search

AppImageCrafters / appimage-builder

GNU/Linux packaging solution using the AppImage format
MIT License
308 stars 58 forks source link

"Permission denied" on systems with noexec /tmp #302

Closed boidachenkop closed 1 year ago

boidachenkop commented 1 year ago

Hi, AppImage team! Thank you for project.

I'm trying to run AppImage on Centos 7 with /tmp directory mounted with noexec flag but getting this error:

# ./test.AppImage
APPRUN_ERROR: Permission denied

I use TMPDIR=/path/to/appimage workaround so AppImage is mounted in same directory where I do have rights to execute but it doesn't seem to help in this case.

If I extract AppImage and run ./AppRun it fails with same error:

./test.AppImage --appimage-extract
...
# cd squashfs-root/
# ./AppRun
APPRUN_ERROR: Permission denied

What I discovered is that AppImage itself drops interpreter into /tmp directory and tries to run executable that uses it: strace ./test.AppImage output:

...
access("/tmp/appimage-Hx3FYNh-ld-linux-x86-64.so.2", F_OK) = 0
chmod("/tmp/appimage-Hx3FYNh-ld-linux-x86-64.so.2", 0755) = 0
execve("/path/to/appimage/.mount_//executable", ["/path/to/appimage/.mount"...], 0x94b020 /* 66 vars */) = -1 EACCES (Permission denied)
write(2, "APPRUN_ERROR: Permission denied", 31APPRUN_ERROR: Permission denied) = 31
exit_group(1)                           = ?
+++ exited with 1 +++

I can copy interpreter into squashfs-root and use patchelf to make it work:

# cd  squashfs-root
# cp /tmp/appimage-Hx3FYNh-ld-linux-x86-64.so.2 ./
# patchelf --set-interpreter ./appimage-Hx3FYNh-ld-linux-x86-64.so.2 ./executable
# ./AppRun
(it runs normally)

Is there any way to make it run out-of-box for end-user?

boidachenkop commented 1 year ago

I've been using quite old version of appimage-builder with old AppRun installed from pip. Newer version doesn't have this issue.