Outside snap:
--
$ cmp Junk/rode_muur.jpg Junk/rode_muur_root.jpg
(no output, files are equal)
--
Inside Chromium snap confinement:
--
[snap]$ cmp Junk/rode_muur.jpg Junk/rode_muur_root.jpg
cmp: Junk/rode_muur_root.jpg: Permission denied
--
[snap]$ stat Junk/rode_muur_root.jpg
File: Junk/rode_muur_root.jpg
Size: 64773 Blocks: 128 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 11017147 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-08-29 21:39:39.249598358 +0200
Modify: 2022-08-27 18:08:23.703069049 +0200
Change: 2022-08-27 18:08:28.839077299 +0200
Birth: -
--
[snap]$ diff -pu <(stat Junk/rode_muur.jpg) <(stat Junk/rode_muur_root.jpg)
--- /dev/fd/63 2022-08-29 21:42:55.718167721 +0200
+++ /dev/fd/62 2022-08-29 21:42:55.722167732 +0200
@@ -1,8 +1,8 @@
- File: Junk/rode_muur.jpg
+ File: Junk/rode_muur_root.jpg
 Size: 64773 Blocks: 128 IO Block: 4096 regular file
-Device: fd01h/64769d Inode: 11017139 Links: 1
-Access: (0664/-rw-rw-r--) Uid: ( 1000/ walter) Gid: ( 1000/ walter)
-Access: 2022-08-29 21:39:47.185621370 +0200
-Modify: 2022-08-27 18:08:17.979060004 +0200
-Change: 2022-08-27 18:08:17.979060004 +0200
+Device: fd01h/64769d Inode: 11017147 Links: 1
+Access: (0664/-rw-rw-r--) Uid: ( 0/ root) Gid: ( 0/ root)
+Access: 2022-08-29 21:39:39.249598358 +0200
+Modify: 2022-08-27 18:08:23.703069049 +0200
+Change: 2022-08-27 18:08:28.839077299 +0200
 Birth: -
--
Can't tell from stat that I'm disallowed. In fact, if I have group read perms, I still cannot read it:
--
[snap]$ id
uid=1000(walter) gid=1000(walter) groups=1000(walter),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),30(dip),46(plugdev),113(lpadmin),128(sambashare),139(docker)
--
[snap]$ ls -l Junk/rode_muur*
-rw-rw-r-- 1 walter walter 64773 aug 27 18:08 Junk/rode_muur.jpg
-rw-rw-r-- 1 root root 64773 aug 27 18:08 Junk/rode_muur_root.jpg
-rw-rw-r-- 1 root walter 64773 aug 27 18:08 Junk/rode_muur_rootuser.jpg
--
[snap]$ cmp Junk/rode_muur.jpg Junk/rode_muur_rootuser.jpg
cmp: Junk/rode_muur_rootuser.jpg: Permission denied
--
[snap]$ stat Junk/rode_muur_rootuser.jpg
File: Junk/rode_muur_rootuser.jpg
Size: 64773 Blocks: 128 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 11017142 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 0/ root) Gid: ( 1000/ walter)
Access: 2022-08-29 21:39:39.249598358 +0200
Modify: 2022-08-27 18:08:23.703069049 +0200
Change: 2022-08-29 21:47:17.446925673 +0200
Birth: -
--
FYI, /etc has different confinement, where root files _can_ be read:
--
[snap]$ ls -lda /etc
drwxr-xr-x 179 root root 12288 aug 28 16:49 /etc
--
[snap]$ ls /etc/
ls: cannot open directory '/etc/': Permission denied
--
[snap]$ ls -l /etc/hostname
-rw-r--r-- 1 root root 20 jun 16 2020 /etc/hostname
--
[snap]$ cat /etc/hostname
walter-tretton.kiwi
--
Versions:
--
$ snap version
snap 2.56.2+22.04ubuntu1
snapd 2.56.2+22.04ubuntu1
series 16
ubuntu 22.04
kernel 5.15.0-41-generic
--
$ snap list | grep chrom
chromium 104.0.5112.79 2051 latest/stable canonical** -
--
$ namei -l /home/walter/Junk/rode_muur_root.jpg
f: /home/walter/Junk/rode_muur_root.jpg
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ walter walter walter
drwxr-xr-x walter walter Junk
-rw-rw-r-- root root rode_muur_root.jpg
--
I don't think I have anything exotic here. My homedir is 0700, but changing that to 0755 did not change anything. The files are all on the same / ext4 filesystem (encrypted lvm).
--
Firefox in Snap appears to suffer from the same problem:
--
$ snap run --shell firefox
--
[snap]$ cmp Junk/rode_muur.jpg Junk/rode_muur_root.jpg
cmp: rode_muur_root.jpg: Permission denied
--
Let me know if I can get you any other info. I have 0 clue how the confinement rules are configured in snap, so I don't know how to list that.

Walter

--
https://bugs.launchpad.net/bugs/1987945

Title:
[snap] chromium does not read root-owned files, but reports useless errors

Status in chromium-browser package in Ubuntu:
Incomplete

Bug description:

Today, I literally spent hours trying to figure out why I couldn't upload a large file. Of course I thought the problem was the size of the file. It wasn't. The problem was that Chromium in Snap for some reason is confined so that it can SEE file-owned-by-root.zip, but NOT READ file-owned-by-root.zip.

I tried to upload the big file onto a PsiTransfer webpage. And it simply stalled. The apache2 backend reported 400-errors and I got no useful info out of that. Chromium itself reported this in the Networking tab:

PATCH https://PSITRANSFER_HOST/path net::ERR_FAILED

Which is totally useless. In no way could I expect that the ultimate cause was that the local file was not owned by me.

_If I can see the file, and I have read-permissions on it, I expect that I can upload the file._

Another example:

$ ls -l ~/Junk/rode_muur*
-rw-rw-r-- 1 walter walter 64773 aug 27 18:08 /home/walter/Junk/rode_muur.jpg
-rw-rw-r-- 1 root root 64773 aug 27 18:08 /home/walter/Junk/rode_muur_root.jpg

Trying to upload rode_muur_root.jpg to e.g. https://www.filestack.com/fileschool/html/html-file-upload-tutorial-example/ yields this error-page:

This site can’t be reached
The webpage at https://www.filestack.com/fileschool/html/html-file-upload-tutorial-example/fileupload.php might be temporarily down or it may have moved permanently to a new web address.
ERR_ACCESS_DENIED

That does not tell me that there is a problem with the local file. That looks like a remote problem, am I right?

What would be the fix?

- Either don't show the file, if you're not letting me access it;
- or let me access the file;
- or, if that isn't possible, give me a reasonable error message.

Having to look in journalctl [1] as root to find out why a client application is misbehaving is just not acceptable.

[1]
# journalctl -t audit -n1 -o cat
AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/walter/Junk/rode_muur_root.jpg" pid=768825 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

(I know that I'll be complaining to deaf ears. You have your reasons for putting all the browsers in snap. But from a user's perspective, this whole snap thing has been One Giant Disappointment. I'm actually considering moving to alternative distros after more than 10 perfectly satisfactory years on Ubuntu.)
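
An added example, not part of the bug report and not snapd or Chromium code: it parses AppArmor audit records like the one quoted under [1] and flags denials where `fsuid` differs from `ouid` for a path under the home directory, which is the pattern an AppArmor `owner` rule produces. The second sample record, the `/home/` prefix and the function names are assumptions made for illustration.

```python
import shlex

# Constructed input: the first record is the AVC line quoted in the bug
# description; the second is a made-up denial outside the home directory.
SAMPLE = [
    'AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" '
    'name="/home/walter/Junk/rode_muur_root.jpg" pid=768825 '
    'comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" '
    'name="/etc/" pid=768830 comm="ls" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
]


def parse_avc(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    fields = {}
    for token in shlex.split(line):  # shlex strips the quotes around values
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(fields, home_prefix="/home/"):
    """Heuristic: a denial under home_prefix (assumed default home location)
    where the caller's fsuid differs from the file owner's uid (ouid) points
    at an 'owner' rule that did not match."""
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    fsuid, ouid = fields.get("fsuid"), fields.get("ouid")
    under_home = fields.get("name", "").startswith(home_prefix)
    if under_home and fsuid and ouid and fsuid != ouid:
        return "owner-mismatch"
    return "path-not-allowed"


def explain(line):
    """Turn one audit record into a message that names the local cause."""
    f = parse_avc(line)
    kind = classify(f)
    if kind == "owner-mismatch":
        return (f"{f['profile']}: '{f['denied_mask']}' on {f['name']} denied; "
                f"file owner uid {f['ouid']} != process uid {f['fsuid']}")
    if kind == "path-not-allowed":
        return f"{f['profile']}: '{f['denied_mask']}' on {f['name']} denied by path"
    return "no AppArmor denial in this record"
```

Feeding it the output of `journalctl -t audit -o cat` line by line gives one explanation per denial; file names that the audit subsystem hex-encodes (for example, names containing spaces) are not decoded here.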