Permissions of .snap files in /var/lib/snapd/snaps

Working on injecting snapcraft into LXD containers, I need to fetch .snap files, push them into the container and install them. I ran into a surprising issue the other day where the permissions are different depending on how a snap was installed.

Installed from the store
root read-write
root read
other read

Side-loaded with --dangerous
root read-write
root none
other none

In the latter case I need to employ sudo to access the files. This seems unexpected because everything in /snap/ is readable for everyone anyway.

Is this a bug? Or are there plans to restrict access to .snap files or mounted snap contents?

2 Likes

Any updates about this, guys?
We hit the same problem and our use case is that we want to push a .snap file which is locally installed with --dangerous --classic on the AWS EC2 instance. But the locally installed snap has a different file permission mode than the others which are installed from the store.

test@ap-southeast:/var/lib/snapd/snaps $ ls -al
total 774240
drwxr-xr-x  3 root root     4096 8月  21 15:45 .
drwxr-xr-x 17 root root     4096 8月  21 15:50 ..
-rw-------  1 root root 18960384 8月  21 15:45 test-tools_x1.snap
-rw-r--r--  2 root root  5152768 8月   7 09:55 canonical-livepatch_41.snap
-rw-r--r--  2 root root  5156864 8月  16 20:02 canonical-livepatch_42.snap
-rw-r--r--  1 root root 91115520 6月  20 08:01 core_4830.snap
-rw-r--r--  1 root root 91099136 7月   3 07:03 core_4917.snap
-rw-r--r--  1 root root 91160576 8月   6 23:01 core_5145.snap
-rw-r--r--  2 root root 47452160 6月  28 21:11 documentation-builder_36.snap
-rw-r--r--  1 root root 41885696 7月  19 09:11 documentation-builder_37.snap
-rw-r--r--  1 root root 41795584 8月  21 04:57 documentation-builder_38.snap
-rw-r--r--  1 root root    20480 12月 12  2017 hello-world_27.snap
-rw-r--r--  1 root root 55033856 6月   7 11:33 juju_4423.snap
-rw-r--r--  2 root root 55275520 7月   3 17:04 juju_4587.snap
-rw-r--r--  2 root root 55300096 7月  26 10:09 juju_4768.snap
-rw-r--r--  1 root root 94785536 6月   7 12:05 multipass_200.snap
-rw-r--r--  1 root root 98590720 6月  29 03:59 multipass_334.snap
drwxr-xr-x  2 root root     4096 12月  1  2017 partial
1 Like

This affects me, too. I’m working on a way to make snaps available for offline install from a USB drive, and I can’t copy over certain snaps without employing sudo. I just installed two snaps: hello-world (via $ snap download hello-world, $ snap ack …, $ snap install …) and gnome-mines (via $ snap install gnome-mines). Both end up with “600 root:root” permissions and ownership.

$ ll /var/lib/snapd/snaps
total 2131252
drwxr-xr-x 3 root root 4096 Oct 5 17:39 ./
drwxr-xr-x 19 root root 4096 Oct 5 17:39 ../
-rw-r--r-- 1 root root 150441984 Aug 31 21:32 chromium_458.snap
-rw-r--r-- 1 root root 141643776 Sep 13 13:26 chromium_471.snap
-rw-r--r-- 1 root root 141651968 Sep 16 20:50 chromium_490.snap
-rw-r--r-- 1 root root 91160576 Aug 6 17:50 core_5145.snap
-rw-r--r-- 1 root root 92164096 Aug 29 22:27 core_5328.snap
-rw-r--r-- 1 root root 92119040 Oct 2 20:52 core_5548.snap
-rw-r--r-- 1 root root 146841600 Apr 26 19:31 gnome-3-26-1604_59.snap
-rw-r--r-- 1 root root 146276352 May 24 21:21 gnome-3-26-1604_64.snap
-rw-r--r-- 1 root root 147722240 Jul 11 08:41 gnome-3-26-1604_70.snap
-rw------- 2 root root 3465216 Oct 5 17:27 gnome-mines_27.snap
-rw------- 2 root root 36323328 Sep 13 13:23 gtk-common-themes_319.snap
-rw-r--r-- 1 root root 44183552 Sep 15 09:39 gtk-common-themes_701.snap
-rw------- 1 root root 20480 Oct 5 17:39 hello-world_27.snap
-rw-r--r-- 1 root root 40521728 Jun 25 11:02 minetest-luk3yx_14.snap
drwxr-xr-x 2 root root 4096 Apr 16 10:41 partial/
-rw-r--r-- 1 root root 148230144 Sep 6 21:23 signal-desktop_83.snap
-rw-r--r-- 1 root root 148238336 Sep 19 04:14 signal-desktop_86.snap
-rw-r--r-- 1 root root 151310336 Sep 23 06:06 signal-desktop_90.snap
-rw-r--r-- 2 root root 148160512 Aug 14 10:32 skype_51.snap
-rw-r--r-- 1 root root 144732160 Sep 12 06:55 skype_54.snap
-rw-r--r-- 1 root root 148623360 Sep 26 21:18 skype_57.snap
-rw-r--r-- 1 root root 5656576 Jul 25 02:47 syncthing_269.snap
-rw-r--r-- 1 root root 6381568 Sep 11 17:02 syncthing_281.snap
-rw-r--r-- 1 root root 6483968 Oct 2 14:11 syncthing_296.snap

I’m sorry, I hadn’t spotted this topic before for some reason.

The permissions of snap files were, indeed, different depending on whether you’d installed it from the store, or installed it from a local file.

This has been fixed on master, and git tells me that change is part of 2.35.4. As of this change, both install paths result in files that are 0600 (-rw-------).

1 Like
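Added example, not code from the thread or from the snapd project: a small POSIX shell audit that reports which .snap files in a directory carry the 0600 mode discussed above (and so cannot be copied without root), alongside the 0644 ones. It assumes Linux with GNU `stat`, and builds a constructed temporary directory mimicking the listings above instead of touching the real /var/lib/snapd/snaps.

```shell
#!/bin/sh
# Audit .snap file modes. Default directory is the one from the thread;
# override with SNAP_DIR=... when running against another location.
SNAP_DIR="${SNAP_DIR:-/var/lib/snapd/snaps}"

# Print the octal permission mode (e.g. 600 or 644) of one file (GNU stat).
snap_mode() {
    stat -c '%a' "$1"
}

# Map a mode to the two cases the thread describes: 644 is what store
# installs used to get, 600 what side-loads got (and, from 2.35.4, what
# every snap file gets). Anything else is flagged as unexpected.
classify_mode() {
    case "$1" in
        644) echo "world-readable" ;;
        600) echo "root-only" ;;
        *)   echo "unexpected($1)" ;;
    esac
}

# Print "<name> <mode> <class>" for every .snap file in a directory.
audit_snap_dir() {
    for f in "$1"/*.snap; do
        [ -e "$f" ] || continue          # unexpanded glob: no .snap files
        m=$(snap_mode "$f")
        printf '%s %s %s\n' "$(basename "$f")" "$m" "$(classify_mode "$m")"
    done
}

# Count the .snap files that need elevated privileges to read
# (awk rather than grep -c so an empty result still exits 0).
count_root_only() {
    audit_snap_dir "$1" | awk '$3 == "root-only" { n++ } END { print n + 0 }'
}

# Constructed sample directory: empty files with the modes seen above.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/core_5145.snap";      chmod 644 "$d/core_5145.snap"
    : > "$d/hello-world_27.snap"; chmod 600 "$d/hello-world_27.snap"
    : > "$d/test-tools_x1.snap";  chmod 600 "$d/test-tools_x1.snap"
    echo "$d"
}

# Run the audit against SNAP_DIR only when asked explicitly.
if [ "${1:-}" = "--audit" ]; then
    audit_snap_dir "$SNAP_DIR"
fi
```

Run it as `sh audit.sh --audit` to see the live directory; a count above zero tells you which copies your offline-install or LXD push step must do with sudo.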