Public bug reported:

Context: I am using Palo Alto Networks GlobalProtect to connect to a company VPN. https://www.paloaltonetworks.com/sase/globalprotect. When connecting, it uses SAML-based authentication, and it generates a file in ~/.GlobalProtect/saml.html, and then calls the default browser to view this page. It is an authentication flow similar to the OAuth2 device-flow, and is used when a program lacks the ability to directly interact with a user, but can provide data for the user to authenticate via another device (or in this case, browser).

Expected Results: Firefox will open the link at file:///home/.../.GlobalProtect/saml.html, allow a login, and then complete authentication.

Actual Results: Firefox displays the message “Access to the file was denied”. In order to complete the SAML flow, a non-snap browser is required.

Cause of the Issue: Access to files for the Firefox application is controlled by its interface with snap. By default, snap restricts file access to a sandbox directory, but permissions can be expanded using the personal-files interface: https://snapcraft.io/docs/personal-files-interface. This interface permits access to files in the user’s home directory that begin with a ".". The list of files accessible is controlled by the plug that is defined for the snap that uses a subset of the data accessible via the snap interface. The plug for the firefox snap, named firefox:dot-mozilla-firefox, is defined here: https://github.com/canonical/firefox-snap/blob/stable/snapcraft.yaml#L109. This configuration allows access only to the ~/.mozilla/firefox directory. Because the directory ~/.GlobalProtect is not in this list, access to the file is not permitted, and the SAML authentication flow fails.

Suggested Solution: Add one of the following capabilities to snap.

1. Create an interface to define custom plugs for a snap to add to it after it has already been installed. E.g. create a new plug firefox:dot-global-protect with read: [$HOME/.GlobalProtect].
2. Create an interface to edit existing plugs for a snap. E.g. add a new read entry to the existing plug.
3. In addition to the "personal-files-interface", create a new "user-allowed-files-interface" that users can define, and add a program plug to.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: snapd 2.65.3+22.04
ProcVersionSignature: Ubuntu 5.15.0-125.135-generic 5.15.167
Uname: Linux 5.15.0-125-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: XFCE
Date: Thu Jan 30 14:17:05 2025
InstallationDate: Installed on 2012-12-29 (4414 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: snapd
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2097000

Title:
  Firefox Cannot Access dot-files and Access Cannot Be Altered

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
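
The access decision described under "Cause of the Issue", modeled as an added Python example (not code from the report, from snapd, or from the firefox snap). The plug names and paths come from the report; the dict layout, the read mode on the existing plug, the home directory /home/alice and the purely lexical path matching are assumptions, and real enforcement is done by snapd's confinement, not by code like this.

```python
import posixpath

# Constructed model of the plug the report describes. Plug name and path are
# from the report; the dict layout and the "read" mode are assumptions.
FIREFOX_PLUGS = {
    "dot-mozilla-firefox": {
        "interface": "personal-files",
        "read": ["$HOME/.mozilla/firefox"],
    },
}

# The extra plug proposed in the report's first suggestion (hypothetical).
PROPOSED_PLUGS = dict(FIREFOX_PLUGS, **{
    "dot-global-protect": {
        "interface": "personal-files",
        "read": ["$HOME/.GlobalProtect"],
    },
})


def expand(path, home):
    """Expand $HOME or ~ and collapse '.' and '..' lexically (no symlinks)."""
    if path.startswith("$HOME"):
        path = home + path[len("$HOME"):]
    elif path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)


def covers(granted, target):
    """True if target is the granted path or lies beneath it."""
    return target == granted or target.startswith(granted.rstrip("/") + "/")


def personal_files_access(plugs, target, home):
    """Return (plug name, mode) for the first plug covering target, else None."""
    target = expand(target, home)
    for name, plug in plugs.items():
        if plug.get("interface") != "personal-files":
            continue
        for mode in ("write", "read"):
            for granted in plug.get(mode, []):
                if covers(expand(granted, home), target):
                    return name, mode
    return None


if __name__ == "__main__":
    for plugs in (FIREFOX_PLUGS, PROPOSED_PLUGS):
        print(personal_files_access(plugs, "~/.GlobalProtect/saml.html", "/home/alice"))
```

Normalizing before matching is what keeps a path such as ~/.mozilla/firefox/../../.GlobalProtect/saml.html, or a sibling directory that merely shares the granted prefix, from being treated as covered by the existing plug.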
