AppImageCrafters / AppRun

AppDir runtime components

Unable to execute binaries with sudo inside AppImage #64

Open spvkgn opened 4 months ago

spvkgn commented 4 months ago

Use this simple AppImageBuilder.yml to build the AppImage with appimage-builder:

version: 1

AppDir:
  path: ./AppDir

  app_info:
    id: org.gnu.bash
    name: bash
    icon: utilities-terminal
    version: 5.0.16
    exec: bin/bash
    exec_args: $@

  apt:
    arch: amd64
    allow_unauthenticated: true
    sources:
      - sourceline: 'deb [arch=amd64] http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse'

    include:
      - bash
      - coreutils
    exclude:
      - libpcre3

AppImage:
  arch: x86_64
  comp: gzip

Check the AppImage is working - OK:

$ ./bash-5.0.16-x86_64.AppImage --version | head -n1
GNU bash, версия 5.0.16(1)-release (x86_64-pc-linux-gnu)

Run the AppImage and execute any binary inside AppImage - OK:

$ $APPDIR/usr/bin/head -n1 /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"

Execute any binary inside AppImage with sudo, for instance, reading /etc/sudoers contents - it fails with error "command not found":

$ $APPDIR/usr/bin/head -n1 /etc/sudoers
/tmp/.mount_bash-582FuSk/usr/bin/head: cannot open '/etc/sudoers' for reading: Permission denied

$ sudo $APPDIR/usr/bin/head -n1 /etc/sudoers
[sudo] password for pavel: 
sudo: /tmp/.mount_bash-582FuSk/usr/bin/head: command not found

probonopd commented 4 months ago

I think it is not possible to use sudo inside AppImages due to how FUSE works; but you can launch the AppImage with sudo.

spvkgn commented 4 months ago

@probonopd I could extract the AppImage via the extract-and-run feature to avoid FUSE limitations, but with this I am unable to use sudo as well:

$ APPIMAGE_EXTRACT_AND_RUN=1 ./bash-5.0.16-x86_64.AppImage
$ sudo $APPDIR/usr/bin/head -n1 /etc/sudoers
sudo: unable to execute /tmp/appimage_extracted_dd6d72343c6dc5f80fba20c2a94f5db5/usr/bin/head: No such file or directory

spvkgn commented 4 months ago

Looks like this bug comes from here - any binary which is outside of AppImage can't run another binary inside the AppImage:

> $APPDIR/bin/bash -c '$APPDIR/usr/bin/head -n1 /etc/os-release'
PRETTY_NAME="Ubuntu 22.04.2 LTS"

> /bin/bash -c '$APPDIR/usr/bin/head -n1 /etc/os-release'
/bin/bash: line 1: /tmp/appimage_extracted_dd6d72343c6dc5f80fba20c2a94f5db5/usr/bin/head: No such file or directory

probonopd commented 4 months ago

I don't think it's a good idea for binaries outside of the AppImage to try to launch binaries inside the mounted AppImage.
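
A diagnostic sketch added here (not code from the thread or from the AppRun project) that checks a binary path for two conditions consistent with the errors above: a FUSE mount without `allow_other`, which the kernel hides from every user except the one who mounted it, root included, and a relative ELF `PT_INTERP`, which the kernel resolves against the caller's working directory. That the AppDir binaries carry a relative interpreter is an assumption the thread does not confirm; the ELF bytes and the mounts line are constructed samples, and the function names are hypothetical.

```python
import os
import struct

PT_INTERP = 3  # program header type that holds the dynamic loader path

def elf_interpreter(data):
    """Return the PT_INTERP string of a 64-bit little-endian ELF image, or None."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def fuse_mount_for(path, mounts_text):
    """Return (mountpoint, options) of the longest FUSE mount containing path."""
    best = None
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[2].startswith("fuse"):
            continue
        inside = (path + "/").startswith(f[1].rstrip("/") + "/")
        if inside and (best is None or len(f[1]) > len(best[0])):
            best = (f[1], f[3].split(","))
    return best

def diagnose(path, elf_bytes, mounts_text):
    """List reasons a process outside the AppImage may fail to exec path."""
    findings = []
    mount = fuse_mount_for(path, mounts_text)
    if mount and "allow_other" not in mount[1]:
        findings.append("fuse-owner-only")  # other users, root included, are denied
    interp = elf_interpreter(elf_bytes)
    if interp and not os.path.isabs(interp):
        findings.append("relative-interp")  # looked up in the caller's cwd: ENOENT
    return findings

# Constructed sample: ELF header, one PT_INTERP header, a relative loader path.
INTERP = b"lib64/ld-linux-x86-64.so.2\0"
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01" + bytes(9)
              + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
              + struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(INTERP), len(INTERP), 1)
              + INTERP)
SAMPLE_MOUNTS = ("bash.AppImage /tmp/.mount_bash-582FuSk fuse.bash.AppImage "
                 "ro,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0\n")  # constructed
if __name__ == "__main__":
    print(diagnose("/tmp/.mount_bash-582FuSk/usr/bin/head", SAMPLE_ELF, SAMPLE_MOUNTS))
```

On a real system, pass the bytes of the binary under `$APPDIR` and the contents of `/proc/mounts`.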