$SNAP_USER_COMMON empty when getent cannot be found in $PATH

This does not appear to break on 25.04 with snapd 2.66.1+25.04:

$ echo '$SNAP/bin/python -c "from charmcraft import env; print(env.get_host_shared_cache_path())"' | PATH=/snap/bin /usr/bin/snap run --shell charmcraft_2
/home/lengau/snap/charmcraft_2/common/cache/charmcraft

Confirmed in a fresh plucky LXD container (started with oracular, ran `do-release-upgrade -d`) that this issue does not occur, but that it does in oracular. In both cases, the snapd revision is 23258.

$ lxc shell plucky
root@plucky:~# echo 'env|grep SNAP_USER' | PATH=/snap/bin /usr/bin/snap run --shell charmcraft
error: snap "charmcraft" is not installed
root@plucky:~# snap install --classic charmcraft
2024-12-03T16:54:52Z INFO Waiting for automatic snapd restart...
charmcraft 3.2.2 from Canonical✓ installed
root@plucky:~# echo 'env|grep SNAP_USER' | PATH=/snap/bin /usr/bin/snap run --shell charmcraft
SNAP_USER_COMMON=/root/snap/charmcraft/common
SNAP_USER_DATA=/root/snap/charmcraft/5303
root@plucky:~# snap version
snap 2.66.1+25.04
snapd 2.66.1+25.04
series 16
ubuntu 25.04
kernel 6.11.0-9-generic

$ lxc shell oracular
root@oracular:~# echo 'env|grep SNAP_USER' | PATH=/snap/bin /usr/bin/snap run --shell charmcraft
2024/12/03 16:56:00.416539 cmd_run.go:1276: WARNING: cannot create user data directory: cannot get the current user: getent could not be executed: exec: "getent": executable file not found in $PATH
2024/12/03 16:56:00.416623 cmd_run.go:1281: WARNING: cannot copy user Xauthority file: cannot get the current user: getentcould not be executed: exec: "getent": executable file not found in $PATH
root@oracular:~# snap version
snap 2.66.1
snapd 2.66.1
series 16
ubuntu 24.10
kernel 6.11.0-9-generic

[1]
The observed behaviour happens anywhere where the snapd snap >= 2.66.1 runs.
As per above examples, the version "snap 2.66.1+25.04" indicates snapd deb is active.

Another way to confirm this is: `SNAPD_DEBUG=1 snap version`
output: `logger.go:99: DEBUG: snap (at "/snap/snapd/current") is older ("2.66.1") than distribution package ("2.66.1+25.04")`

[2]
This change in behavior was introduced into snapd 2.66.1 here: https://github.com/canonical/snapd/pull/13776
The snapd snap is build with tag: `snapdusergo` which picks `osutil/user/user_from_snap.go` (the getent based user lookup) instead of `osutil/user/user.go` (the LDAP based user lookup).

[3]
Execution path for error cmd_run.go:1276: WARNING: cannot create user data directory: cannot get the current user: getent could not be executed: exec: "getent": executable file not found in $PATH":

https://github.com/canonical/snapd/blob/master/cmd/snap/cmd_run.go#L1275 ->
https://github.com/canonical/snapd/blob/master/cmd/snap/cmd_run.go#L394 ->
https://github.com/canonical/snapd/blob/master/osutil/user/user_from_snap.go#L42 ->
https://github.com/canonical/snapd/blob/master/osutil/user/getent.go#L179 ->
https://github.com/canonical/snapd/blob/master/osutil/user/getent.go#L61 ->
https://github.com/canonical/snapd/blob/master/osutil/user/getent.go#L33 ->
https://cs.opensource.google/go/go/+/master:src/os/exec/lp_unix.go;l=81?q=%22executable%20file%20not%20found%20in%22&ss=go%2Fgo

This happens in the snap run context, BEFORE snap calls snap-confine, and before any interaction with env passed on to snap confine. https://github.com/canonical/snapd/blob/master/cmd/snap/cmd_run.go#L1354

Also, snap-confine, itself will reset $PATH to ensure it is what it should be, and not externally manipulated: https://github.com/canonical/snapd/blob/master/cmd/snap-confine/snap-confine.c#L887

[4]
CONCLUSION:
The problem is that the $PATH provided to `snap run`, `PATH=/snap/bin`, is used by
https://github.com/canonical/snapd/blob/master/cmd/snap/cmd_run.go#L1275 and getent cannot be found by exec.Command() that looks at $PATH

Removing `PATH=` works always:

echo 'env|grep SNAP_USER' | /usr/bin/snap run --shell charmcraft

echo '$SNAP/bin/python -c "from charmcraft import env; print(env.get_host_shared_cache_path())"' | /usr/bin/snap run --shell charmcraft

Why specify `PATH=/snap/bin` ??

