EACCES error trying to access /var/lib/snapd/void in node snap with classic confinement
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
New
|
Undecided
|
Unassigned |
Bug Description
Running `node init` or `node install` is failing on my system with an EACCES error while trying to access `/var/lib/
I'm posting the logs below, but the important bits from the `SNAP_DEBUG=1` run are:
- There are two execve calls in succession, invoking snap-confine, one for `node.npm install` and the second for `node npm install`
- The first execve call succeeds in restoring the working directory
- The second execve call fails to restore the working directory because it has lost the `/home` prefix from the path it is trying to restore into
```
DEBUG: execv(/
DEBUG: argv[1] = node.npm
DEBUG: argv[2] = install
DEBUG: umask restored to 02
DEBUG: working directory restored to /home/dani/
...
DEBUG: execv(/
DEBUG: argv[1] = node
DEBUG: argv[2] = /snap/node/
DEBUG: argv[3] = install
DEBUG: umask restored to 02
DEBUG: cannot open path of the original working directory /dani/Developme
DEBUG: the process has been placed in the special void directory
```
Logs and info:
```
$ snap version
snap 2.56.2
snapd 2.56.2
series 16
ubuntu 22.04
kernel 5.15.0-40-generic
$ snap info node
name: node
summary: Node.js
publisher: OpenJS Foundation (iojs✓)
store-url: https:/
contact: https:/
license: unset
description: |
A JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven,
non-blocking I/O model that makes it lightweight and efficient. Node.js' package ecosystem, npm,
is the largest ecosystem of open source libraries in the world. https:/
commands:
- node
- node.npm
- node.npx
- node.yarn
- node.yarnpkg
snap-id: MEd4V4HHFkCXBSz
tracking: 18/stable
refresh-date: today at 18:07 BST
channels:
*** snipped ***
installed: 18.6.0 (6512) 32MB classic
```
Running `npm install`:
```
$ npm install
npm ERR! code EACCES
npm ERR! syscall open
npm ERR! path /var/lib/
npm ERR! errno -13
npm ERR! Error: EACCES: permission denied, open '/var/lib/
npm ERR! [Error: EACCES: permission denied, open '/var/lib/
npm ERR! errno: -13,
npm ERR! code: 'EACCES',
npm ERR! syscall: 'open',
npm ERR! path: '/var/lib/
npm ERR! }
npm ERR!
npm ERR! The operation was rejected by your operating system.
npm ERR! It is likely you do not have the permissions to access this file as the current user
npm ERR!
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/dani/
```
Running with debug:
```
$ SNAPD_DEBUG=1 snap run node.npm install
2022/07/15 19:18:43.137670 tool_linux.go:204: DEBUG: restarting into "/snap/
2022/07/15 19:18:43.298296 cmd_run.go:1035: DEBUG: executing snap-confine from /snap/snapd/
2022/07/15 19:18:43.299937 cmd_run.go:438: DEBUG: SELinux not enabled
2022/07/15 19:18:43.300051 tracking.go:46: DEBUG: creating transient scope snap.node.npm
2022/07/15 19:18:43.300875 tracking.go:186: DEBUG: using session bus
2022/07/15 19:18:43.302107 tracking.go:319: DEBUG: create transient scope job: /org/freedeskto
2022/07/15 19:18:43.302867 tracking.go:419: DEBUG: job result is "done"
2022/07/15 19:18:43.302880 tracking.go:426: DEBUG: transient scope snap.node.
2022/07/15 19:18:43.303110 tracking.go:146: DEBUG: waited 2.147245ms for tracking
DEBUG: umask reset, old umask was 02
DEBUG: security tag: snap.node.npm
DEBUG: executable: /snap/snapd/
DEBUG: confinement: classic
DEBUG: base snap: core20
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/snapd/
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_
DEBUG: opening lock file: /run/snapd/
DEBUG: set_effective_
DEBUG: set_effective_
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_
DEBUG: set_effective_
DEBUG: (experimental) ensuring snap mount and data directories are mount points
DEBUG: releasing lock 5
DEBUG: preparing classic execution environment
DEBUG: (experimental) unsharing the mount namespace (per-classic-snap)
DEBUG: set_effective_
DEBUG: creating user data directory: /home/dani/
DEBUG: requesting changing of apparmor profile on next exec to snap.node.npm
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.node.npm
DEBUG: read 14 bytes from /var/lib/
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/
DEBUG: argv[1] = node.npm
DEBUG: argv[2] = install
DEBUG: umask restored to 02
DEBUG: working directory restored to /home/dani/
2022/07/15 19:18:43.452950 tool_linux.go:204: DEBUG: restarting into "/snap/
2022/07/15 19:18:43.465268 cmd_run.go:1035: DEBUG: executing snap-confine from /snap/snapd/
2022/07/15 19:18:43.466442 cmd_run.go:438: DEBUG: SELinux not enabled
2022/07/15 19:18:43.466515 tracking.go:46: DEBUG: creating transient scope snap.node.node
2022/07/15 19:18:43.467222 tracking.go:186: DEBUG: using session bus
2022/07/15 19:18:43.468140 tracking.go:319: DEBUG: create transient scope job: /org/freedeskto
2022/07/15 19:18:43.468717 tracking.go:419: DEBUG: job result is "done"
2022/07/15 19:18:43.468727 tracking.go:426: DEBUG: transient scope snap.node.
2022/07/15 19:18:43.468996 tracking.go:146: DEBUG: waited 1.72604ms for tracking
DEBUG: umask reset, old umask was 02
DEBUG: security tag: snap.node.node
DEBUG: executable: /snap/snapd/
DEBUG: confinement: classic
DEBUG: base snap: core20
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/snapd/
DEBUG: apparmor mode is: enforce
DEBUG: moving to mount namespace of pid 1
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_
DEBUG: opening lock file: /run/snapd/
DEBUG: set_effective_
DEBUG: set_effective_
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_
DEBUG: set_effective_
DEBUG: (experimental) ensuring snap mount and data directories are mount points
DEBUG: releasing lock 5
DEBUG: preparing classic execution environment
DEBUG: (experimental) unsharing the mount namespace (per-classic-snap)
DEBUG: set_effective_
DEBUG: creating user data directory: /home/dani/
DEBUG: requesting changing of apparmor profile on next exec to snap.node.node
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.node.node
DEBUG: read 14 bytes from /var/lib/
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/
DEBUG: argv[1] = node
DEBUG: argv[2] = /snap/node/
DEBUG: argv[3] = install
DEBUG: umask restored to 02
DEBUG: cannot open path of the original working directory /dani/Developme
DEBUG: the process has been placed in the special void directory
```
I had the same problem while using node (any of the 16/stable, 18/sable, 20/sable). I started having this issue after enabling snap parallel instances (running more than one version of a package). After I've disable the option everything was working as expected. Note that you might need to remove the parallel versions of packages that you have already installed.
Check if this option is enabled on your end:
``` parallel- instances
sudo snap get system experimental.
```
and disable it:
``` parallel- instances= false
sudo snap set system experimental.
```