Snap applications fail under NoNewPriv-enforced environments (certbot case)
Issue body
### Bug Description
Snap applications, such as certbot, fail when executed in privileged environments where the `NoNewPriv` bit is set. The error is a PermissionError during system-level file operations like os.chown().
Do you manage the `NoNewPriv` feature? (Is it even possible to manage it within a snap?)
### To Reproduce
1. Install the RootAsRole `dosr` tool (Rust): https://github.com/LeChatP/RootAsRole?tab=readme-ov-file#install-steps
   It should configure a Role with a task that performs a setuid/gid to root, activates the NoNewPriv bit, and gives every capability except `CAP_LINUX_IMMUTABLE` (this is to prevent people from editing the security policy).
1. Install certbot snap
1. Try to renew a certificate
I think these steps are quite overkill with the certbot snap; you could replace it with software that performs a chown operation or another privileged syscall instead.
Otherwise, if you want to test some hardened environments for snap execution, feel free to test them with `dosr` and its RootAsRole policy 😉
### Environment
I'm on Debian 11 ARM, using the system-distributed package with everything configured by default.
### snapcraft.yaml
```yaml
https://github.com/certbot/certbot/blob/main/snap/snapcraft.yaml
```
### Relevant log output
```shell
Failed to renew certificate tamriel.ebilloir.fr with error: [Errno 1] Operation not permitted: '/etc/letsencrypt/archive/<REDACTED>/privkey1.pem'
Traceback was:
Traceback (most recent call last):
  File "/snap/certbot/4738/lib/python3.12/site-packages/certbot/_internal/renewal.py", line 639, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/snap/certbot/4738/lib/python3.12/site-packages/certbot/_internal/main.py", line 1535, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4738/lib/python3.12/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/certbot/4738/lib/python3.12/site-packages/certbot/_internal/renewal.py", line 499, in renew_cert
    lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
  File "/snap/certbot/4738/lib/python3.12/site-packages/certbot/_internal/storage.py", line 1158, in save_successor
    filesystem.copy_ownership_and_apply_mode(
  File "/snap/certbot/4738/lib/python3.12/site-packages/certbot/compat/filesystem.py", line 125, in copy_ownership_and_apply_mode
    os.chown(dst, user_id, group_id)
PermissionError: [Errno 1] Operation not permitted: '/etc/letsencrypt/archive/<REDACTED>/privkey1.pem'
```
The most important part here is the `os.chown()`...
### Additional context
Maybe it's specific to `certbot`, but I really doubt it, since I don't see anything about any privilege management stuff in their source code.
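A diagnostic for the smaller reproducer the report suggests, added here as an example and not part of the original issue, certbot, snapd or RootAsRole: it records the process's `NoNewPrivs`, seccomp, `CAP_CHOWN` and LSM-label state and then attempts the `os.chown()` call from the traceback on a throwaway file, so the same script can be compared inside and outside snap confinement. The function names and `SAMPLE_STATUS` are constructed for illustration; target uid/gid 1 is an arbitrary assumption.

```python
import errno
import os
import tempfile

CAP_CHOWN = 0  # bit index of CAP_CHOWN in the capability masks (linux/capability.h)

# Constructed sample of /proc/<pid>/status lines (not taken from the report):
# every capability except CAP_LINUX_IMMUTABLE (bit 9), NoNewPrivs set, seccomp filter.
SAMPLE_STATUS = """Name:\tpython3
Uid:\t0\t0\t0\t0
CapEff:\t000001fffffffdff
NoNewPrivs:\t1
Seccomp:\t2
"""

def parse_status(text):
    """Extract the fields that decide whether a privileged syscall can succeed."""
    fields = dict(line.split(":\t", 1) for line in text.splitlines() if ":\t" in line)
    cap_eff = int(fields.get("CapEff", "0"), 16)
    return {
        "euid": int(fields["Uid"].split()[1]),            # real, effective, saved, fs
        "no_new_privs": fields.get("NoNewPrivs") == "1",  # field exists since Linux 4.10
        "seccomp_mode": int(fields.get("Seccomp", "0")),  # 0 off, 1 strict, 2 filter
        "cap_chown": bool((cap_eff >> CAP_CHOWN) & 1),
    }

def probe_chown(uid=1, gid=1):
    """Try the call that fails in the traceback, on a throwaway file."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chown(path, uid, gid)
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        os.unlink(path)

def report():
    """Collect the live state of this process plus the chown probe result."""
    with open("/proc/self/status") as fh:
        state = parse_status(fh.read())
    try:
        with open("/proc/self/attr/current") as fh:
            state["lsm_label"] = fh.read().strip("\x00\n")  # e.g. the AppArmor profile
    except OSError:
        state["lsm_label"] = "unavailable"
    state["chown_result"] = probe_chown()
    return state

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

If `chown_result` is `EPERM` while `euid` is 0 and `cap_chown` is true, the denial comes from a layer other than plain capability checks, and `seccomp_mode` and `lsm_label` show which confinement was active at that moment.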