Thanks for the great additional details Ernest!

[1]: Thanks for the explanation - switching to the beta channel (2.67) let me reproduce this on plucky.
[2]: That makes sense, though the loss of SNAP_USER_COMMON is surprising to users of snapd
[3]: Perhaps that PATH could be used as a fallback if getent can't be found on the provided PATH?
[4]:
In answer to your question about why specify PATH, the example of `PATH=/snap/bin` is just to illustrate a PATH that won't contain getent. The original place where this was found (https://github.com/canonical/operator-workflows/issues/496) was resetting the environment and leaving PATH unset, which results in no SNAP_USER_COMMON environment variable.

I'm uncertain about correctness guarantees of SNAP_USER_COMMON before the PR #13776, but in snapd 2.63 at least, SNAP_USER_COMMON is set to a user-writable directory. After this PR, SNAP_USER_COMMON is unset, causing unexpected behaviour with the given apps definition in charmcraft's snap.yaml (irrelevant parts excluded):

apps:
  charmcraft:
    command: bin/python3 -u $SNAP/bin/charmcraft
    environment:
      XDG_CACHE_HOME: $SNAP_USER_COMMON/cache

Here Charmcraft is detecting the cache directory in a snap-agnostic manner (specifically using the platformdirs package for Python, which looks up the XDG_CACHE_HOME environment variable if it is set). Because snap doesn't set SNAP_USER_COMMON, when setting up the app this configuration also causes it to set XDG_CACHE_HOME to /cache before launching the application.

The documentation (https://snapcraft.io/docs/environment-variables#heading--snap-user-common) implies that SNAP_USER_COMMON will always be available. Even changing charmcraft's snap.yaml as follows:

apps:
  charmcraft:
    command: bin/python3 -u $SNAP/bin/charmcraft
    environment:
      XDG_CACHE_HOME: ${SNAP_USER_COMMON:-$HOME/snap/charmcraft/common}/cache
      BOOP: ${BOOPITY_BOOP:-default}

results the same XDG_CACHE_HOME and an empty BOOP environment variable, so we also don't (AFAIK) have a way to have XDG_CACHE_HOME fall back to a safe default.

A simpler reproducer (though with a strictly confined snap rather than classic - not that I think that's relevant to this bug) is:

echo 'echo $SNAP_USER_COMMON' | PATH= /usr/bin/snap run --shell hello

[4] Understood thanks.

We are working/thinking on solution avoid a bad PATH affecting snap run in any way, should be pretty simple.

What I further take from your point, is the we should also reconsider if it is correct, in principle, to only log a warning if user directories cannot be created as we currently do: https://github.com/canonical/snapd/blob/master/cmd/snap/cmd_run.go#L1276

Please confirm that this issue can be worked around by avoiding empty $PATH in the test where the issue was original discovered?

Fixed here: https://github.com/canonical/snapd/pull/14792

We plan to release this fix as part of snapd 2.67.1

Merged https://github.com/canonical/snapd/pull/14792

Confirmed this is working in 2.67.1 on the beta channel. Thanks!

Hello Alex, or anyone else affected,

Accepted snapd into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.67.1+24.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Alex, or anyone else affected,

Accepted snapd into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.67.1+24.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Alex, or anyone else affected,

Accepted snapd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.67.1+22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Alex, or anyone else affected,

Accepted snapd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.67.1+20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi Andreas,

In this case the issue is specific to snapd installed as a snap, so it shouldn't be relevant to the proposed versions. However, I just checked in both jammy and noble containers and the deb-installed version from proposed still behaves as expected so there was no reversion in the behaviour.

Thanks,

Alex

root@maximum-bonefish:~# snap --version
snap 2.67.1+22.04
snapd 2.67.1+22.04
series 16
ubuntu 22.04
kernel 6.12.0-15-generic
root@maximum-bonefish:~# snap install charmcraft --channel=2.x --classic
2025-02-13T00:18:52Z INFO Waiting for automatic snapd restart...
charmcraft (2.x/stable) 2.7.3 from Canonical✓ installed
root@maximum-bonefish:~# echo '$SNAP/bin/python -c "from charmcraft import env; print(env.get_host_shared_cache_path())"' |PATH=/snap/bin /usr/bin/snap run --shell charmcraft
/root/snap/charmcraft/common/cache/charmcraft
root@maximum-bonefish:~#

root@diverse-hog:~# snap install --classic charmcraft --channel=2.x
2025-02-13T00:24:04Z INFO Waiting for automatic snapd restart...
charmcraft (2.x/stable) 2.7.3 from Canonical✓ installed
root@diverse-hog:~# snap --version
snap 2.67.1+24.04
snapd 2.67.1+24.04
series 16
ubuntu 24.04
kernel 6.12.0-15-generic
root@diverse-hog:~# echo '$SNAP/bin/python -c "from charmcraft import env; print(env.get_host_shared_cache_path())"' | PATH=/snap/bin /usr/bin/snap run --shell charmcraft
/root/snap/charmcraft/common/cache/charmcraft
root@diverse-hog:~#

