Permission denied error when running apps installed as snap packages - Ubuntu 17.04

Question

I get Permission denied error when running a snap application, where my home directory is mounted on an nfs mount point that does not allow root-write. This is not an unusual configuration, so I consider this a bug.

The error message:

cannot create user data directory: /home/tcumming/snap/vlc/4: Permission denied

Also had the same problem with ubuntu 16.

Some more info as requested:

Using the ubuntu, "Ubuntu Software" I install a snap application (for example, vlc). When I attempt to run it (from the command line), I get the, "Permission denied" message above.

I had just reinstalled Ubuntu on the machine, so there has been no messing around with the OS. I did preserve my uid:gid so I could mount my prior nfs share.

This is not a problem with the mount point, or nfs. Our mount point is not root-writeable for security reasons.

I guess the question is, should I file a bug report? What are my next steps?

Answer 1

I ran into this because my home directory is symlinked from /home/$USER to another mount point. I fixed it with the suggestion from when /home is somewhere else, snaps don't work.

In short, you need to add your non-standard home directory to apparmor's HOMEDIRS variable:

$ sudo dpkg-reconfigure apparmor

or: create a file in /etc/apparmor.d/tunables/home.d/ that points to your home directory's mount point:

@{HOMEDIRS}+=/mnt/hdd/.home/

Then, just for good measure, you should delete apparmor's cache and reboot:

$ sudo rm -f /etc/apparmor.d/cache/* /var/cache/apparmor/snap.*
$ sudo reboot

Answer 2

Same happens in Ubuntu 18.04.

If the user home directory is not under the /home (or /) mount, it not possible to work with snap. My HOMEDIR was on another local SSD disk, but since it was not mounted under /home, every package installed by snap was failing.

Since Canonical is moving to support snap, you will have to loose this kind of nice things, such as HOMEDIRs on other file systems, mounted by NFS, etc.

Maybe snap will be more flexible inthe future, but it is not a priority: https://forum.snapcraft.io/t/how-can-i-use-snap-when-i-dont-use-home-user/3352/6

The workaround right now is to remove snap and install things from *.tar.gz or from *.deb packages.

Answer 3

You can set the permissions of the Snap Application from the Software Store.

The following steps are tested on Ubuntu 20.04 LTS:

• Open Software
• Select the Installed tab. A list of installed software will appear.
• Select the snap package which needs elevated permissions.
• On the detailed view, click the 'Permissions' button.
• Click on the toggle next to 'Read/write files on removable storage devices'.

This method works for mounted harddisks.

References:

• http://www.linuxandubuntu.com/home/snap-application-permissions
• https://forum.obsidian.md/t/configure-snap-for-removable-media/18379

Answer 4

Snap apps are confined to a sandbox by default, for security. If you want snap applications to be able to read/write data in your home directory, you should install them in classic mode. Try:

rclone install --classic vlc

This should work for you.

If application sandboxing is a concern, then you might want to look into firejail.

Answer 5

We use domain with realm, so our path home is not /home, instead /home/MYDOMAINCOMPANY/. I fixed by editing /etc/apparmor.d/tunables/home.d/ubuntu with that line: @{HOMEDIRS}+=/home/MYDOMAINCOMPANY/

After save, just restart some services: systemctl restart apparmor.service snapd.apparmor.service snapd.service snapd.socket

Answer 6

apparmor workaround did not work for me. What worked was these steps for my current home directory "/opt/stack"...

mkdir -p /home/stack
edit /etc/fstab with "/opt/stack /home/stack none defaults,bind 0 0"
mount -a

"mount -a" tells if there are any issues with fstab entries. No need to reboot after making changes to fstab.

Answer 7

I ended up on this AskUbuntu page after getting "Permission denied" (accessing /media) error when trying to open the *.srt file of a movie stored on a USB stick. Unusually, I didn't find a really simple answer here, but then I found this on the Github Subsync page...

sudo snap connect subsync:removable-media

So if I end up here again with the same basic problem I'll be able to figure out for myself how to replace subsync there with [other snap-installed package with same problem].

I don't know if there are any alternatives to removable-media that might also be useful. But if anyone else does know, here would be a good place to put that information - for me, and perhaps others.

Answer 8

All non-privileged users were getting this error with all snaps on Ubuntu 20.04. Adding users to group adm fixed the problem. But that's definitely not a solution. Any ideas why snap apps require that?

Update:

Looks like it was related to my setup. I have the following permissions for /home:

drwxr-x--x 13 root         adm          4096 Sep  1 14:12 /home

And this is permissions for example user home directory:

drwxr-xr-x  7 kubetraining kubetraining 4096 Sep  1 16:39 /home/kubetraining

Apparently, snap tries to list /home, fails, and errors out. But it really shouldn't try to list anything in /home, so it looks like a bug to me.

Answer 9

I experienced the same problem on 20.04 trying to get the github cli (gh) installed via snap to clone a repo over ssh. In the Ubuntu Software entry for gh, I needed to enable ssh-keys: allows reading ssh user configuration and keys. There is also the option to Access files in your home folder.

Answer 10

/tmp was a symlink. Making /tmp not a symlink fixed it for me.

Answer 11

I just wanted to comment on Fabian de Boer's answer, but I do not have enough reputation.

His solution solved my problem where OpenSCAD did not open files on another drive. So there could be this 'Permission denied' problem not only with home directory being elsewhere, but also the working directory being elsewhere.

Anyway the mentioned solution works.