AppImageCrafters / AppRun

AppDir runtime components
MIT License

AppRun sets up permissions for interpreters in /tmp in a way that only one user can use a given AppImage bundle #32

Closed marcinsulikowski closed 3 years ago

marcinsulikowski commented 3 years ago

Summary

After an AppImage bundle that uses AppRun is executed by some user (e.g., root), other users cannot execute it until the machine is rebooted due to permissions for ELF interpreters in /tmp/appimage-* (typically, /tmp/appimage-*-ld-linux-x86-64.so.2).

Steps to reproduce

Run an AppImage bundle as root:

user@machine:~$ sudo ./SomeApp.AppImage

Then run the same bundle again as a regular user:

user@machine:~$ ./SomeApp.AppImage

Expected behavior

It runs

Actual behavior

user@machine:~$ ./SomeApp.AppImage
APPRUN_ERROR: Permission denied

EACCES comes from execv which fails due to lack of permissions to read /tmp/appimage-<UUID>-ld-linux-x86-64.so.2.

Notes

AppRun stores ELF interpreters in /tmp with 0770 permissions:

https://github.com/AppImageCrafters/AppRun/blob/04338c189d179777ed55c9d7c9c7c4f50d6b20fb/src/apprun/runtime_interpreter.c#L237

These files are not removed unless the machine is rebooted (which typically clears /tmp). As a result, only one user can use a given AppImage bundle on a given machine.

If there's no security risk in allowing all users to read the interpreters, the permissions should be more open (like 0755). If we believe that the files should be readable only by the user who creates them, then things are a bit more difficult...
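
The permission failure described in the report above, as an added example that is not part of the original issue or of AppRun's code: a C model of the classic Unix mode-bit check, showing why an interpreter created with 0770 by one user cannot be used by another, while 0755 can. The uid/gid values and the function names `mode_allows` and `interp_usable_by` are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Classic Unix mode-bit check: exactly one class (owner, group or other)
 * applies, chosen in that order. `need` is an rwx triple such as 05 (r-x).
 * Supplementary groups, ACLs and LSMs are ignored (assumption). */
static int mode_allows(mode_t mode, uid_t f_uid, gid_t f_gid,
                       uid_t uid, gid_t gid, unsigned need)
{
    unsigned bits;
    if (uid == 0)   /* root bypasses r/w; exec needs at least one x bit */
        return !(need & 01) || (mode & 0111) != 0;
    if (uid == f_uid)
        bits = (mode >> 6) & 07;
    else if (gid == f_gid)
        bits = (mode >> 3) & 07;
    else
        bits = mode & 07;
    return (bits & need) == need;
}

/* Apply the check to a real file such as an interpreter under /tmp.
 * Returns 1 if allowed, 0 if denied, -1 if stat() fails. */
static int interp_usable_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gid, 05);
}

int main(int argc, char **argv)
{
    /* Constructed scenario from the report: root (0:0) ran the bundle first,
     * then a regular user (1000:1000, assumed ids) tries to run it. */
    printf("0770 root-owned, uid 1000: %s\n",
           mode_allows(0770, 0, 0, 1000, 1000, 05) ? "ok" : "EACCES");
    printf("0755 root-owned, uid 1000: %s\n",
           mode_allows(0755, 0, 0, 1000, 1000, 05) ? "ok" : "EACCES");
    /* Reverse order: a regular user ran it first, root second. */
    printf("0770 uid-1000-owned, root: %s\n",
           mode_allows(0770, 1000, 1000, 0, 0, 05) ? "ok" : "EACCES");
    if (argc > 1)
        printf("%s for uid 1000: %d\n", argv[1],
               interp_usable_by(argv[1], 1000, 1000));
    return 0;
}
```

Passing the path of a leftover interpreter file as the first argument reports whether uid 1000 could read and execute it under the same model.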

azubieta commented 3 years ago

Please test using the binaries from the latest continuous build. Feel free to re-open if the issue persists.

marcinsulikowski commented 3 years ago

After adding the following to my recipe:

  runtime:
    version: "continuous"

to use the latest runtime, the created AppImage bundle works as expected. Thank you!