Permissions problem with some of snap packages after updating ubuntu from 20.04 to 22.04

Hi. After upgrading Ubuntu (20.04 -> 22.04), some of packages, and first of all Firefox (whose default package manager was forcedly replaced from apt to snap in the new Ubuntu) get problems with permission rights. For example, I cannot save any downloaded files from Firefox in any directory. Also, I cannot install new extensions (although my settings and extensions from the previous installation have been kept) or cannot choose Firefox as the default browser. Similarly, in telegram-desktop and chrome I cannot upload/download files from default ~/Downloads (although other directories are accessible for these snaps, unlike Firefox). If I create a new system user which did not exist in my system before the upgrade, everything though works ok for that user. Please help

Can you provide the output of snap connections firefox ?

Hi, yes sure.

Interface                 Plug                            Slot                             Notes
audio-playback            firefox:audio-playback          :audio-playback                  -
audio-record              firefox:audio-record            :audio-record                    -
avahi-observe             firefox:avahi-observe           :avahi-observe                   -
browser-support           firefox:browser-sandbox         :browser-support                 -
camera                    firefox:camera                  :camera                          -
content[gnome-3-38-2004]  firefox:gnome-3-38-2004         gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     firefox:gtk-3-themes            gtk-common-themes:gtk-3-themes   -
content[icon-themes]      firefox:icon-themes             gtk-common-themes:icon-themes    -
content[sound-themes]     firefox:sound-themes            gtk-common-themes:sound-themes   -
cups-control              firefox:cups-control            :cups-control                    -
dbus                      -                               firefox:dbus-daemon              -
desktop                   firefox:desktop                 :desktop                         -
desktop-legacy            firefox:desktop-legacy          :desktop-legacy                  -
gsettings                 firefox:gsettings               :gsettings                       -
hardware-observe          firefox:hardware-observe        :hardware-observe                -
home                      firefox:home                    :home                            -
joystick                  firefox:joystick                :joystick                        -
mpris                     -                               firefox:mpris                    -
network                   firefox:network                 :network                         -
network-observe           firefox:network-observe         -                                -
opengl                    firefox:opengl                  :opengl                          -
personal-files            firefox:dot-mozilla-firefox     :personal-files                  -
removable-media           firefox:removable-media         :removable-media                 -
screen-inhibit-control    firefox:screen-inhibit-control  :screen-inhibit-control          -
system-files              firefox:etc-firefox-policies    :system-files                    -
system-packages-doc       firefox:system-packages-doc     :system-packages-doc             -
u2f-devices               firefox:u2f-devices             :u2f-devices                     -
unity7                    firefox:unity7                  :unity7                          -
upower-observe            firefox:upower-observe          :upower-observe                  -
wayland                   firefox:wayland                 :wayland                         -
x11                       firefox:x11                     :x11                             -

The interfaces appear to be connected. Perhaps it’s something with portals again. Maybe @oSoMoN has some ideas.

@mborzecki What do you mean by “something with portals”?

BTW Snap is not doing itself a favor by obscuring these simple access problems. Firefox snap cannot access any dot file or dot directory, except .mozilla/firefox (which can be seen in /snap/firefox/current/snap/snapcraft.yaml). Why is it so hard to find what the access rules are?

The only “solutions” you find on the Internet for this problem is to uninstall firefox snap and go back to deb or install flatpack.

$ snap interface home | grep summary
summary: allows access to non-hidden files in the home directory

i find it pretty precise in its description …

And now something for the hidden files please.

if you can give a single valid reason why any $SNAPPED_GAME from $EVIL_JOHN_DOE should have access to my mom’s thunderbird passwords, browser history or banking data stored in hidden dirs (for a reason !) … i can point you to the personal-files interface that will allow the app you are planning to snap to access select hidden dirs after a long-winded manual security review of your code …

beyond this, what exactly would be the use case to create a highly secured enterprise, medical and industrial ready packaging system to then allow apps to cause havoc, steal other apps data, secrets and whatnot ?

I assumed we were talking about Mozilla Firefox.

Why is it suddenly a problem for firefox to be able to read “hidden” files? And why allow non-hidden files? Don’t they contain sensitive information?

The reason I want my firefox to be able to read hidden files is because Rust has several of its books in the ~/.rustup/toolchains/ tree. Now, if I run the command rustup docs --book I get an “Access to the file was denied” from firefox.

can you please link the bugreport you filed about this on the firefox bugtracker here as well ? we can surely point the firefox snap maintainers to it to speed up its fixing (by probably adding a personal-files interface as described above for the respective dir that you could then manually connect)

After reading the personal-files-interface documentation [1] I have decided to uninstall firefox snap. My alternative choices are: deb PPA package [2], or flatpak [3]. I’m not sure yet which I will install.

well, this is sad, then the bug will never be fixed for anyone … i.e. like the one below just got fixed:

(a fix could long have been committed to the edge channel in the tree days we were discussing here, if you simply had filed it)