Permission denied when trying to access user files


#1

When I test my snap on another machine I get permission denied errors. I tried booting it up in a shell: sudo snap run --shell myapp
In the shell, I can ls /home/, but I get permission denied trying to ls /home/user/.
In my snapcraft I have the following plugs in my app: command section:
plugs: [home, unity7, x11, desktop, desktop-legacy]

Does anyone know why I am getting these permission errors and how to fix it?
Thanks.


#2

Is your /home/user linked to an external filesystem?


#3

No I don’t think so.


#4

What is the ownership of your /home/user directory?


#5

The result of df is:

Filesystem 1K-blocks Used Available Use% Mounted on
udev 8124060 0 8124060 0% /dev
tmpfs 1630124 157556 1472568 10% /run
/dev/sda2 106047592 66027216 34610432 66% /
tmpfs 8150616 11832 8138784 1% /dev/shm
tmpfs 5120 4 5116 1% /run/lock
tmpfs 8150616 0 8150616 0% /sys/fs/cgroup
/dev/loop1 90112 90112 0 100% /snap/core/5328
/dev/loop0 89088 89088 0 100% /snap/core/4917
/dev/loop3 89088 89088 0 100% /snap/core/5145
/dev/loop4 202752 202752 0 100% /snap/vlc/365
/dev/loop2 199936 199936 0 100% /snap/vlc/555
/dev/sda1 523248 3496 519752 1% /boot/efi
tmpfs 1630124 84 1630040 1% /run/user/1000
/dev/loop5 98560 98560 0 100% /snap/myapp/12
/dev/loop6 98560 98560 0 100% /snap/myapp/13
/dev/loop7 127104 127104 0 100% /snap/myapp/14

The ownership is drwxr-xr-x

Sorry about the formatting, I don’t know how to use multiple spaces in this.


#6

You’ve probably already checked this, but it happens to me a lot. Is the home plug actually connected? It’s not auto connect strict confinement.


#7

Thank you for the suggestion. When doing snap interfaces | grep home it shows myapp as one of the entries.

Edit: You were right, I think. I didn’t fully understand strict confinement. I guess I need classic confinement. Thank you.
For anyone looking back on this, here are the docs for confinement:
https://docs.snapcraft.io/reference/confinement


#8

Snapd does auto-connect the home interface, so the files under your home directory (with the exception of the hidden files right under it, and the home directory isn’t a symbolic link to another location) should always be accessible.

Here’s the doc for all the interfaces specification: Interfaces


#9

Are there any security denials in journalctl at the time of the denial? If so, please paste them.
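
One way to triage the denials asked about in #9, as an added example that is not part of the original thread: it parses journal lines in the kernel audit format AppArmor uses, keeps the ones for a given snap's profiles, and flags hidden paths directly under a home directory, which #8 says the home interface does not cover. The sample lines are constructed, and the /home/<user> layout and the snap name myapp are assumptions.

```python
import re
from collections import Counter

# Constructed journal lines in the kernel audit format that AppArmor denials
# use; "myapp" is the snap name from the thread, all other values are made up.
SAMPLE_LOG = '''\
Sep 03 10:15:01 host kernel: audit: type=1400 audit(1535969701.101:301): apparmor="DENIED" operation="open" profile="snap.myapp.myapp" name="/home/user/" pid=4242 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Sep 03 10:15:09 host kernel: audit: type=1400 audit(1535969709.555:302): apparmor="DENIED" operation="open" profile="snap.myapp.myapp" name="/home/user/.ssh/config" pid=4250 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 03 10:15:09 host kernel: audit: type=1400 audit(1535969709.600:303): apparmor="DENIED" operation="open" profile="snap.vlc.vlc" name="/etc/shadow" pid=4300 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 03 10:15:12 host systemd[1]: Started Session 7 of user user.
'''

# key="quoted value" or key=bare_value pairs inside an audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A dot-file or dot-directory directly under /home/<user>/ (assumed layout)
HIDDEN_IN_HOME = re.compile(r'^/home/[^/]+/\.[^/]+')


def parse_denials(log_text, snap_name):
    """Return one dict per AppArmor denial logged for the snap's profiles."""
    denials = []
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue
        if not fields.get("profile", "").startswith(f"snap.{snap_name}."):
            continue
        path = fields.get("name", "")
        denials.append({
            "path": path,
            "comm": fields.get("comm", ""),
            "denied_mask": fields.get("denied_mask", ""),
            "hidden_in_home": bool(HIDDEN_IN_HOME.match(path)),
            # True when the accessing uid differs from the file owner's uid
            "uid_mismatch": fields.get("fsuid") != fields.get("ouid"),
        })
    return denials


def summarize(denials):
    """Count denials per (path, denied_mask) so repeated hits collapse."""
    return Counter((d["path"], d["denied_mask"]) for d in denials)


if __name__ == "__main__":
    for denial in parse_denials(SAMPLE_LOG, "myapp"):
        print(denial)
```

On a real system the input would be the text of the kernel journal (journalctl -k) captured around the time of the failure.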


#10

Only on non-UbuntuCore systems … when running on top of an UbuntuCore image home does not get auto-connected IIRC