Permission Denied Issue

[bernej]

Hello @assafmo ,

I have been using joincap as a local development tool for merging granular pcap files into larger pcap files. However, when I tried to deploy it onto a linux environment (it was working perfectly on windows locally), I am unable to merge any pcap files. Below is the verbose output, and this is the same output when sudo'd

user@machine:~$ joincap -v -w=output.pcap input.pcap user@machine:~$ sudo joincap -v -w=output.pcap input.pcap

both yield:

2019/04/17 17:09:20 joincap v0.10.1 - https://github.com/assafmo/joincap 2019/04/17 17:09:20 input.pcap: open input.pcap: permission denied (skipping this file) 2019/04/17 17:09:20 merging 0 input files of size 0 B 2019/04/17 17:09:20 cannot open output.pcap for writing: open output.pcap: permission denied

This happens regardless of user and directory permissions (I'm doing this in the home directory of my user, so it follows that I have read/write privileges). Any ideas as to what is going on here? I would love to get this tool working on this environment (ubuntu 16.04). Any help would be extremely appreciated!

Thanks, Jonathan

[assafmo]

Hi @bernej, thanks for your feedback!

This is weird. I'm using joincap on linux a lot, this error shouldn't happen.

Actually sudo isn't necessary here, so I still believe it's a permissions issue.

Does touch x works? Does echo x > output.pcap works? Does joincap -v input.pcap > output.pcap works? Can you paste here your ls -la ~ output? Maybe joincap is running as another user?

[bernej]

@assafmo,

Thank you for the quick response!

Both touch x and echo x > output.pcap work.

joincap -v input.pcap > output.pcap yields:

2019/04/18 10:33:32 joincap v0.10.1 - https://github.com/assafmo/joincap 2019/04/18 10:33:32 input.pcap: open input.pcap: permission denied (skipping this file) 2019/04/18 10:33:32 merging 0 input files of size 0 B 2019/04/18 10:33:32 writing to /dev/stdout

ls -la ~ yields:

-rwxrwxrwx 1 user user 6393 Apr 17 17:08 input.pcap -rwxrwxrwx 1 user user 24 Apr 18 10:33 output.pcap

Even if I assert the command to run with my user I still get permission denied: sudo runuser -l user -c 'joincap -v -w=output.pcap input.pcap'

2019/04/18 10:43:31 joincap v0.10.1 - https://github.com/assafmo/joincap 2019/04/18 10:43:31 input.pcap: open input.pcap: permission denied (skipping this file) 2019/04/18 10:43:31 merging 0 input files of size 0 B 2019/04/18 10:43:31 cannot open output.pcap for writing: open output.pcap: permission denied

The file permissions are 777 for both, so even if joincap was running as another user it should still work, no?

[assafmo]

I see that redirecting stdout to output.pcap created an "empty" pcap file, which is a good start. (empty pcap means a global header of 24 bytes and no packets)

What are the permissions on the joincap executable? And what are the permissions on the directory from which you are trying to read input.pcap?

[bernej]

whereis joincap

joincap: /snap/bin/joincap

stat /snap/bin/joincap yields:

File: '/snap/bin/joincap' -> '/usr/bin/snap' Size: 13 Blocks: 0 IO Block: 4096 symbolic link Device: 801h/2049d Inode: 4354547 Links: 1 Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2019-04-17 16:26:37.434181373 -0700 Modify: 2019-04-17 16:26:28.990156238 -0700 Change: 2019-04-17 16:26:28.990156238 -0700 Birth: -

stat ~ yields 755 permissions

[assafmo]

I see this is a known issue with snap store installs - https://askubuntu.com/questions/930437/permission-denied-error-when-running-apps-installed-as-snap-packages-ubuntu-17

I am able to reproduce your situation. This has worked for me in the past. Weird.

In the meantime you can use the precompiled binary from the releases page - https://github.com/assafmo/joincap/releases.
Just copy it to /usr/local/bin and do sudo chmod +x /usr/local/bin/joincap.
Please tell me when it works.

I'll try to find a workaround for the snap store installation problem.

[assafmo]

Seems like I need to make the snap package classic instead of strict - https://docs.snapcraft.io/snap-confinement/6233.

It might take some time because it requires a manual approval by the snap store team.
@bernej, use the precompiled binary while I apply for classic snap confinement.

[bernej]

@assafmo

That worked like a charm! Thank you so much for tracking down this issue. I extremely appreciate your help!

[assafmo]

https://forum.snapcraft.io/t/classic-confinement-request-joincap/10983

[anonymouse64]

Instead of requesting classic confinement, you could try adding the home and removable-media plugs to your app in the snapcraft.yaml. When connected, those allow your snap to access files in the user's $HOME directory as well as files in /media, etc. for USB drives and such.

[assafmo]

Thanks @anonymouse64, I didn't know this.

I still believe classic confinement is better. I don't see why deny the user from reading and writing to pcap files outside of $HOME and /media.

Anyway joincap will ignore reading non-pcap files and linux permissions will prevent writing in places the user cannot access.

[anonymouse64]

Note that classic confinement turns off all snap confinement and effectively grants your snap device control. Additionally, classic snaps are not supported on Ubuntu Core at all, so users won't be able to use your snap on that OS.

Additionally, I'm curious is it a common use case to have users of joincap read files from system directories? I would imagine that most pcap files would be user-generated and thus live in their $HOME directory or some removable media like a USB drive.

[assafmo]

Additionally, I'm curious is it a common use case to have users of joincap read files from system directories? I would imagine that most pcap files would be user-generated and thus live in their $HOME directory or some removable media like a USB drive.

Probably not. I use it with NFS and CIFS devices which can be mounted anywhere. Probably in /mnt or $HOME, but I wouldn't want to impose this restriction on the user.