I figured this out, but it took me about 2 hours to think of it. I hope that by writing this, you will not need 2 hours to figure it out.

The Symptom

I installed a snap package. I tried to run it. I saw this:

File permission error. Fine!

Try again… and Permission denied again.

I checked the ownership and permissions of every directory in the path of this file. The correct user owned them all; they all allowed read, write, and execute. (Of course, I kept track of all the directories and files for which I did this, because I wanted to undo all that once I figured out what was happening!)

The Problem

I had to give the snap package explicit authority to touch the files on my removable media devices, because…

  • I have two physical drives in my laptop: one for booting and the other for extra storage.
  • I have symbolic links from my boot drive (where /home is located) to most of my data (on /mnt/extra-space), including the files that this snap package was trying to operate on.
  • I installed the tool in question as a snap instead of as a conventional Linux package (or whatever one correctly calls a “non-snap” package).

Even though all the file permissions looked correct on zsh/bash, the snap was not allowed to touch those files, and the resulting Permission denied error looks the same in both cases. Great!

The Solution

I read this as “Please allow the snap named $SNAP_NAME to talk to removable-media”. I consider the word “connect” as out of place here. If I’d known the technical terms involved, then I’d have had better keywords to search for and I’d have spent less than 2 hours figuring all this out.

Why sudo?

This is because you need to prove you have system snap modification rights on your machine. You can put your user in the ultra restricted circle of snap administrators on your system by logging in.

For this, just create a snap account if you don’t have one already on https://login.ubuntu.com/. Take the time to do this, we’ll wait!

“Advanced snap usage”, a tutorial from Ubuntu.

No, thanks. This feels weird to me: authenticating with some server outside my machine in order to establish that I have permission to do something on my machine. Surely I should be able to give myself the necessary authorization without creating an account on some web site somewhere!

devmode! I wouldn’t.

You could install the snap in devmode and move on with your life, but it always makes me nervous when I give a tool more permission than it needs, particularly when I don’t really know what I’m doing. Unintended consequences and all that.

An Explanation

By default, snap confines its packages to only touch your $HOME directory. The snap packages operate by default in a sandbox environment designed to limit damage to your system. I really like this! Since I want this particular snap to write to a directory on my secondary drive, which is mounted somewhere on /mnt, I need to give that snap explicit permission to connect to the removable-media slot.

If you’re not sure which permissions/connections your snap has, then list them this way:

The snap environment connects to some slots automatically, then marks as manual the connections that you create yourself. Clear enough.

I hope this helps you get past your immediate obstacle.

References

Read more at https://ubuntu.com/blog/a-guide-to-snap-permissions-and-interfaces if you have the combination of interest and energy. This guide is slightly out of date already (interfaces have been renamed as connections), but I understood enough.

I found a tutorial that explains more about connections at https://tutorials.ubuntu.com/tutorial/advanced-snap-usage, which I’m reading now. I seem to understand what it tries to explain to me, which makes me feel encouraged. Sadly, this tutorial also refers to interfaces rather than the modern name connections, but the information seems accurate, at least as far as I can tell as a novice.