All autopkgtests for the newly accepted snapd (2.67.1+22.04) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/26.1.3-0ubuntu1~22.04.1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted snapd (2.67.1+20.04) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

samba/2:4.15.13+dfsg-0ubuntu0.20.04.8 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted snapd (2.67.1+24.04) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

samba/2:4.19.5+dfsg-4ubuntu9 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

autopkgtests are clear on focal, jammy, noble, oracular.

> However, I just checked in both jammy and noble containers and the deb-installed version from proposed
> still behaves as expected so there was no reversion in the behaviour.

I understand it only affects the snap snapd, but since you did the above check, could you please also do it for focal and oracular? If all looks good, feel free to flip the verification tags to done, as instructed by comment #15. Thanks!

Tested on Focal
---------------

snap version
snap 2.67.1+20.04
snapd 2.67.1+20.04
series 16
ubuntu 20.04
kernel 5.4.0-205-generic

sudo snap install charmcraft --channel=2.x --classic
charmcraft (2.x/stable) 2.7.5 from Canonical✓ installed

ubuntu@electric-oilbird:/etc/apt$ echo '$SNAP/bin/python -c "from charmcraft import env; print(env.get_host_shared_cache_path())"' |PATH=/snap/bin /usr/bin/snap run --shell charmcraft
/home/ubuntu/snap/charmcraft/common/cache/charmcraft
ubuntu@electric-oilbird:/etc/apt$

Result: PASS

Tested on Oracular
------------------

snap version
snap 2.67.1+24.10
snapd 2.67.1+24.10
series 16
ubuntu 24.10
kernel 6.11.0-18-generic

sudo snap install charmcraft --channel=2.x --classic
2025-02-28T07:21:10Z INFO Waiting for automatic snapd restart...
charmcraft (2.x/stable) 2.7.5 from Canonical✓ installed

ubuntu@versed-agama:~$ echo '$SNAP/bin/python -c "from charmcraft import env; print(env.get_host_shared_cache_path())"' | PATH=/snap/bin /usr/bin/snap run --shell charmcraft
/home/ubuntu/snap/charmcraft/common/cache/charmcraft
ubuntu@versed-agama:~$

Result: PASS

This bug was fixed in the package snapd - 2.67.1+24.10

---------------
snapd (2.67.1+24.10) oracular; urgency=medium

  * New upstream release, LP: #2089691
    - Fix apparmor permissions to allow snaps access to kernel modules
      and firmware on UC24, which also fixes the kernel-modules-control
      interface on UC24
    - AppArmor prompting (experimental): disallow /./ and /../ in path
      patterns
    - LP: #2090938 Fix 'snap run' getent based user lookup in case of bad PATH
    - Fix snapd using the incorrect AppArmor version during undo of an
      refresh for regenerating snap profiles
    - Add new syscalls to base templates
    - hardware-observe interface: allow riscv_hwprobe syscall
    - mount-observe interface: allow listmount and statmount syscalls

