ipfs add cannot add files owned by other users

[jl6]

Version information:

go-ipfs version: 0.7.0-ea77213e3
Repo version: 10
System version: amd64/linux
Golang version: go1.14.9

Description:

$ ipfs add ptest.pdf 
Error: open ptest.pdf: permission denied

ptest.pdf is a file with -rw-rw-r-- permissions, but owned by a different user than the user executing the command.

ptest.pdf can definitely be read by the current user - tested by using sha256sum to hash it.

The command succeeds with a copy of the file in the same directory that has identical permissions but is owned by the user executing the command.

I believe the ownership of the file should not be a barrier to adding it to ipfs, provided the file can be read by the current user, although I'm happy to have this belief corrected if there is somewhere in the documentation that explains why.

[welcome]

Thank you for submitting your first issue to this repository! A maintainer will be here shortly to triage and review.
In the meantime, please double-check that you have provided all the necessary information to make this process easy! Any information that can help save additional round trips is useful! We currently aim to give initial feedback within two business days. If this does not happen, feel free to leave a comment.
Please keep an eye on how this issue will be labeled, as labels give an overview of priorities, assignments and additional actions requested by the maintainers:

• "Priority" labels will show how urgent this is for the team.
• "Status" labels will show if this is ready to be worked on, blocked, or in progress.
• "Need" labels will indicate if additional input or analysis is required.

Finally, remember to use https://discuss.ipfs.io if you just need general support.

[gammazero]

@jl6 ipfs should not have this restriction. Is it possible that you are running SELinux and this is a result of a security policy? To check the status of SELinux, run: sestatus. If SELinux is enabled, you can temporarily disable it by running: setenforce 0. Then, see if that resolves the problem with adding the file to ipfs.

Another thing you can try is to read the file from stdin:

ipfs add < ptest.pdf

[jl6]

@gammazero I'm not running selinux:

$ sestatus

Command 'sestatus' not found, but can be installed with:

apt install policycoreutils
Please ask your administrator.

Feeding the file to ipfs on stdin, as you suggest, works.

I can get a different error if I try adding a file which isn't owned by the current user and additionally is in a directory which isn't owned by the current user:

$ ipfs add /var/www/html/favicon.ico 
Error: lstat /var/www/html/favicon.ico: no such file or directory

That file is still readable by other programs:

$ ll /var/www/html/favicon.ico 
-rw-rw-r-- 1 ubuntu ubuntu 210 Jan 10 11:01 /var/www/html/favicon.ico

$ sha256sum /var/www/html/favicon.ico 
8edaf7438d423d347533065676390e8f778c1f7f8ecc24b06f8a200a993821f1  /var/www/html/favicon.ico

[gammazero]

Does the ipfs executable have setuid permission bit set? If so, and the owner of ipfs does not have execute permission for the directory that the data file is in, this could happen. Check the permissions of ipfs:

ls -l $(which ipfs)
-rwsrwxr-x 2 user1 user1 59795936 Jan 18 11:51 /usr/local/bin/ipfs*

-rwsrwxr-x
___ ↑
If you see s in the permissions, then setuid is set. You can remove setuid, or adjust directory permissions to fix.

[jl6]

Sadly not:

$ ls -l $(which ipfs)
lrwxrwxrwx 1 root root 13 Jan 20 10:51 /snap/bin/ipfs -> /usr/bin/snap
$ ls -l /usr/bin/snap
-rwxr-xr-x 1 root root 19399272 Nov 19 16:51 /usr/bin/snap

[gammazero]

@jl6 OK, I see the problem. You installed ipfs using snap.

Snap packages have "confinement" which is either "strict" or "classic". You installed ipfs as a snap which was packaged as "strict". Strictly confined snaps run in complete isolation, up to a minimal access level that’s deemed always safe. Consequently, strictly confined snaps can not access your files, network, processes or any other system resource without requesting specific access via an interface,

You have a few choices here:

• Work around your issue by reading data from stdin
• Configure a snap interface to allow access
• Uninstall ipfs and reinstall the snap passing the --classic flag
• Uninstall ipfs snap and install ipfs without package manager

[jl6]

That's it - thanks @gammazero