Outside snap:

--

$ cmp Junk/rode_muur.jpg Junk/rode_muur_root.jpg 
(no output, files are equal)

--

Inside Chromium snap confinement:

--

[snap]$ cmp Junk/rode_muur.jpg Junk/rode_muur_root.jpg 
cmp: Junk/rode_muur_root.jpg: Permission denied

--

[snap]$ stat Junk/rode_muur_root.jpg 
  File: Junk/rode_muur_root.jpg
  Size: 64773           Blocks: 128        IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 11017147    Links: 1
Access: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-08-29 21:39:39.249598358 +0200
Modify: 2022-08-27 18:08:23.703069049 +0200
Change: 2022-08-27 18:08:28.839077299 +0200
 Birth: -

--

[snap]$ diff -pu <(stat Junk/rode_muur.jpg) <(stat Junk/rode_muur_root.jpg)
--- /dev/fd/63  2022-08-29 21:42:55.718167721 +0200
+++ /dev/fd/62  2022-08-29 21:42:55.722167732 +0200
@@ -1,8 +1,8 @@
-  File: Junk/rode_muur.jpg
+  File: Junk/rode_muur_root.jpg
   Size: 64773          Blocks: 128        IO Block: 4096   regular file
-Device: fd01h/64769d   Inode: 11017139    Links: 1
-Access: (0664/-rw-rw-r--)  Uid: ( 1000/  walter)   Gid: ( 1000/  walter)
-Access: 2022-08-29 21:39:47.185621370 +0200
-Modify: 2022-08-27 18:08:17.979060004 +0200
-Change: 2022-08-27 18:08:17.979060004 +0200
+Device: fd01h/64769d   Inode: 11017147    Links: 1
+Access: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (    0/    root)
+Access: 2022-08-29 21:39:39.249598358 +0200
+Modify: 2022-08-27 18:08:23.703069049 +0200
+Change: 2022-08-27 18:08:28.839077299 +0200
  Birth: -

--

Can't tell from stat that I'm disallowed. In fact, if I have group read
perms, I still cannot read it:

--

[snap]$ id
uid=1000(walter) gid=1000(walter) groups=1000(walter),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),30(dip),46(plugdev),113(lpadmin),128(sambashare),139(docker)

--

[snap]$ ls -l Junk/rode_muur*
-rw-rw-r-- 1 walter walter 64773 aug 27 18:08 Junk/rode_muur.jpg
-rw-rw-r-- 1 root   root   64773 aug 27 18:08 Junk/rode_muur_root.jpg
-rw-rw-r-- 1 root   walter 64773 aug 27 18:08 Junk/rode_muur_rootuser.jpg

--

[snap]$ cmp Junk/rode_muur.jpg Junk/rode_muur_rootuser.jpg 
cmp: Junk/rode_muur_rootuser.jpg: Permission denied

--

[snap]$ stat Junk/rode_muur_rootuser.jpg
  File: Junk/rode_muur_rootuser.jpg
  Size: 64773           Blocks: 128        IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 11017142    Links: 1
Access: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: ( 1000/  walter)
Access: 2022-08-29 21:39:39.249598358 +0200
Modify: 2022-08-27 18:08:23.703069049 +0200
Change: 2022-08-29 21:47:17.446925673 +0200
 Birth: -

--

FYI, /etc has different confinement, where root files _can_ be read:

--

[snap]$ ls -lda /etc
drwxr-xr-x 179 root root 12288 aug 28 16:49 /etc

--

[snap]$ ls /etc/
ls: cannot open directory '/etc/': Permission denied

--

[snap]$ ls -l /etc/hostname
-rw-r--r-- 1 root root 20 jun 16  2020 /etc/hostname

--

[snap]$ cat /etc/hostname
walter-tretton.kiwi

--

Versions:

--

$ snap version
snap    2.56.2+22.04ubuntu1
snapd   2.56.2+22.04ubuntu1
series  16
ubuntu  22.04
kernel  5.15.0-41-generic

--

$ snap list | grep chrom
chromium            104.0.5112.79               2051   latest/stable  canonical**  -

--

$ namei -l /home/walter/Junk/rode_muur_root.jpg 
f: /home/walter/Junk/rode_muur_root.jpg
drwxr-xr-x root   root   /
drwxr-xr-x root   root   home
drwx------ walter walter walter
drwxr-xr-x walter walter Junk
-rw-rw-r-- root   root   rode_muur_root.jpg

--

I don't think I have anything exotic here. My homedir is 0700, but
changing that to 0755 did not change anything.

The files are all on the same / ext4 filesystem (encrypted lvm).

--

Firefox in Snap appears to suffer from the same problem:

--

$ snap run --shell firefox

--

[snap]$ cmp Junk/rode_muur.jpg Junk/rode_muur_root.jpg 
cmp: rode_muur_root.jpg: Permission denied

--

Let me know if I can get you any other info. I have 0 clue how the
confinement rules are configured in snap, so I don't know how to list
that.

Walter

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1987945

Title:
  [snap] chromium does not read root-owned files, but reports useless
  errors

Status in chromium-browser package in Ubuntu:
  Incomplete

Bug description:
  Today, I literally spent hours trying to figure out why I couldn't
  upload a large file.

  Of course I thought the problem was the size of the file.

  It wasn't. The problem was that Chromium in Snap for some reason is
  confined so that it can SEE file-owned-by-root.zip, but NOT READ
  file-owned-by-root.zip.

  I tried to upload the big file onto a PsiTransfer webpage. And it
  simply stalled. The apache2 backend reported 400-errors and I got no
  useful info out of that.

  Chromium itself reported this in the Networking tab:

    PATCH https://PSITRANSFER_HOST/path  net::ERR_FAILED

  Which is totally useless. In no way could I expect that the ultimate
  cause was that the local file was not owned by me.

  _If I can see the file, and I have read-permissions on it, I expect
  that I can upload the file._

  Another example:

  $ ls -l ~/Junk/rode_muur*
  -rw-rw-r-- 1 walter walter 64773 aug 27 18:08 /home/walter/Junk/rode_muur.jpg
  -rw-rw-r-- 1 root   root   64773 aug 27 18:08 /home/walter/Junk/rode_muur_root.jpg

  Trying to upload rode_muur_root.jpg to e.g.
  https://www.filestack.com/fileschool/html/html-file-upload-tutorial-example/
  yields this error-page:

    This site can’t be reached
    The webpage at https://www.filestack.com/fileschool/html/html-file-upload-tutorial-example/fileupload.php might be temporarily down or it may have moved permanently to a new web address.
    ERR_ACCESS_DENIED

  That does not tell me that there is a problem with the local file.
  That looks like a remote problem, am I right?

  What would be the fix?

  - Either don't show the file, if you're not letting me access it;
  - or let me access the file;
  - or, if that isn't possible, give me a reasonable error message.
    Having to look in journalctl [1] as root to find out why a client
    application is misbehaving is just not acceptable.

  [1] # journalctl -t audit -n1 -o cat
  AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/walter/Junk/rode_muur_root.jpg" pid=768825 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


  (I know that I'll be complaining to deaf ears. You have your reasons
  for putting all the browsers in snap. But from a user's perspective,
  this whole snap thing has been One Giant Disappointment. I'm actually
  considering moving to alternative distros after more than 10 perfectly
  satisfactory years on Ubuntu.)
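
Added example (not part of the original report, and not snapd or Chromium code): a small triage helper that turns an AppArmor audit record like the one in [1] into a readable message and flags the `fsuid`/`ouid` mismatch, which is consistent with a profile rule restricted by AppArmor's `owner` qualifier. The function names and the second sample record are constructed for illustration; the mismatch flag is a hint to inspect the profile, not proof of the cause.

```python
import re

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Constructed input: record 1 is the denial quoted in the bug description,
# record 2 is a made-up denial with a hex-encoded name and matching uids.
SAMPLE = [
    'AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" '
    'name="/home/walter/Junk/rode_muur_root.jpg" pid=768825 '
    'comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" '
    'name=' + "/home/walter/a b.txt".encode().hex().upper() + ' pid=1 '
    'comm="cmp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, quoted, bare in PAIR.findall(line):
        value = bare or quoted
        # Names with spaces or special characters are logged unquoted
        # and hex-encoded by the audit subsystem; decode those.
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = value
    return rec

def explain(line):
    """Summarise one denial and flag an owner mismatch (fsuid != ouid)."""
    rec = parse_denial(line)
    if rec is None or "name" not in rec:
        return None
    fsuid, ouid = rec.get("fsuid"), rec.get("ouid")
    mismatch = None not in (fsuid, ouid) and fsuid != ouid
    msg = (f'{rec.get("profile")}: {rec.get("operation")} denied on '
           f'{rec["name"]!r} (mask {rec.get("denied_mask")})')
    if mismatch:
        msg += (f"; file owner uid {ouid} differs from process fsuid {fsuid}, "
                "check whether the matching profile rule is 'owner'-qualified")
    return {"path": rec["name"], "owner_mismatch": mismatch, "message": msg}

if __name__ == "__main__":
    for record in SAMPLE:
        print(explain(record)["message"])
```

Feeding it the output of the `journalctl -t audit -o cat` command from [1] gives one line per denial; mode bits shown by `stat` or `ls -l` play no part in this decision, which is why they look permissive in the transcript above.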
