I have now stumbled across this bug again. In addition to the “root_squash” option for nfs, as long as NFSv4 with sec=krb5 is not enabled, we were able to start it successfully by setting the home folder to g+x. We don't understand why, but similar to the previous speaker and +rx by other, we consider this solution unacceptable.
We find it incomprehensible that a system that appears to place such a high priority on security requires the use of unacceptable, insecure permissions in order to run in production environments. Especially since it is being forced upon us.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1973321

Title:
  snaps don't start when current working directory is on a remote FS (sshfs, NFS)

Status in snapd:
  Triaged
Status in firefox package in Ubuntu:
  Confirmed
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  All snaps fail to start when the current working directory is under an sshfs tree:

      /tmp/test$ hello-world
      cannot open path of the current working directory: Permission denied

  The reason is that sshfs by default disallows the root user (or any user other than the one who created the mount) from accessing the mounted file system, and snap-confine is a setuid program which, before dropping its privileges, tries to open the current working directory and terminates if that operation fails:

  In sc_preserve_and_sanitize_process_state():

      proc_state->orig_cwd_fd = openat(AT_FDCWD, ".", O_PATH | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
      if (proc_state->orig_cwd_fd < 0) {
          die("cannot open path of the current working directory");
      }

  There are workarounds for this situation: one can add the "user_allow_other" option to /etc/fuse.conf and call sshfs with the "-o allow_root" option, and this will allow snaps to start, yet it's a suboptimal experience.

  Possible solutions:

  A) Move this part of code a bit later, after having dropped the privileges.
  B) Drop the privileges before making this call, and restore them afterwards.
  C) Use get_current_dir_name() to get the directory name if openat() fails, then restore it using chdir().
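Option B from the bug description above, sketched as an added example; it is not snapd code and not the project's fix. The helper names open_cwd_as_real_user() and fd_is_cwd() are hypothetical, and the sketch assumes a Linux setuid-root binary whose real UID is the invoking user.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for O_PATH */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000         /* asm-generic value, used only as a fallback */
#endif

/* Hypothetical helper: open "." with the caller's real identity, then restore
 * the privileged effective UID. Returns the fd, or -1 with errno set. */
int open_cwd_as_real_user(void)
{
    uid_t saved_euid = geteuid();

    /* Drop only the effective UID. The saved set-user-ID keeps the privileged
     * value, and on Linux the filesystem UID follows the effective UID, so
     * sshfs or a root-squashing NFS server sees the invoking user. */
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = openat(AT_FDCWD, ".", O_PATH | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
    int open_errno = errno;

    /* Verify the restore: carrying on with the wrong identity must be fatal. */
    if (seteuid(saved_euid) != 0 || geteuid() != saved_euid) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* Returns 1 if fd refers to the same directory as ".", otherwise 0. */
int fd_is_cwd(int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(".", &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

int main(void)
{
    int fd = open_cwd_as_real_user();
    if (fd < 0) { perror("cannot open path of the current working directory"); return 1; }
    printf("fd=%d same_dir=%d euid=%d\n", fd, fd_is_cwd(fd), (int)geteuid());
    close(fd);
    return 0;
}
```

The helper changes only the effective UID; the group-related behaviour the commenter describes for NFS is outside what this sketch covers.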