snapd (2.67+24.10) oracular; urgency=medium

    - AppArmor prompting (experimental): allow overlapping rules
    - Registry view (experimental): Changes to registry data (from both
      users and snaps) can be validated and saved by custodian snaps
    - Registry view (experimental): Support 'snapctl get --pristine' to
      read the registry data excluding staged transaction changes
    - Registry view (experimental): Put registry commands behind
      experimental feature flag
    - Components: Make modules shipped/created by kernel-modules
      components available right after reboot
    - Components: Add tab completion for local component files
    - Components: Allow installing snaps and components from local files
      jointly on the CLI
    - Components: Allow 'snapctl model' command for gadget and kernel
      snaps
    - Components: Add 'snap components' command
    - Components: Bug fixes
    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for
      eMMC schema
    - Support for ephemeral recovery mode on hybrid systems
    - Support for dm-verity options in snap-bootstrap
    - Support for overlayfs options and allow empty what argument for
      tmpfs
    - Enable ubuntu-image to determine the size of the disk image to
      create
    - Expose 'snap debug' commands 'validate-seed' and 'seeding'
    - Add debug API option to use dedicated snap socket /run/snapd-
      snap.socket
    - Hide experimental features that are no longer required
      (accepted/rejected)
    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run
      and factory-reset
    - Improve memory controller support with cgroup v2
    - Support ssh socket activation configurations (used by ubuntu
      22.10+)
    - Fix generation of AppArmor profile with incorrect revision during
      multi snap refresh
    - LP: #2084730 Fix refresh app awareness related deadlock edge case
    - Fix not caching delta updated snap download
    - Fix passing non root uid, guid to initial tmpfs mount
    - Fix ignoring snaps in try mode when amending
    - LP: #2083961 Fix reloading of service activation units to avoid systemd errors
    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS
      updates PPA
    - Make killing of snap apps best effort to avoid possibility of
      malicious failure loop
    - Alleviate impact of auto-refresh failure loop with progress...

The verification of the Stable Release Update for snapd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package snapd - 2.67.1+24.04

---------------
snapd (2.67.1+24.04) noble; urgency=medium

  * New upstream release, LP: #2089691
    - Fix apparmor permissions to allow snaps access to kernel modules
      and firmware on UC24, which also fixes the kernel-modules-control
      interface on UC24
    - AppArmor prompting (experimental): disallow /./ and /../ in path
      patterns
    - LP: #2090938 Fix 'snap run' getent based user lookup in case of bad PATH
    - Fix snapd using the incorrect AppArmor version during undo of an
      refresh for regenerating snap profiles
    - Add new syscalls to base templates
    - hardware-observe interface: allow riscv_hwprobe syscall
    - mount-observe interface: allow listmount and statmount syscalls

snapd (2.67+24.04) noble; urgency=medium

    - AppArmor prompting (experimental): allow overlapping rules
    - Registry view (experimental): Changes to registry data (from both
      users and snaps) can be validated and saved by custodian snaps
    - Registry view (experimental): Support 'snapctl get --pristine' to
      read the registry data excluding staged transaction changes
    - Registry view (experimental): Put registry commands behind
      experimental feature flag
    - Components: Make modules shipped/created by kernel-modules
      components available right after reboot
    - Components: Add tab completion for local component files
    - Components: Allow installing snaps and components from local files
      jointly on the CLI
    - Components: Allow 'snapctl model' command for gadget and kernel
      snaps
    - Components: Add 'snap components' command
    - Components: Bug fixes
    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for
      eMMC schema
    - Support for ephemeral recovery mode on hybrid systems
    - Support for dm-verity options in snap-bootstrap
    - Support for overlayfs options and allow empty what argument for
      tmpfs
    - Enable ubuntu-image to determine the size of the disk image to
      create
    - Expose 'snap debug' commands 'validate-seed' and 'seeding'
    - Add debug API option to use dedicated snap socket /run/snapd-
      snap.socket
    - Hide experimental features that are no longer required
      (accepted/rejected)
    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run
      and factory-reset
    - Improve memory controller support with cgroup v2
    - Support ssh socket activation configurations (used by ubuntu
      22.10+)
    - Fix generation of AppArmor profile with incorrect revision during
      multi snap refresh
    - LP: #2084730 Fix refresh app awareness related deadlock edge case
    - Fix not caching delta updated snap download
    - Fix passing non root uid, guid to initial tmpfs mount
    - Fix ignoring snaps in try mode when amending
    - LP: #2083961 Fix reloading of service activation units to avoid systemd errors
    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS
      updates PPA
    - Make killing of snap apps best effort to avoid possibility of
      malicious failure loop
    - Alleviate impact of auto-refresh failure loop with progressive
  ...

This bug was fixed in the package snapd - 2.67.1+22.04

---------------
snapd (2.67.1+22.04) jammy; urgency=medium

  * New upstream release, LP: #2089691
    - Fix apparmor permissions to allow snaps access to kernel modules
      and firmware on UC24, which also fixes the kernel-modules-control
      interface on UC24
    - AppArmor prompting (experimental): disallow /./ and /../ in path
      patterns
    - LP: #2090938 Fix 'snap run' getent based user lookup in case of bad PATH
    - Fix snapd using the incorrect AppArmor version during undo of an
      refresh for regenerating snap profiles
    - Add new syscalls to base templates
    - hardware-observe interface: allow riscv_hwprobe syscall
    - mount-observe interface: allow listmount and statmount syscalls

