[snap] Access to file denied if not owner but in correct group
Categories
(Firefox Build System :: Third Party Packaging, defect, P3)
Tracking
(firefox126 affected)
Tracking | Status
---|---
firefox126 | affected
People
(Reporter: mathieualbi33, Assigned: bandali)
References
(Blocks 2 open bugs)
Details
(Keywords: snap)
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Steps to reproduce:
- Using firefox 126.0.1 snap on Ubuntu 22.04
- Create a file in user home directory
- Change owner of the file but keep the group untouched
- Open the file with firefox
echo "test" > ~/test.txt
sudo chown root ~/test.txt
firefox ~/test.txt
Real-world scenario is opening a PDF file I do not own but I'm part of the file group that has read access. The workaround for now is to not use Firefox to open such PDFs.
Actual results:
Firefox displays an error message:
"Access to the file was denied
The file at /home/user/test.txt is not readable.
It may have been removed, moved, or file permissions may be preventing access.
"
Expected results:
The user is part of the group of the same name, so it should have access to the file even if it is not the owner. The access should follow the group read permission, as ls -l ~/test.txt gives
-rw-rw-r-- 1 root user 5 mai 30 10:40 test.txt
Opening the file with nano or gedit, for example, works as expected.
Comment 1•4 months ago
The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•4 months ago
I can confirm that a snap-installed Firefox v126.0.1 will not open a text file created in the user's home directory whose owner was changed but whose group was kept untouched. The steps in comment 0 were used to reproduce on Ubuntu 22.
Thank you for your report!
Comment 3•4 months ago
This looks like a snap problem to me; either way it's not a Firefox frontend issue that the OS wrappers from XPCOM claim we cannot access the file.
Comment 4•4 months ago
Can you confirm you are having the issue with firefox ~/test.txt? I'm wondering if it has anything to do with ownership at all; it sounds more like a limitation of the snap sandbox that prevents us from opening files passed on the CLI? See bug 1800350.
You could try to open via the portal; I think if you do File -> Open it should bring you the XDG Document Portal.
Comment 5•4 months ago
Hm, not only do I reproduce, but it's not the same as bug 1800350;
I can see this in the logs:
juin 07 14:32:44 portable-alex kernel: audit: type=1400 audit(1717763564.993:20553): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/alex/test.txt" pid=3407849 comm=53747265616D5472616E73202331 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
juin 07 14:32:44 portable-alex kernel: audit: type=1400 audit(1717763564.994:20554): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/alex/test.txt" pid=3407849 comm="FSBroker3408064" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Definitely blocked by AppArmor.
Ownership:
$ id
uid=1000(alex) gid=1000(alex) groupes=1000(alex),[...]
$ ls -haln test.txt
-rw-r--r-- 1 0 1000 233 mars 23 2008 test.txt
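The two audit lines above carry the diagnostic signal: the denial is on a path under the user's home, and fsuid (the process, uid 1000) differs from ouid (the file owner, uid 0). That is the footprint of an AppArmor rule carrying the `owner` qualifier, which matches only when the acting uid owns the file and never consults group bits. The following added example (not code from this bug, Firefox, or snapd) parses kernel AppArmor audit lines and flags denials with that footprint. The sample input is constructed: the first two lines are copies of the ones quoted in comment 5, the last two are invented for contrast (an owner-matching denial under home, and a denial outside home). The classification heuristic and the /home/ prefix are assumptions of this example.

```python
"""Flag AppArmor file denials that look like `owner`-rule mismatches.

Added example, not code from the bug report or from Firefox/snapd.
Heuristic (an assumption of this example): a DENIED open on a path under
home where fsuid != ouid is what an `owner`-qualified rule produces; group
read permission on the file is irrelevant to such a rule.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input. Lines 1-2 mirror the audit lines in comment 5;
# lines 3-4 are invented for contrast and do not come from the report.
SAMPLE_AUDIT = """\
kernel: audit: type=1400 audit(1717763564.993:20553): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/alex/test.txt" pid=3407849 comm=53747265616D5472616E73202331 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1717763564.994:20554): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/alex/test.txt" pid=3407849 comm="FSBroker3408064" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1717763570.100:20555): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/alex/.ssh/id_ed25519" pid=3407849 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1717763575.200:20556): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=3407849 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare-token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _decode_comm(raw: str) -> str:
    """The audit subsystem hex-encodes comm when it contains spaces or
    non-printable bytes (the first sample line is 'StreamTrans #1')."""
    if re.fullmatch(r"[0-9A-Fa-f]+", raw) and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            return raw
    return raw


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        else:
            fields[key] = _decode_comm(bare) if key == "comm" else bare
    return fields


def classify_denial(rec: Dict[str, str], home_prefix: str = "/home/") -> str:
    """Label one parsed record.

    'owner-mismatch-in-home': DENIED under home_prefix with fsuid != ouid,
        i.e. the process is not the file owner; group bits never matter.
    'denied-other': any other DENIED record.
    'not-denied': not a denial at all.
    """
    if rec.get("apparmor") != "DENIED":
        return "not-denied"
    path = rec.get("name", "")
    if path.startswith(home_prefix) and rec.get("fsuid") != rec.get("ouid"):
        return "owner-mismatch-in-home"
    return "denied-other"


def owner_rule_denials(text: str, home_prefix: str = "/home/") -> List[Dict[str, str]]:
    """Return every record in `text` classified as an owner mismatch under home."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and classify_denial(rec, home_prefix) == "owner-mismatch-in-home":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in owner_rule_denials(SAMPLE_AUDIT):
        print(f"{rec['profile']} comm={rec['comm']!r} {rec['name']} "
              f"fsuid={rec['fsuid']} ouid={rec['ouid']}")
```

On a real system the input would be `journalctl -k` or `dmesg` output filtered on apparmor="DENIED"; the script only needs the fields shown. Because the check keys on fsuid versus ouid rather than on the file's mode bits, it reports exactly the case this bug describes: a file the user can read by group membership that the profile still refuses.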
Comment 6•4 months ago
Amin, can you check if it's a regression or a known issue of AppArmor? Or if we should file a bug upstream ?
Comment 7•4 months ago
According to the Canonical folks who got back to me about this, this is indeed the expected behaviour of the current AppArmor rules for Firefox in /var/lib/snapd/apparmor/profiles/snap.firefox.firefox
and I believe isn't a regression. I've asked if it would make sense to amend things to allow this use-case of also checking read permissions for files in the user's home directory via group membership when the owner is different, and will provide updates here when I hear back.
Comment 8•3 months ago
The severity field is not set for this bug.
:gerard-majax, could you have a look please?
For more information, please visit BugBot documentation.
Comment 9•3 months ago
Amin, have you got any news? Do you have an upstream bug to link, maybe?
Comment 10•3 months ago