search

IsmaelMartinez / teams-for-linux

Unofficial Microsoft Teams for Linux client
GNU General Public License v3.0
2.97k stars 242 forks source link

setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found #1426

Open fredlubrano opened 2 months ago

fredlubrano commented 2 months ago

Describe the bug After the update to version 1.11.0, there are permission issues with chrome-sandbox

To Reproduce Steps to reproduce the behavior:

sudo apt install ./Downloads/teams-for-linux_1.11.0_amd64.deb

Expected behavior ~ teams-for-linux
[83647:0929/152327.695500:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755. [1] 83647 trace trap (core dumped) teams-for-linux

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

Debug teams-for-linux --webDebug --logConfig='{}' [84087:0929/153335.703258:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755. [1] 84087 trace trap (core dumped) teams-for-linux --webDebug --logConfig='{}'

IMPORTANT: Ensure that you mask any sensitive information before posting the output.

Additional context Resolv sudo chown root:root /opt/teams-for-linux/chrome-sandbox sudo chmod 4755 /opt/teams-for-linux/chrome-sandbox

fredlubrano commented 2 months ago

It also works with teams-for-linux --no-sandbox

damien-louis commented 2 months ago

Same issue after update to 1.11.0

ondrej-simon commented 2 months ago

Thank you, @fredlubrano , I modified my launcher script by appending the --no-sandbox option, so that I can still launch the application from Desktop icon:

cat /usr/share/applications/teams-for-linux.desktop

[Desktop Entry]
Name=Teams for Linux
Exec=/opt/teams-for-linux/teams-for-linux --no-sandbox %U
Terminal=false
Type=Application
Icon=teams-for-linux
StartupWMClass=teams-for-linux
Comment=Unofficial Microsoft Teams client for Linux using Electron. It uses the Web App and wraps it as a standalone application using Electron.
MimeType=x-scheme-handler/msteams;
Categories=Chat;Network;Office;
huxxer commented 2 months ago

Got the same issue after update to 1.11.0

SergeyKhrystenko commented 2 months ago

Got the same issue after update to 1.11.0

IsmaelMartinez commented 2 months ago

This seems to be a electron issue https://github.com/electron/electron/issues/42510

There are a few workarounds in https://github.com/electron-userland/electron-builder/issues/5371#issuecomment-791771150 and other pages, but I will see if I can understand the issue better rather than just apply the "no-sandbox" for all.

moether commented 2 months ago

Seems to be a pure Ubuntu 24.04 issue where apparmor is rejecting the use of unprivileged user namespaces without a corresponding application configuration in /etc/apparmor.d/ which are used by the sandboxing. Details described here: https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts

Sep 30 09:55:49 kernel: audit: type=1400 audit(1727682949.856:664): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=13074 comm="teams-for-linux" requested="userns_create" target="unprivileged_userns"

Sep 30 09:55:49 kernel: audit: type=1400 audit(1727682949.857:665): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=13079 comm="teams-for-linux" capability=21 capname="sys_admin"

This comment describes how to (temporarily) disable the restriction https://github.com/electron/electron/issues/42510#issuecomment-2171583086

But the correct solution probably is to deploy such an apparmor file for Ubuntu 24.04 and up which explicitly allows for unrestricted user NS for the teams-for-linux binary.

KPS-MWT commented 2 months ago

I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox.

teams-for-linux.txt

IsmaelMartinez commented 2 months ago

Reading further, this seems to be an issue with electron-builder, and maybe also electron.

https://github.com/electron-userland/electron-builder/issues/5721 https://github.com/electron-userland/electron-builder/issues/8440 https://github.com/electron/electron/issues/42510

I will keep an eye and see when the fix comes available, but the workaround might be needed for a while.

It does affect pretty much all electron apps, so we I do hope a fix appears soon(ish)

moether commented 1 month ago

I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox.

teams-for-linux.txt

Works like a charm. The profile allows user name spaces for the executable /opt/teams-for-linux/teams-for-linux. teams-for-linux starts with sandboxing enabled.

  1. copy content of teams-for-linux.txt to /etc/apparmor.d/teams-for-linux
  2. reload AppArmor: sudo systemctl reload apparmor.service
  3. Enjoy
NaimadTheOne commented 1 month ago

@KPS-MWT, @moether and @IsmaelMartinez thank you for the quick resolution of this issue. I am proud of this community.

burneystarke commented 1 month ago

I ran chmod 4755 /opt/teams-for-linux/chrome-sandbox and I am all set. Before: image After: image

FabioPedretti commented 1 month ago

It would be nice to integrate one of the workarounds in the package, to make the program usable "out of the box" and even after package upgrades. Thanks!

IsmaelMartinez commented 3 weeks ago

As far as I can understand, most of the current workarounds are to disable sandbox, while the "best" option is to create an apparmour profile to only disable it for the app.

I think https://github.com/electron-userland/electron-builder/issues/8635 should fix this for everything but AppImage that is a bit funny.

This seems to be an Ubuntu decision to tie security permissions, and is affecting all electron apps that I know, so should in theory get fixed soon (I hope) by them.

In the meantime create an apparmour profile as mentioned in https://github.com/IsmaelMartinez/teams-for-linux/issues/1426#issuecomment-2384889316 and that should solve your problem.

In the meantime it should be possible to create an apparmour profile like in https://github.com/gravitational/teleport/pull/43595/files#diff-9fa1aae9168524bdd0a97987f55e4a7ca8b77cd8c8cb47b5cfc33eb4e2a75230 and apply it after install, but I can't unfortunately test this.

atommaki commented 2 weeks ago

I ran into the same issue trying to move from the snap package to the deb one.