The home interface and sudo

Hey folks. I find myself in the situation of thinking something used to work, and now it doesn’t, and I’m questioning my sanity a little. Can someone shed some light on this?

Let’s take a snap with the home plug connected. I initially discovered this because my CI started failing when using the review-tools snap, so let’s use that as an example.

In my CI process, I build a snap in docker, running as root, which results in a snap on disk that is owned by root, within the CI user’s home directory (which is not root). For all of my recent memory my CI process has been running sudo review-tools.snap-review <snap> with success. However, that has recently started failing with permission errors, and I can duplicate it locally. I think it really stems down to the fact that, when running a snap app as sudo, I can no longer access the invoking user’s home directory; only root’s:

$ snap run --shell review-tools.snap-review <<< 'ls /home/kyrofa/'
 Desktop
 Documents
 <snip>

$ sudo snap run --shell review-tools.snap-review <<< 'ls /home/kyrofa/'
ls: cannot open directory '/home/kyrofa/': Permission denied

Am I right that this behavior has changed recently, or did something else in my CI process break on me?

Huh, I really can’t get it to work in CI regardless of the combination (try without sudo, chown the snap to $USER and try without sudo, or with sudo). All of them end up giving me this traceback from the review tools:

Caught exception (setting rc=1 and continuing):
Traceback (most recent call last):
  File "/snap/review-tools/1284/bin/snap-review", line 103, in _run_module_checks
    module, self.pkg_fn, overrides=overrides, report_type=report_type
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/modules.py", line 94, in init_main_class
    ob = init_object(pkg_file, overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_declaration.py", line 34, in __init__
    SnapReview.__init__(self, fn, "declaration-snap-v2", overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_common.py", line 304, in __init__
    Review.__init__(self, fn, review_type, overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 233, in __init__
    UNPACK_DIR = unpack_pkg(fn)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 747, in unpack_pkg
    if is_squashfs(pkg):
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 755, in is_squashfs
    with open(filename, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/home/circleci/nextcloud-snap/nextcloud_16.0.7snap2+git12.36bbeac_amd64.snap'
Caught exception (setting rc=1 and continuing):
Traceback (most recent call last):
  File "/snap/review-tools/1284/bin/snap-review", line 103, in _run_module_checks
    module, self.pkg_fn, overrides=overrides, report_type=report_type
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/modules.py", line 94, in init_main_class
    ob = init_object(pkg_file, overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_functional.py", line 33, in __init__
    SnapReview.__init__(self, fn, "functional-snap-v2", overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_common.py", line 304, in __init__
    Review.__init__(self, fn, review_type, overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 233, in __init__
    UNPACK_DIR = unpack_pkg(fn)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 747, in unpack_pkg
    if is_squashfs(pkg):
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 755, in is_squashfs
    with open(filename, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/home/circleci/nextcloud-snap/nextcloud_16.0.7snap2+git12.36bbeac_amd64.snap'
Caught exception (setting rc=1 and continuing):
Traceback (most recent call last):
  File "/snap/review-tools/1284/bin/snap-review", line 103, in _run_module_checks
    module, self.pkg_fn, overrides=overrides, report_type=report_type
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/modules.py", line 94, in init_main_class
    ob = init_object(pkg_file, overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_lint.py", line 42, in __init__
    SnapReview.__init__(self, fn, "lint-snap-v2", overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_common.py", line 304, in __init__
    Review.__init__(self, fn, review_type, overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 233, in __init__
    UNPACK_DIR = unpack_pkg(fn)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 747, in unpack_pkg
    if is_squashfs(pkg):
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 755, in is_squashfs
    with open(filename, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/home/circleci/nextcloud-snap/nextcloud_16.0.7snap2+git12.36bbeac_amd64.snap'
Caught exception (setting rc=1 and continuing):
Traceback (most recent call last):
  File "/snap/review-tools/1284/bin/snap-review", line 103, in _run_module_checks
    module, self.pkg_fn, overrides=overrides, report_type=report_type
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/modules.py", line 94, in init_main_class
    ob = init_object(pkg_file, overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_security.py", line 47, in __init__
    SnapReview.__init__(self, fn, "security-snap-v2", overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/sr_common.py", line 304, in __init__
    Review.__init__(self, fn, review_type, overrides=overrides)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 233, in __init__
    UNPACK_DIR = unpack_pkg(fn)
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 747, in unpack_pkg
    if is_squashfs(pkg):
  File "/snap/review-tools/1284/lib/python3.6/site-packages/reviewtools/common.py", line 755, in is_squashfs
    with open(filename, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/home/circleci/nextcloud-snap/nextcloud_16.0.7snap2+git12.36bbeac_amd64.snap'
nextcloud_16.0.7snap2+git12.36bbeac_amd64.snap: RUNTIME ERROR

@jdstrand, do you see any clues in that?

I don’t know that this necessarily changed recently, but I can confirm that most snaps using the home interface cannot read users’ home directories as root. This is by design, and snaps that need to access user files in $HOME, etc. as root should use the read: all attribute for the home interface. See Home access as root from confined snaps.

Also, fun fact, you can use -c ... instead of <<< here:

$ snap run --shell hello-world -c "echo shells are fun"
shells are fun
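
The read: all attribute mentioned in the reply above is set on the snap's home plug. The fragment below is an added example, not taken from the thread or from the review-tools snap; the app name and command are hypothetical, and only the keys relevant to the plug are shown.

```yaml
# snapcraft.yaml fragment (constructed example; "example-reviewer" is a
# hypothetical app name, not the review-tools snap's own definition)
apps:
  example-reviewer:
    command: bin/example-reviewer
    plugs:
      - home

plugs:
  # A plain "home" plug does not let the snap read users' home directories
  # when it runs as root (for example under sudo). Adding the attribute
  # below requests read access to those files as root.
  home:
    read: all
```

snapd does not auto-connect a home plug that carries read: all, so confirm the connection with snap connections <snap> after installing.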

Ah ha, I knew I remembered something about this! Thank you for the pointer. Just this moment I looked closer at my failure logs and noticed that Circle CI was still running them on Trusty. On a whim I set the option to run on Xenial, and all of a sudden my tests started passing again, no other changes necessary. So I still have no clue why things fell apart on me, but I’m no longer blocked.

Fun fact indeed! Does it pass all the args onto the shell, then?

Indeed it does:

$ snap run --shell hello-world --version
GNU bash, version 4.3.48(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.