snapd (2.67+22.04) jammy; urgency=medium

    - AppArmor prompting (experimental): allow overlapping rules
    - Registry view (experimental): Changes to registry data (from both
      users and snaps) can be validated and saved by custodian snaps
    - Registry view (experimental): Support 'snapctl get --pristine' to
      read the registry data excluding staged transaction changes
    - Registry view (experimental): Put registry commands behind
      experimental feature flag
    - Components: Make modules shipped/created by kernel-modules
      components available right after reboot
    - Components: Add tab completion for local component files
    - Components: Allow installing snaps and components from local files
      jointly on the CLI
    - Components: Allow 'snapctl model' command for gadget and kernel
      snaps
    - Components: Add 'snap components' command
    - Components: Bug fixes
    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for
      eMMC schema
    - Support for ephemeral recovery mode on hybrid systems
    - Support for dm-verity options in snap-bootstrap
    - Support for overlayfs options and allow empty what argument for
      tmpfs
    - Enable ubuntu-image to determine the size of the disk image to
      create
    - Expose 'snap debug' commands 'validate-seed' and 'seeding'
    - Add debug API option to use dedicated snap socket /run/snapd-
      snap.socket
    - Hide experimental features that are no longer required
      (accepted/rejected)
    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run
      and factory-reset
    - Improve memory controller support with cgroup v2
    - Support ssh socket activation configurations (used by ubuntu
      22.10+)
    - Fix generation of AppArmor profile with incorrect revision during
      multi snap refresh
    - LP: #2084730 Fix refresh app awareness related deadlock edge case
    - Fix not caching delta updated snap download
    - Fix passing non root uid, guid to initial tmpfs mount
    - Fix ignoring snaps in try mode when amending
    - LP: #2083961 Fix reloading of service activation units to avoid systemd errors
    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS
      updates PPA
    - Make killing of snap apps best effort to avoid possibility of
      malicious failure loop
    - Alleviate impact of auto-refresh failure loop with progressive
  ...

This bug was fixed in the package snapd - 2.67.1+20.04

---------------
snapd (2.67.1+20.04) focal; urgency=medium

  * New upstream release, LP: #2089691
    - Fix apparmor permissions to allow snaps access to kernel modules
      and firmware on UC24, which also fixes the kernel-modules-control
      interface on UC24
    - AppArmor prompting (experimental): disallow /./ and /../ in path
      patterns
    - LP: #2090938 Fix 'snap run' getent based user lookup in case of bad PATH
    - Fix snapd using the incorrect AppArmor version during undo of an
      refresh for regenerating snap profiles
    - Add new syscalls to base templates
    - hardware-observe interface: allow riscv_hwprobe syscall
    - mount-observe interface: allow listmount and statmount syscalls

snapd (2.67+20.04) focal; urgency=medium

    - AppArmor prompting (experimental): allow overlapping rules
    - Registry view (experimental): Changes to registry data (from both
      users and snaps) can be validated and saved by custodian snaps
    - Registry view (experimental): Support 'snapctl get --pristine' to
      read the registry data excluding staged transaction changes
    - Registry view (experimental): Put registry commands behind
      experimental feature flag
    - Components: Make modules shipped/created by kernel-modules
      components available right after reboot
    - Components: Add tab completion for local component files
    - Components: Allow installing snaps and components from local files
      jointly on the CLI
    - Components: Allow 'snapctl model' command for gadget and kernel
      snaps
    - Components: Add 'snap components' command
    - Components: Bug fixes
    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for
      eMMC schema
    - Support for ephemeral recovery mode on hybrid systems
    - Support for dm-verity options in snap-bootstrap
    - Support for overlayfs options and allow empty what argument for
      tmpfs
    - Enable ubuntu-image to determine the size of the disk image to
      create
    - Expose 'snap debug' commands 'validate-seed' and 'seeding'
    - Add debug API option to use dedicated snap socket /run/snapd-
      snap.socket
    - Hide experimental features that are no longer required
      (accepted/rejected)
    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run
      and factory-reset
    - Improve memory controller support with cgroup v2
    - Support ssh socket activation configurations (used by ubuntu
      22.10+)
    - Fix generation of AppArmor profile with incorrect revision during
      multi snap refresh
    - LP: #2084730 Fix refresh app awareness related deadlock edge case
    - Fix not caching delta updated snap download
    - Fix passing non root uid, guid to initial tmpfs mount
    - Fix ignoring snaps in try mode when amending
    - LP: #2083961 Fix reloading of service activation units to avoid systemd errors
    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS
      updates PPA
    - Make killing of snap apps best effort to avoid possibility of
      malicious failure loop
    - Alleviate impact of auto-refresh failure loop with progressive
  ...