canonical / multipass

Multipass orchestrates virtual Ubuntu instances
https://multipass.run
GNU General Public License v3.0
7.94k stars, 654 forks

[MacOS] permission denied for some parts of mounted home directory #1389

Open codekitchen opened 4 years ago

codekitchen commented 4 years ago
MacOS Catalina 10.15.3
multipass  1.0.0+mac
multipassd 1.0.0+mac

I've installed multipass as part of an effort to build a snapcraft package on MacOS, but I'm running into issues with the mount functionality. I can access parts of my mounted home directory, but some directories such as Desktop, Documents and Downloads give me a permission denied error. I also get an error if I try to multipass mount any path under those directories. See console output below.

I do have iCloud Drive enabled to sync my files, which could possibly be related somehow? Though I'd think that would only affect Documents and Desktop since they are the synced folders, Downloads is not synced.

$ multipass restart primary

$ multipass shell
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Feb 25 13:16:52 MST 2020

  System load:  0.62              Processes:             118
  Usage of /:   24.1% of 4.67GB   Users logged in:       0
  Memory usage: 11%               IP address for enp0s2: 192.168.64.16
  Swap usage:   0%

1 package can be updated.
1 update is a security update.

Last login: Tue Feb 25 13:16:14 2020 from 192.168.64.1
ubuntu@primary:~$ ls -l Home
drwx------ 1 ubuntu ubuntu   96 Jan 31  2017  Applications
drwx------ 1 ubuntu ubuntu  128 Feb 24 19:49  Desktop
drwx------ 1 ubuntu ubuntu 1504 Feb 24 20:49  Documents
drwx------ 1 ubuntu ubuntu  192 Feb 25 12:46  Downloads
drwx------ 1 ubuntu ubuntu 2976 Nov 21 18:03  Library
drwx------ 1 ubuntu ubuntu  224 Oct  9 13:44  Movies
drwx------ 1 ubuntu ubuntu  192 Oct  9 13:44  Music
drwx------ 1 ubuntu ubuntu  256 May 31  2019  Pictures
drwxr-xr-x 1 ubuntu ubuntu  160 Jan 20  2017  Public
drwxr-xr-x 1 ubuntu ubuntu   96 Feb 21 10:39 'VirtualBox VMs'
drwxr-xr-x 1 ubuntu ubuntu  480 Feb  3 18:42  miniconda3
ubuntu@primary:~$ ls Home/Music/
Music  iTunes
ubuntu@primary:~$ ls Home/Library/
...lots of output...
ubuntu@primary:~$ ls Home/Desktop/
ls: reading directory 'Home/Desktop/': Permission denied
ubuntu@primary:~$ ls Home/Documents/
ls: reading directory 'Home/Documents/': Permission denied
ubuntu@primary:~$ ls Home/Downloads/
ls: reading directory 'Home/Downloads/': Permission denied
ubuntu@primary:~$ ls Home/Pictures/
 'Photo Booth Library'  'Photos Library.photoslibrary'
ubuntu@primary:~$ logout

# back on MacOS host
$ multipass mount -vvv $HOME/Documents/Programming/pipeline primary:pipeline
[2020-02-25T13:23:53.591] [debug] [mount cmd] ../src/client/cli/cmd/mount.cpp:234 parse_args(): adding default uid/gid mapping
mount failed: source "/Users/brianp/Documents/Programming/pipeline" is not readable

townsend2010 commented 4 years ago

Hi @codekitchen,

What are the permissions and ownership of those directories on the host? I just tried it on my Mac and those directories are accessible for me, so it looks to be something on your host.

codekitchen commented 4 years ago

Here's the output of ls -le@ on my host home directory. I'm not entirely sure what some of the extended attributes such as com.apple.macl mean.

$ ls -le@
total 0
drwx------@  3 brianp  staff    96 Jan 31  2017 Applications
    com.apple.quarantine      28
drwx------@  4 brianp  staff   128 Feb 24 19:49 Desktop
    com.apple.icloud.desktop       8
    com.apple.macl    72
 0: group:everyone deny delete
drwx------@ 47 brianp  staff  1504 Feb 24 20:49 Documents
    com.apple.icloud.desktop       8
 0: group:everyone deny delete
drwx------@  6 brianp  staff   192 Feb 25 12:46 Downloads
    com.apple.macl   144
 0: group:everyone deny delete
drwx------@ 93 brianp  staff  2976 Nov 21 18:03 Library
    com.apple.FinderInfo      32
 0: group:everyone deny delete
drwx------+  7 brianp  staff   224 Oct  9 13:44 Movies
 0: group:everyone deny delete
drwx------+  6 brianp  staff   192 Oct  9 13:44 Music
 0: group:everyone deny delete
drwx------+  8 brianp  staff   256 May 31  2019 Pictures
 0: group:everyone deny delete
drwxr-xr-x+  5 brianp  staff   160 Jan 20  2017 Public
 0: group:everyone deny delete
drwxr-xr-x   3 brianp  staff    96 Feb 21 10:39 VirtualBox VMs
drwxr-xr-x  15 brianp  staff   480 Feb  3 18:42 miniconda3

Thinking about it a bit further, the Documents, Desktop and Downloads directories are also the same directories that have the new protections in Catalina, where MacOS asks for confirmation whenever a new app wants to access them for the first time. I don't get any sort of prompt dialog from MacOS when multipass tries to access them.

townsend2010 commented 4 years ago

There are a number of articles describing what that is. Here is one I found: https://lapcatsoftware.com/articles/macl.html

So it's definitely the problem on your machine. I'm running Catalina as well and don't have that issue, but it's entirely possible that I granted permission for all sorts of things in the past :grin:

codekitchen commented 4 years ago

Hm I'm not sure that's the issue. That article seems to be saying that the com.apple.macl attribute actually grants implicit read permissions to files/folders with that attribute, so I don't see how that'd prevent multipass from reading those folders. Am I reading this wrong?

codekitchen commented 4 years ago

Although related to that article, I started digging around into the Security & Privacy preferences pane and I see that multipassd is listed on the list of apps for "Full Disk Access", but it is unchecked, without me having done anything. I'm not sure why it would show up on this list.

If I check that box, multipass can now access all these directories, snapcraft can mount the folder inside Documents, everything seems to be working.

Is it possible that something in the multipass install process didn't work correctly, and it was intended that this box would get checked? Or am I reading too much into the fact that multipassd appeared on this list without me doing anything.

townsend2010 commented 4 years ago

Hmm, I really don't know how multipassd ended up on that list, nor why it isn't checked. I certainly don't see that at all on my machine and you're the first to report this issue as far as I know. The good news is that you got it working. I'm going to leave this open for now in case this is some brand new behavior and more folks run into this.

SylvainLasnier commented 4 years ago

Same problem. I manually set full disk access for multipassd with the "Security & Privacy" tool to solve this. Apple seems to add some ACL properties: https://lapcatsoftware.com/articles/macl.html So the multipass install has to evolve a bit, IMHO.

ghazlewood commented 4 years ago

I was trying to mount a directory to my host (Mac) with:

$ multipass mount /Users/george.hazlewood/Desktop/test/ k3s:/home/ubuntu/test/

and was getting:

mount failed: source "/Users/george.hazlewood/Desktop/test" is not readable

After enabling Full Disk Access in Security & Privacy System Preferences for multipassd the problem went away. Thanks @SylvainLasnier and @codekitchen for the tip!

ziang-info commented 4 years ago

Or move the project workspace out of the Documents directory, to somewhere such as ~/.
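
A pre-flight check for the situation in this thread, added here as an example (it is not part of the original discussion or of Multipass): it reports whether a `multipass mount` source sits under one of the folders the thread found blocked. The function names are hypothetical, and the folder list is limited to Desktop, Documents and Downloads as reported above.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a `multipass mount` source on macOS.
# The folder list is the one reported in this thread; function names are hypothetical.
PROTECTED_DIRS="Desktop Documents Downloads"

# Physical path if the directory exists and can be entered (so a symlink that
# points into a protected folder is caught), else the path minus trailing slashes.
resolve_dir() {
  local p=$1
  if [ -d "$p" ] && (cd "$p" 2>/dev/null); then
    (cd "$p" && pwd -P)
  else
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
  fi
}

# Print the protected folder name and return 0 if $1 is, or lies under,
# <home>/Desktop, <home>/Documents or <home>/Downloads; return 1 otherwise.
protected_folder_of() {
  local path home d
  path=$(resolve_dir "$1")
  home=$(resolve_dir "${2:-$HOME}")
  for d in $PROTECTED_DIRS; do
    case "$path" in
      "$home/$d" | "$home/$d"/*) printf '%s\n' "$d"; return 0 ;;
    esac
  done
  return 1
}

# One-line verdict for a mount source.
mount_preflight() {
  local src=$1 home=${2:-$HOME} d
  if d=$(protected_folder_of "$src" "$home"); then
    echo "PROTECTED: under ~/$d; grant multipassd Full Disk Access or move the source out of ~/$d"
  elif [ -e "$src" ] && [ ! -r "$src" ]; then
    echo "UNREADABLE: inspect mode, ACLs and attributes with: ls -lde@ \"$src\""
  else
    echo "OK: not under Desktop, Documents or Downloads"
  fi
}

# Run as: ./preflight.sh /path/to/source
if [ $# -gt 0 ]; then mount_preflight "$1"; fi
```

The match is on whole path components, so a sibling such as `~/Documents2` is not reported as protected.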

jrochkind commented 1 year ago

(For what it's worth, granting Multipass "full disk access" in the settings panel per https://github.com/canonical/multipass/issues/1389#issuecomment-591074740 resolved the issue for me; obviously there could be some security implications)

sindastra commented 1 year ago

@codekitchen @townsend2010 I should add that applications cannot check themselves in those settings. That's for security reasons. The end-user must make that choice. If applications could exempt themselves from restrictions, there would no longer be a point to those restrictions being there, and the security would be broken.

0neCigarettes commented 2 months ago

> Although related to that article, I started digging around into the Security & Privacy preferences pane and I see that multipassd is listed on the list of apps for "Full Disk Access", but it is unchecked, without me having done anything. I'm not sure why it would show up on this list.
>
> If I check that box, multipass can now access all these directories, snapcraft can mount the folder inside Documents, everything seems to be working.
>
> Is it possible that something in the multipass install process didn't work correctly, and it was intended that this box would get checked? Or am I reading too much into the fact that multipassd appeared on this list without me doing anything.

I got the same issue, but I didn't find multipassd in the permissions list.

mac: Sequoia
multipass version: 1.15.0-dev.2929.pr661+gc67ef6641.mac (I use this version because the last LTS version can't run instances after the OS upgrade)

georgeliao commented 2 months ago

> I got the same issue, but I didn't find multipassd in the permissions list.

In this case, you can press the + button, find the /Library/Application Support/com.canonical.multipass/bin/multipassd binary and add it. Note, you may need to use Cmd + Shift + G to bring up the "Go to Folder" box.

ethanuppal commented 2 months ago

Even after doing this, I still get the same error; not sure what's going on here.

0neCigarettes commented 2 months ago

> Even after doing this, I still get the same error; not sure what's going on here.

Exactly the same with my issue, can anyone help? 🥲

ethanuppal commented 2 months ago

Also, is there a way to pass execute permissions across mounts?

georgeliao commented 2 months ago

> Even after doing this, I still get the same error; not sure what's going on here.

That full disk access on multipassd should fix the problem. Can you close that full disk access window and restart multipassd by running

sudo launchctl unload /Library/LaunchDaemons/com.canonical.multipassd.plist
sudo launchctl load /Library/LaunchDaemons/com.canonical.multipassd.plist

to make sure the change takes effect, and then try the mount again?

0neCigarettes commented 1 month ago

sudo launchctl load /Library/LaunchDaemons/com.canonical.multipassd.plist

After doing the step above, I still got a permission error: chown: changing ownership of 'path/inside/mount': Permission denied

0neCigarettes commented 1 month ago

> sudo launchctl load /Library/LaunchDaemons/com.canonical.multipassd.plist
>
> After doing the step above, I still got a permission error: chown: changing ownership of 'path/inside/mount': Permission denied

Actually, there was no problem before; this appeared after I updated the macOS Sequoia version.

ricab commented 1 month ago

Hi @0neCigarettes, since you observe this only with the test package, I wonder if this is caused by the package not being signed. Apps are treated differently and given different permissions depending on their origin on macOS.

If you want to relax those restrictions, you can find instructions online. For instance, this came up on a search. Please let us know if it makes a difference (if you decide to try it out).

We are preparing a proper (signed) release, which will be out soon and should supplant any origin verification issues.

0neCigarettes commented 1 month ago

> Hi @0neCigarettes, since you observe this only with the test package, I wonder if this is caused by the package not being signed. Apps are treated differently and given different permissions depending on their origin on macOS.
>
> If you want to relax those restrictions, you can find instructions online. For instance, this came up on a search. Please let us know if it makes a difference (if you decide to try it out).
>
> We are preparing a proper (signed) release, which will be out soon and should supplant any origin verification issues.

@ricab thanks for your response, but these steps were already done when I did the installation.

ricab commented 1 month ago

@0neCigarettes, so sudo spctl --master-disable doesn't help? If that is the case, do you have any other tool that could be blocking accesses on your Mac?

0neCigarettes commented 1 month ago

> @0neCigarettes, so sudo spctl --master-disable doesn't help? If that is the case, do you have any other tool that could be blocking accesses on your Mac?

It doesn't help. I have done a reinstall, and it didn't change anything.

0neCigarettes commented 1 month ago

> Although related to that article, I started digging around into the Security & Privacy preferences pane and I see that multipassd is listed on the list of apps for "Full Disk Access", but it is unchecked, without me having done anything. I'm not sure why it would show up on this list.
>
> If I check that box, multipass can now access all these directories, snapcraft can mount the folder inside Documents, everything seems to be working.
>
> Is it possible that something in the multipass install process didn't work correctly, and it was intended that this box would get checked? Or am I reading too much into the fact that multipassd appeared on this list without me doing anything.
>
> I got the same issue, but I didn't find multipassd in the permissions list.
>
> mac: Sequoia
> multipass version: 1.15.0-dev.2929.pr661+gc67ef6641.mac (I use this version because the last LTS version can't run instances after the OS upgrade)

Does the OS version matter, as it may have additional security?

0neCigarettes commented 1 month ago

I hope there is a quick solution regarding this, because I feel like there is no such thing as a VM as light as multipass.

ricab commented 1 month ago

Hi @0neCigarettes, I am at a loss as to what is happening there; many other users have reported the test package working for them. We are currently waiting for packages to be signed and we'll release as soon as that is done. Hopefully that will work better for you.

ricab commented 1 month ago

Highlighting a couple of comments that may be useful here: