File permissions leak through to built snap
Issue body
### Bug Description
Permissions of source files on the host machine can leak through the snapcraft build process and end up in the built snap. This means that file permissions can be unexpectedly incorrect in the final snap.
Source file permissions can easily be different if the host machine's umask is customised.
This is a bug because it is unexpected and undermines the ideal of snapcraft consistently building a snap in an isolated build environment.
Permissions being unexpectedly incorrect in the resulting snap can result in unexpected permission-related errors, such as this for the openstack snap:
```
$ openstack.sunbeam -v cluster bootstrap
...
PermissionError: [Errno 13] Permission denied: '/snap/openstack/x1/etc/deploy-sunbeam-machine'
WARNING An unexpected error has occurred. Please run 'sunbeam inspect' to generate an inspection report. utils.py:290
ERROR Error: [Errno 13] Permission denied: '/snap/openstack/x1/etc/deploy-sunbeam-machine' utils.py:291
```
### To Reproduce
On a workstation, set a more restrictive umask than the default, clone a snap repository that has files it copies to the snap (files that need to be readable by a non-root user), and build the snap. Then on another machine, install the snap (this is to show the bug lies in the snapcraft build process, not in the installation process).
```
# workstation
$ umask 027
$ git clone https://github.com/canonical/snap-openstack
Cloning into 'snap-openstack'...
remote: Enumerating objects: 5943, done.
remote: Counting objects: 100% (5943/5943), done.
remote: Compressing objects: 100% (1673/1673), done.
remote: Total 5943 (delta 4154), reused 5864 (delta 4103), pack-reused 0
Receiving objects: 100% (5943/5943), 1.44 MiB | 1.15 MiB/s, done.
Resolving deltas: 100% (4154/4154), done.
$ stat cloud/etc/deploy-sunbeam-machine
File: cloud/etc/deploy-sunbeam-machine
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 252,1 Inode: 21245537 Links: 2
Access: (0750/drwxr-x---) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2024-03-13 10:10:05.547611390 +1030
Modify: 2024-03-13 10:09:50.526825834 +1030
Change: 2024-03-13 10:09:50.526825834 +1030
Birth: 2024-03-13 10:09:50.526825834 +1030
$ snapcraft
Generated snap metadata
Created snap package openstack_2023.2_amd64.snap
$ rsync -av openstack_2023.2_amd64.snap serverstack-sunbeam-0:
sending incremental file list
openstack_2023.2_amd64.snap
sent 137,536,414 bytes received 35 bytes 1,211,774.88 bytes/sec
total size is 137,502,720 speedup is 1.00
# target machine
ubuntu@serverstack-sunbeam-0:~$ sudo snap install --dangerous ./openstack_2023.2_amd64.snap
openstack 2023.2 installed
ubuntu@serverstack-sunbeam-0:~$ stat /snap/openstack/x1/etc/deploy-sunbeam-machine/
File: /snap/openstack/x1/etc/deploy-sunbeam-machine/
Size: 77 Blocks: 0 IO Block: 1024 directory
Device: 704h/1796d Inode: 139 Links: 2
Access: (0750/drwxr-x---) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-03-12 23:50:19.000000000 +0000
Modify: 2024-03-12 23:50:19.000000000 +0000
Change: 2024-03-12 23:50:19.000000000 +0000
Birth: -
ubuntu@serverstack-sunbeam-0:~$ ls /snap/openstack/x1/etc/deploy-sunbeam-machine/
ls: cannot open directory '/snap/openstack/x1/etc/deploy-sunbeam-machine/': Permission denied
```
Note that the file permissions for etc/deploy-sunbeam-machine have passed through from the host machine. That directory is inaccessible to a non-root user (e.g. the default ubuntu user).
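A pre-publish check for the leak described above, as an added example that is not part of the issue or of snapcraft itself: it walks a staged or primed tree (the path is an assumed argument) and lists every entry that a non-root user could not read, or, for directories, search. It assumes a POSIX sh with GNU find(1).

```shell
#!/bin/sh
# Added example, not snapcraft code: find entries in a tree whose mode lacks
# world-read (files and directories) or world-search (directories), which is
# exactly how a restrictive host umask such as 027 shows up inside a snap.

# Print each offending path under $1, one per line, each path at most once.
find_private_entries() {
    tree="$1"
    # -perm -o+r matches only entries that HAVE the other-read bit; negated,
    # it yields the ones missing it. Directories additionally need o+x to be
    # listable, so check that too and merge the two lists.
    {
        find "$tree" ! -perm -o+r -print
        find "$tree" -type d ! -perm -o+x -print
    } | sort -u
}

# Return 0 when the tree is clean and 1 (with a report on stderr) otherwise.
check_tree() {
    bad=$(find_private_entries "$1")
    if [ -n "$bad" ]; then
        printf 'Not world-readable (host umask leaked?):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed tree mimicking cloud/etc/deploy-sunbeam-machine.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d) && chmod 755 "$demo"
    ( umask 027; mkdir -p "$demo/etc/deploy-sunbeam-machine"
      : > "$demo/etc/deploy-sunbeam-machine/main.tf" )
    check_tree "$demo" || echo "leak detected (exit $?)"
    rm -rf "$demo"
fi
```

Running `check_tree` over the `prime/` directory before packing catches the problem on the workstation; the fix the issue asks for belongs in snapcraft's build step, not in the installed snap.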
Compare with repeating the above with the default umask on Ubuntu:
```
# workstation
$ umask 002
$ git clone https://github.com/canonical/snap-openstack
Cloning into 'snap-openstack'...
remote: Enumerating objects: 5943, done.
remote: Counting objects: 100% (5943/5943), done.
remote: Compressing objects: 100% (1673/1673), done.
remote: Total 5943 (delta 4154), reused 5864 (delta 4103), pack-reused 0
Receiving objects: 100% (5943/5943), 1.44 MiB | 1.29 MiB/s, done.
Resolving deltas: 100% (4154/4154), done.
$ stat cloud/etc/deploy-sunbeam-machine
File: cloud/etc/deploy-sunbeam-machine
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 252,1 Inode: 21245537 Links: 2
Access: (0775/drwxrwxr-x) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2024-03-13 10:29:16.866583966 +1030
Modify: 2024-03-13 10:29:16.866583966 +1030
Change: 2024-03-13 10:29:16.866583966 +1030
Birth: 2024-03-13 10:29:16.866583966 +1030
$ snapcraft
Generated snap metadata
Created snap package openstack_2023.2_amd64.snap
$ rsync -av openstack_2023.2_amd64.snap serverstack-sunbeam-0:
sending incremental file list
openstack_2023.2_amd64.snap
sent 37,797,351 bytes received 82,170 bytes 1,097,957.13 bytes/sec
total size is 137,502,720 speedup is 3.63
# target machine
ubuntu@serverstack-sunbeam-0:~$ sudo snap install --dangerous ./openstack_2023.2_amd64.snap
openstack 2023.2 installed
ubuntu@serverstack-sunbeam-0:~$ stat /snap/openstack/x1/etc/deploy-sunbeam-machine/
File: /snap/openstack/x1/etc/deploy-sunbeam-machine/
Size: 77 Blocks: 0 IO Block: 1024 directory
Device: 706h/1798d Inode: 139 Links: 2
Access: (0775/drwxrwxr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-03-13 00:10:45.000000000 +0000
Modify: 2024-03-13 00:10:45.000000000 +0000
Change: 2024-03-13 00:10:45.000000000 +0000
Birth: -
ubuntu@serverstack-sunbeam-0:~$ ls /snap/openstack/x1/etc/deploy-sunbeam-machine/
main.tf variables.tf
```
Also compare with installing from the snap store:
```
ubuntu@serverstack-sunbeam-0:~$ sudo snap install openstack --channel 2023.2/edge
openstack (2023.2/edge) 2023.2 from Canonical✓ installed
ubuntu@serverstack-sunbeam-0:~$ stat /snap/openstack/437/etc/deploy-sunbeam-machine/
File: /snap/openstack/437/etc/deploy-sunbeam-machine/
Size: 77 Blocks: 0 IO Block: 1024 directory
Device: 704h/1796d Inode: 139 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-03-11 08:54:40.000000000 +0000
Modify: 2024-03-11 08:54:40.000000000 +0000
Change: 2024-03-11 08:54:40.000000000 +0000
Birth: -
ubuntu@serverstack-sunbeam-0:~$ ls /snap/openstack/437/etc/deploy-sunbeam-machine/
main.tf variables.tf
```
### Environment
NA
### snapcraft.yaml
```shell
NA
```
### Relevant log output
```shell
NA
```
### Additional context
_No response_