How to allow snap applications to access /tmp folder?

Usually I avoid snap-based applications, but sometimes I need them.

For example, the Markdown Lint Tool is shipped only as a snap named mdl.

It works great when files are in the home folder:

$ echo "# header" > ~/test.md
$ /snap/bin/mdl ~/test.md ; echo $?
0

but it fails when the file is located in the /tmp directory:

$ echo "# header" > /tmp/test.md
$ cat /tmp/test.md
# header
$ /snap/bin/mdl /tmp/test.md
/snap/mdl/140/lib/ruby/gems/2.4.0/gems/mdl-0.9.0/lib/mdl/doc.rb:57:in `read': No such file or directory @ rb_sysopen - /tmp/test.md (Errno::ENOENT)
    from /snap/mdl/140/lib/ruby/gems/2.4.0/gems/mdl-0.9.0/lib/mdl/doc.rb:57:in `new_from_file'
    from /snap/mdl/140/lib/ruby/gems/2.4.0/gems/mdl-0.9.0/lib/mdl.rb:75:in `block in run'
    from /snap/mdl/140/lib/ruby/gems/2.4.0/gems/mdl-0.9.0/lib/mdl.rb:73:in `each'
    from /snap/mdl/140/lib/ruby/gems/2.4.0/gems/mdl-0.9.0/lib/mdl.rb:73:in `run'
    from /snap/mdl/140/lib/ruby/gems/2.4.0/gems/mdl-0.9.0/bin/mdl:10:in `<top (required)>'
    from /snap/mdl/140/bin/mdl:23:in `load'
    from /snap/mdl/140/bin/mdl:23:in `<main>'

For this particular application there are no options for snap connect:

$ snap connections | grep mdl
home                      mdl:home                             :home                                 -

Also I can't install it as classic:

$ snap install mdl --classic 
Warning: flag --classic ignored for strictly confined snap mdl

mdl 0.9.0 from Snapcrafters installed

What should I do to give a snap application full access to the /tmp folder?
Does this happen by snap design or not?


It seems you may be looking for the "proper" way to solve the issue caused by snaps...

but if you were looking for a workaround so you can use your tmp directory, you could:

mkdir /home/you/tmp
sudo mount --bind /tmp /home/you/tmp/

mdl will have full access to the /tmp directory via the /home/you/tmp mountpoint:

echo "# header" > /home/you/tmp/test.md
mdl /home/you/tmp/test.md

To make it permanent you can add this line to the /etc/fstab:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/tmp        /home/you/tmp   auto    bind    0   3

and rebuild the initrd with sudo update-initramfs -u -k all .
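
A narrower variant of the bind-mount workaround above, as an added example that is not part of the original answer: instead of exposing all of /tmp under the home directory, it copies only the file the snap needs into a private directory under $HOME. It assumes the snap's home interface is connected (as shown for mdl in the question); `stage_for_snap`, `run_snap_on`, `STAGE_DIR` and `HIDDEN_PREFIX` are names made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original posts.
# Assumption: the snap has the "home" interface connected, so it can read
# non-hidden files under $HOME. STAGE_DIR and HIDDEN_PREFIX are made-up names.
HIDDEN_PREFIX="${HIDDEN_PREFIX:-/tmp}"        # tree the confined snap cannot see
STAGE_DIR="${STAGE_DIR:-$HOME/snap-staging}"  # non-hidden, created mode 0700

# Print a path the snap can read: the resolved original path when it lies
# outside HIDDEN_PREFIX, otherwise the path of a private copy under STAGE_DIR.
stage_for_snap() {
    src=$(realpath -- "$1") || return 1
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    case "$src" in
        "$HIDDEN_PREFIX"/*) ;;                       # needs staging
        *) printf '%s\n' "$src"; return 0 ;;         # not under the hidden tree
    esac
    ( umask 077; mkdir -p -- "$STAGE_DIR" ) || return 1
    # One fresh subdirectory per call keeps the original file name intact.
    dest_dir=$(mktemp -d "$STAGE_DIR/XXXXXX") || return 1
    cp -- "$src" "$dest_dir/" || return 1
    printf '%s/%s\n' "$dest_dir" "$(basename -- "$src")"
}

# Run a command on one file, staging it first and removing the staged copy
# afterwards, e.g.: run_snap_on /snap/bin/mdl /tmp/test.md
# Returns the command's exit status.
run_snap_on() {
    cmd=$1
    orig=$(realpath -- "$2") || return 1
    staged=$(stage_for_snap "$orig") || return 1
    rc=0
    "$cmd" "$staged" || rc=$?
    # Only delete what this function created, never the caller's own file.
    [ "$staged" = "$orig" ] || rm -rf -- "$(dirname -- "$staged")"
    return "$rc"
}
```

The copy is one-way, so this suits tools that only read their input, such as a linter; anything the snap writes to the staged copy is discarded.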


Using "alternative" temp dirs doesn't solve the problem that the path "/tmp/foo" cannot be resolved by e.g. the chromium browser.

This fatally breaks other apps which store something in /tmp and then use e.g. gnome-open to run the user's browser to view it -- if the user's browser is a snapped chromium. The path given to the browser is /tmp/whatever and the browser cannot access that path (it will look in /tmp/snap.xxx/tmp/whatever instead).

Basically the snap sandboxing totally breaks integration of tools which use /tmp by default to pass files around.

IN SUMMARY: We need a way to configure snapped apps to not use a private /tmp (yes, less secure, but necessary for normal work to get done).