LizardByte / Sunshine

Self-hosted game stream host for Moonlight.
http://app.lizardbyte.dev/Sunshine/
GNU General Public License v3.0

Appimage release: '--install' fails to set caps due to fuse-mount permissions #3252

Open v-evets opened 1 month ago

v-evets commented 1 month ago

Is there an existing issue for this?

Is your issue described in the documentation?

Is your issue present in the latest beta/pre-release?

This issue is present in the latest pre-release

Describe the Bug

Following the documentation WRT the latest prerelease appimage:

$ ./sunshine.AppImage --install
Password:
KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"
KERNEL=="uhid", TAG+="uaccess"
Failed to set capabilities on file '/tmp/.mount_sunshiH3L3t0/usr/bin/sunshine-v2024.930.214046': Permission denied

Appimage fuse mounts do not allow other users by default, and that includes root.

$ sudo ./sunshine.AppImage --install
KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"
KERNEL=="uhid", TAG+="uaccess"
Failed to set capabilities on file '/tmp/.mount_sunshiCkDmP5/usr/bin/sunshine-v2024.930.214046': Read-only file system

Appimage fuse mounts are read-only, because appimage is a squashfs. Nobody actually tested any of this, did they?

Expected Behavior

Installation steps in the documentation work as described for the appimage release. (./sunshine.AppImage --install, sudo setcap cap_sys_admin+p $(readlink -f $(which sunshine)))

Additional Context

Bonus bug, while filling out this report: '/tmp/.mount_sunshivHk1IP/usr/bin/sunshine-v2024.930.214046 --help' says: '--version | print the version of sunshine'

'/tmp/.mount_sunshivHk1IP/usr/bin/sunshine-v2024.930.214046 --version' says: ...Several things, none of which is the version number.

Host Operating System

Linux

Operating System Version

Gentoo Linux 2.15

Architecture

64 bit

Sunshine commit or version

2024.930.214046

Package

Linux - AppImage

GPU Type

AMD

GPU Model

RX 6700 XT

GPU Driver/Mesa Version

24.1.7

Capture Method

KMS (Linux)

Config

fps = [10,30,60,75]
resolutions = [
    352x240,
    480x360,
    858x480,
    1280x720,
    1920x1080
]
capture = kms
channels = 2
back_button_timeout = 1000
min_log_level = 3
origin_web_ui_allowed = pc
encoder = vaapi

Apps

No response

Relevant log output

Irrelevant, issue pertains to installation.

ReenigneArcher commented 1 month ago

This is a known issue, although I don't think it was in our bug tracker. Thanks for reporting.

Unfortunately I don't know how to fix. This was one idea, but I don't think it's the right approach. https://github.com/LizardByte/Sunshine/pull/2300

v-evets commented 1 month ago

AFAICT the only "right" approaches are a: Don't use appimage or b: Don't use funky permissions. i.e. AppImageKit/issues/881 Much the same applies regarding flatpak, e.g. flatpak/issues/3858

You're trying to evade fairly sensible security restrictions, with both packaging formats and the use of cap_sys_admin in general. This is going to keep causing problems.

ReenigneArcher commented 1 month ago

Would be nice to not have to use setcap, but our current wayland implementation requires it (X11 doesn't). You're welcome to submit a PR migrating wayland to the new flavor of desktop capture. https://github.com/LizardByte/Sunshine/issues/2955#issuecomment-2285259062
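
A preflight check for the failure reported at the top of this thread, as an added example that is not part of the issue or of Sunshine's code: it looks up the mount containing a binary and lists the reasons `setcap` on it would fail or have no effect. The mount table lines, the `EXAMPL` mount suffix and the function names are constructed for illustration, and the `nosuid` check goes beyond the two errors shown in the report.

```sh
# Added example (not Sunshine project code). Reports why setting file
# capabilities on TARGET would fail, based on the mount that contains it.
# Usage: setcap_blockers TARGET [MOUNTS_FILE]   (default: /proc/mounts)
setcap_blockers() {
    target=$1
    mounts=${2:-/proc/mounts}
    awk -v path="$target" '
        {
            mp = $2
            # Keep the longest (and latest) mount point that prefixes the path.
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) >= best_len) {
                    best_len = length(mp); fstype = $3; opts = "," $4 ","
                }
            }
        }
        END {
            if (!best_len) { print "unknown"; exit }
            out = ""
            # FUSE without allow_other: only the mounting user may access it,
            # so root running setcap gets "Permission denied".
            if (fstype ~ /^fuse/ && opts !~ /,allow_other,/) out = out " fuse-owner-only"
            # Read-only mount: writing the capability xattr fails with EROFS.
            if (opts ~ /,ro,/ || fstype == "squashfs") out = out " read-only"
            # nosuid: file capabilities are not honored at exec, even if set.
            if (opts ~ /,nosuid,/) out = out " nosuid"
            sub(/^ /, "", out)
            print (out == "" ? "none" : out)
        }
    ' "$mounts"
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
sunshine.AppImage /tmp/.mount_sunshiEXAMPL fuse.sunshine.AppImage ro,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}

demo=$(mktemp) && sample_mounts > "$demo"
setcap_blockers /tmp/.mount_sunshiEXAMPL/usr/bin/sunshine "$demo"
setcap_blockers /usr/bin/sunshine "$demo"
rm -f "$demo"
```

Called with only a path, the function reads the live `/proc/mounts`; mount points containing spaces (escaped as `\040` there) are not handled.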