ACL for /var/snap/lxd/common/lxd/unix.socket

SeubertE · April 10, 2022, 7:55pm

I’m having issues with the unix.socket of my lxd install. When I run lxc list I get:

seuberte@rainier:~$ lxc list
Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied

I think it might be related to my attempt to back up my LXD to iDrive, I set the ACL of /var/ so that the idrive group on my machine can read the directory.

After restarting the lxd through snap, this is what the file permissions look like:

seuberte@rainier:~$ sudo snap stop lxd
Stopped.
seuberte@rainier:~$ sudo snap start lxd
Started.
seuberte@rainier:~$ sudo ls /var/snap/lxd/common/lxd -lah
total 76K
drwx--x--x+ 17 root root 4.0K Apr 10 12:47 .
drwxr-xr-x+  9 root root 4.0K Apr 10 12:47 ..
drwx------+  4 root root 4.0K Aug  7  2021 backups
drwx------+  4 root root 4.0K Sep 16  2021 cache
drwx--x--x+  2 root root 4.0K Feb  2 02:58 containers
drwx------+  4 root root 4.0K Apr 10 12:47 database
drwx--x--x+  3 root root 4.0K Apr 10 12:47 devices
drwxr-xr-x+  2 root root 4.0K Aug  7  2021 devlxd
drwx------+  2 root root 4.0K Aug  7  2021 disks
drwx------+  2 root root 4.0K Sep 30  2021 images
drwx------+  3 root root 4.0K Apr 10 12:47 logs
drwx--x--x+  3 root root 4.0K Sep 23  2021 networks
srwx------+  1 root root    0 Apr 10 12:47 seccomp.socket
drwx------+  4 root root 4.0K Aug  7  2021 security
-rw-r--r--+  1 root root  765 Aug  7  2021 server.crt
-rw-------+  1 root root  288 Aug  7  2021 server.key
lrwxrwxrwx   1 root root   39 Apr 10 12:12 shmounts -> /var/snap/lxd/common/shmounts/instances
drwx------+  2 root root 4.0K Aug  7  2021 snapshots
drwx--x--x+  3 root root 4.0K Aug  8  2021 storage-pools
srw-r-----+  1 root lxd     0 Apr 10 12:47 unix.socket
drwx--x--x+  2 root root 4.0K Aug 15  2021 virtual-machines
drwx------+  2 root root 4.0K Aug  7  2021 virtual-machines-snapshots
seuberte@rainier:~$ sudo getfacl /var/snap/lxd/common/lxd/unix.socket
getfacl: Removing leading '/' from absolute path names
# file: var/snap/lxd/common/lxd/unix.socket
# owner: root
# group: lxd
user::rw-
group::r-x                      #effective:r--
group:idrive:r-x                #effective:r--
mask::r--
other::---

I’ve tried setting the mask on the ACL to r-x, but after restarting lxd, it reverts to this.

Am I missing something/do something wrong with ACLs? Has anybody got any advice?

Thanks in advanced!