor.d/tunables/home.d/ubuntu 
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}.  See tunables/home for details.
@{HOMEDIRS}+=/space/home/

Subsequent to doing that I also did the rm … and reparse you recommended in addition to rebooting. Still get the same error. Here’s my snap version info:

$ snap version
snap    2.30
snapd   2.30
series  16
ubuntu  16.04
kernel  4.4.0-112-generic
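
Added example, not part of the post above: a shell filter that pulls the snap-confine denials out of `dmesg` or syslog text and marks the ones whose denied path is an ancestor of the user's home directory, which is the pattern in the log line quoted in post #9. The function names and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise AppArmor denials logged against snap-confine.
# stdin: kernel audit lines; $1: home directory of the affected user.
# Output per denial: operation, denied_mask, path, note.
snap_confine_denials() {
    awk -v home="$1" '
    # Return the value of key="value" from an audit record, or "?".
    function field(line, key) {
        if (!match(line, " " key "=\"[^\"]*\"")) return "?"
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /apparmor="DENIED"/ && / profile="[^"]*snap-confine"/ {
        path = field($0, "name")
        p = path
        sub(/\/$/, "", p)          # compare without the trailing slash
        note = (home == p || index(home, p "/") == 1) ? "ancestor-of-home" : "other"
        print field($0, "operation"), field($0, "denied_mask"), path, note
    }'
}

# Sample input: line 1 is the record from post #9, lines 2 and 3 are constructed.
sample_denials() {
    cat <<'EOF'
[ 566.610253] audit: type=1400 audit(1517043966.386:41): apparmor="DENIED" operation="open" profile="/snap/core/3887/usr/lib/snapd/snap-confine" name="/space/" pid=2341 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 570.000001] audit: type=1400 audit(1517043970.001:42): apparmor="DENIED" operation="open" profile="snap.go.go" name="/etc/shadow" pid=2400 comm="go" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 571.000002] audit: type=1400 audit(1517043971.002:43): apparmor="DENIED" operation="mkdir" profile="/snap/core/3887/usr/lib/snapd/snap-confine" name="/var/tmp/probe" pid=2401 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=1000 ouid=0
EOF
}

sample_denials | snap_confine_denials /space/home/jbj1
```

On a live system, replace `sample_denials` with `dmesg` and pass `"$HOME"` as the argument.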

#10

@jensbjorgensen - please see this other topic which has more up to date information: How can I use snap when I don't use /home/$USER?


#11

Thanks very much, I used a bind mount for /home to get it to work. I feel like this is definitely a workaround though–one is meant to be able to flexibly place home directories anywhere, not just as /home/$USER. On the other hand I get that snap needs to lock down access and simplifies it. I would think at a minimum though the documentation should be updated so you don’t have the impression that it will work, better the documentation just say “you can only use snap if your home directory is either /root or /home/$USER”.


#12

@jensbjorgensen Can you please explain clearly how we can solve this issue. I am new to snap facing same problem. So please help me with this. Thanks in advance


#13

@jeganmsd so first understand the specific problem here was that the user’s home directory didn’t appear under /home/$USER. The only solution I’m aware of is to directly remedy that, ie. make the home directory /home/$USER. Because I am using home directories on another filesystem my workaround was to create a bind mount so that /home exists on the other filesystem and then update /etc/passwd so that the user home dir is /home/$USER.

To put things a bit more concretely, let’s say that when I began I had a filesystem mounted on a different device as /other_device. On that other device I had not only home directories but all kinds of stuff. But let’s say that in that setup my user account joeuser was configured in /etc/passwd as /other_device/home/joeuser. Under that setup snaps won’t run. So I had to create a bind mount entry in /etc/fstab like this:

/other_device/home /home none bind 0 1

Then I had to modify /etc/passwd so joeuser’s home directory is /home/joeuser. After that log out and log back in and snaps will run.


#14

I will look into adding detection of non-standard home directory. We could easily point people towards a page with the workaround.
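
Added example, not part of the thread and not snapd code: one way to detect the non-standard home layouts discussed above by scanning passwd(5) entries. It assumes the rule as stated in post #11 (a home is fine only if it is /root or sits directly under /home), a UID cut-off of 1000 for regular accounts, and constructed sample entries; the function names are hypothetical.

```shell
#!/bin/sh
# Classify one home directory path: "ok" for /root or a directory
# directly under /home, "nonstandard" for anything else.
snap_home_layout() {
    case "$1" in
        /root|/root/)   echo ok ;;
        /home/*/*[!/]*) echo nonstandard ;;   # nested below /home, e.g. AD layouts
        /home/?*)       echo ok ;;
        *)              echo nonstandard ;;   # outside /home, e.g. /space/home/user
    esac
}

# stdin: passwd(5) lines. Prints "user home" for every regular login
# account (UID >= 1000, real shell) whose home fails the check.
nonstandard_homes() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        case "$shell" in */nologin|*/false) continue ;; esac
        [ "$(snap_home_layout "$home")" = ok ] || printf '%s %s\n' "$user" "$home"
    done
}

# Constructed sample entries mirroring the layouts reported in the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
joeuser:x:1001:1001::/other_device/home/joeuser:/bin/bash
aduser:x:1002:1002::/home/local/DOMAIN/aduser:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

sample_passwd | nonstandard_homes
```

On a live system, feed it `getent passwd` instead of `sample_passwd` so that directory-service accounts are included.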