dropping privs did not work: Invalid argument

Bug #1760416 reported by arky
Affects: snapd (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Unable to run any snap app on Ubuntu. Running an installed app results in a 'dropping privs did not work' error.

Testcase: VLC app

$ snap install vlc
vlc 3.0.1-4-g14a4897 from 'videolan' installed

$ snap list
Name Version Rev Developer Notes
core 16-2.31.2 4206 canonical core
vlc 3.0.1-4-g14a4897 190 videolan -

$ vlc
dropping privs did not work: Invalid argument

$ which vlc
/snap/bin/vlc

$ df -h
<snipped>
/dev/loop0 82M 82M 0 100% /snap/core/4206
/dev/loop1 181M 181M 0 100% /snap/vlc/190

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: snapd 2.29.4.2+17.10 [modified: usr/share/dbus-1/services/io.snapcraft.Launcher.service]
ProcVersionSignature: Ubuntu 4.13.0-37.42-generic 4.13.13
Uname: Linux 4.13.0-37-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
CurrentDesktop: GNOME
Date: Sun Apr 1 18:28:55 2018
InstallationDate: Installed on 2013-03-22 (1835 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: snapd
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
arky (arky) wrote :

Adding additional information missing from the main bug report.

$ snap version
snap 2.31.2
snapd 2.31.2
series 16
ubuntu 17.10
kernel 4.13.0-37-generic

$ snap list
Name Version Rev Developer Notes
core 16-2.31.2 4206 canonical core
vlc 3.0.1-4-g14a4897 190 videolan -

$ snap interfaces
Slot Plug
:account-control -
:alsa -
:autopilot-introspection -
:avahi-control -
:avahi-observe -
:bluetooth-control -
:bluez -
:broadcom-asic-control -
:browser-support -
:camera -
:classic-support -
:core-support core:core-support-plug
:cups-control -
:dcdbas-control -
:desktop vlc
:desktop-legacy vlc
:docker-support -
:firewall-control -
:framebuffer -
:fuse-support -
:gpg-keys -
:gpg-public-keys -
:gpio-memory-control -
:greengrass-support -
:gsettings -
:hardware-observe -
:hardware-random-control -
:hardware-random-observe -
:home vlc
:io-ports-control -
:joystick -
:kernel-module-control -
:kubernetes-support -
:kvm -
:libvirt -
:locale-control -
:log-observe -
:lxd-support -
:modem-manager -
:mount-observe -
:netlink-audit -
:netlink-connector -
:network vlc
:network-bind vlc
:network-control -
:network-manager -
:network-observe -
:network-setup-control -
:network-setup-observe -
:ofono -
:opengl vlc
:openvswitch -
:openvswitch-support -
:optical-drive vlc
:password-manager-service -
:physical-memory-control -
:physical-memory-observe -
:ppp -
:process-control -
:pulseaudio vlc
:raw-usb -
:removable-media vlc
:screen-inhibit-control vlc
:shutdown -
:snapd-control -
:ssh-keys -
:ssh-public-keys -
:system-observe -
:system-trace -
:time-control -
:timeserver-control -
:timezone-control -
:tpm -
:uhid -
:unity7 vlc
:upower-observe -
:wayland -
:x11 vlc
vlc:mpris -
- vlc:camera
- vlc:mount-observe

Zygmunt Krynicki (zyga)
Changed in snapd (Ubuntu):
assignee: nobody → Zygmunt Krynicki (zyga)
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Dear reporter, can you please attach some more information:

ls -ld /usr/lib/snapd/snap-confine

Revision history for this message
arky (arky) wrote :

$ ls -ld /usr/lib/snapd/snap-confine
-rwsr-sr-x 1 root root 88632 Nov 30 23:42 /usr/lib/snapd/snap-confine

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Hmm, this looks correct. I have no idea what happened. When did this start failing? Did you do anything interesting to your system lately?

Revision history for this message
arky (arky) wrote :

@zyga, As a snap newbie, I used 'sudo snap install'. Perhaps that must have screwed up the snapd setup.

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

No, that's all fine. It should not cause any issues.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Are there security policy denials? Please paste the output of the following after trying to run a snap:
$ sudo journalctl | grep audit

What is the output of:
$ set|grep 'USER.*=' ; id

What is the output of (it should return nothing):
$ getcap /usr/lib/snapd/snap-confine

Revision history for this message
arky (arky) wrote :

$ snap install vlc
vlc 3.0.1-4-g14a4897 from 'videolan' installed

$ vlc
dropping privs did not work: Invalid argument

$ sudo journalctl | grep audit > errors.txt
<snip>
Mar 30 19:02:53 think kernel: audit: type=1400 audit(1522411373.004:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper" pid=549 comm="apparmor_parser"
Mar 30 19:02:53 think kernel: audit: type=1400 audit(1522411373.004:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium" pid=549 comm="apparmor_parser"
Mar 30 19:02:53 think kernel: audit: type=1400 audit(1522411373.006:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4110/usr/lib/snapd/snap-confine" pid=555 comm="apparmor_parser"
Mar 30 19:02:53 think kernel: audit: type=1400 audit(1522411373.006:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4110/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=555 comm="apparmor_parser"
Mar 30 19:02:53 think kernel: audit: type=1400 audit(1522411373.006:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4110/usr/lib/snapd/snap-confine//snap_update_ns" pid=555 comm="apparmor_parser"
Mar 30 19:02:53 think kernel: audit: type=1400 audit(1522411373.008:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=550 comm="apparmor_parser"
Mar 30 19:02:53 think audit[545]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="content-hub-clipboard" pid=545 comm="apparmor_parser"
Mar 30 19:02:53 think audit[546]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="content-hub-peer-picker" pid=546 comm="apparmor_parser"
Mar 30 19:02:53 think audit[547]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=547 comm="apparmor_parser"
Mar 30 19:02:53 think audit[549]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper" pid=549 comm="apparmor_parser"
Mar 30 19:02:53 think audit[549]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium" pid=549 comm="apparmor_parser"
Mar 30 19:02:53 think audit[555]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4110/usr/lib/snapd/snap-confine" pid=555 comm="apparmor_parser"
Mar 30 19:02:53 think audit[555]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4110/usr/lib/snapd/snap-confine

Full pastebin here -> https://paste.ubuntu.com/p/C3VgRY4BPB/

$ set|grep 'USER.*=' ; id
USER=arky
USERNAME=arky
uid=1000(arky) gid=0(root) groups=0(root)

Revision history for this message
Daan W. (dwynen) wrote :

For me this happened when I was running the example commands from [1] as root:

mkdir test-snapcraft
cd test-snapcraft
snapcraft init
snapcraft cleanbuild

[1] https://docs.snapcraft.io/build-snaps/get-started-snapcraft

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@arky and @zyga:

Notice: uid=1000(arky) gid=0(root) groups=0(root)

It seems at the time you are running a snap command that you are not a regular user. Please also give the output of:

$ id ; id -ru ; id -rg ; id -rG

Revision history for this message
arky (arky) wrote :

This is the only account on this laptop. It was created a long time back. What is the best way to de-escalate the permissions?

$ id ; id -ru ; id -rg ; id -rG
uid=1000(arky) gid=0(root) groups=0(root)
1000
0
0

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@arky, you should take a look at /etc/passwd and /etc/group. Typically your regular account will have its own group. Eg:

In /etc/passwd, a typical user will have:
$ grep ubuntu /etc/passwd
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

$ grep 1000 /etc/group
ubuntu:x:1000:

You should verify that /etc/group has:
arky:x:1000:

If it doesn't, then do:
$ sudo addgroup --gid 1000 arky

I suspect that /etc/passwd has:
ubuntu:x:1000:0:<something>:/home/arky:/bin/bash

Adjust that to be:
ubuntu:x:1000:1000:<something>:/home/arky:/bin/bash

(where '<something>' you just leave alone).

You can now try to login via a tty to make sure it works (eg, ctrl+alt+F3). If it does, then you should:

$ sudo chgrp -R arky /home/arky

Then logout and back in. Good luck!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@Daan your issue is different and specific to snapcraft. I suggest you file a bug at https://bugs.launchpad.net/snapcraft/+filebug

Changed in snapd (Ubuntu):
assignee: Zygmunt Krynicki (zyga) → nobody
status: New → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

"I suspect that /etc/passwd has:
ubuntu:x:1000:0:<something>:/home/arky:/bin/bash

Adjust that to be:
ubuntu:x:1000:1000:<something>:/home/arky:/bin/bash"

That should've read:

I suspect that /etc/passwd has:
arky:x:1000:0:<something>:/home/arky:/bin/bash

Adjust that to be:
arky:x:1000:1000:<something>:/home/arky:/bin/bash
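An added check, not from the bug report or from snapd, that detects the passwd/group inconsistency diagnosed in the two comments above (a regular uid whose primary gid is 0, or whose primary gid has no group(5) entry) and prints the repair steps jdstrand describes. `find_gid_mismatch`, `current_ids_ok`, `suggested_fix` and the sample data are constructed for this example; `usermod -g` stands in for the manual /etc/passwd edit.

```shell
#!/bin/sh
# Constructed sample data (not the reporter's real files). The "arky" line
# reproduces the misconfiguration from the thread: uid 1000, primary gid 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
arky:x:1000:0:Arky:/home/arky:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash'
SAMPLE_GROUP='root:x:0:
alice:x:1001:'

# find_gid_mismatch PASSWD_TEXT GROUP_TEXT
# Prints "user:uid:gid" for each account with a regular uid (1000..59999)
# whose primary gid is 0 (root) or does not exist in the group data.
# Group lines are tagged "G:" and passwd lines "P:" so one awk pass sees both.
find_gid_mismatch() {
    {
        printf '%s\n' "$2" | sed 's/^/G:/'
        printf '%s\n' "$1" | sed 's/^/P:/'
    } | awk -F: '
        $1 == "G" { known[$4] = 1; next }   # G:name:x:gid: -> remember gid
        $1 == "P" && $4 >= 1000 && $4 < 60000 && ($5 == 0 || !($5 in known)) {
            print $2 ":" $4 ":" $5          # P:name:x:uid:gid:...
        }'
}

# current_ids_ok: returns 1 when the calling process itself is in the state
# that made snap-confine fail here (non-root real uid, real gid 0).
current_ids_ok() {
    ruid=$(id -ru); rgid=$(id -rg)
    [ "$ruid" -eq 0 ] || [ "$rgid" -ne 0 ]
}

# suggested_fix USER UID: prints (does not run) the repair sequence from the
# comments above: create the missing group, fix the primary gid, re-own $HOME.
suggested_fix() {
    printf 'sudo addgroup --gid %s %s\n' "$2" "$1"
    printf 'sudo usermod -g %s %s\n' "$2" "$1"
    printf 'sudo chgrp -R %s /home/%s\n' "$1" "$1"
}

# Stand-alone usage: audit the sample data and print the fix for each hit.
find_gid_mismatch "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | while IFS=: read -r u uid gid; do
    printf '%s has uid %s but primary gid %s; suggested repair:\n' "$u" "$uid" "$gid"
    suggested_fix "$u" "$uid"
done
```

Run it against the live system with `find_gid_mismatch "$(cat /etc/passwd)" "$(cat /etc/group)"` and `current_ids_ok || echo "real gid is 0"` before touching anything.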

Revision history for this message
arky (arky) wrote :

Thank you @jdstrand @zyga for all your help in resolving this pesky problem. Kudos!
