NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

SUID sandbox helper breaks packages in Single User Installation #121694

Open rkoe opened 3 years ago

rkoe commented 3 years ago

Describe the bug

When using Nix as "Single User Installation", the SUID sandbox helpers break packages, e.g. Chromium.

SUID sandbox helpers do not make any sense when using Nix as "Single User Installation", and should be fixed/ignored there.

Example:

$ chromium
...:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/jp4jzpbnbsyb748vrqqxablf9sgspr5q-chromium-90.0.4430.93-sandbox/bin/__chromium-suid-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

To Reproduce

Steps to reproduce the behavior:

  1. Install Nix as "Single User Installation"
  2. Install Chromium (nix-env -iA nixpkgs.chromium)
  3. Try to start Chromium

Notify maintainers @primeos @thefloweringash @bendlas

Metadata

primeos commented 3 years ago

Huh, that's strange. IIRC it should only be used as a fallback so I assume you're on a system with user namespaces disabled (on Debian-based systems there's the sysctl kernel.unprivileged_userns_clone).

Personally I'd like to drop the legacy/deprecated SUID sandbox helper binary entirely but AFAIK it would still break some NixOS setups (e.g. for users of a hardened kernel).

Anyway, there are probably three options but all come with security implications:

The sandboxing can be verified via chrome://sandbox/.

As for the Nixpkgs packaging: We should likely remove the following two lines:

https://github.com/NixOS/nixpkgs/blob/2b76957b3954318904d1cacd0bff9d16bba9169c/pkgs/applications/networking/browsers/chromium/default.nix#L180-L181

That always refers to a Nix store path so I think this fallback should never actually work.

giggio commented 4 months ago

I'm getting the same error. See #308128. It also affects youtube-music. Also, and it seems related, ping fails with `ping: Lacking privilege for icmp socket` unless I change its permission bits.

My kernel.unprivileged_userns_clone flag is already set to 1.

I'm running Ubuntu with home-manager.

In all these cases, if I set the permission bits to 4555 (with chmod 4555 <file>) they all work. They are initially set to 0555.

Any suggestions on how I could work around these problems?

camperboy1000 commented 4 months ago

Another standalone home-manager user here. I just updated my Ubuntu box from 23.10 -> 24.04 and am now running into this issue for Chromium and Slack (probably anything Chromium- or Electron-based). kernel.unprivileged_userns_clone is also already set to 1. Setting the permission of the SUID sandbox binary to 4555 does work around this for now.

I didn't have any issues when on Ubuntu 23.10, this only started happening after the upgrade to 24.04.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.0-31-generic, Ubuntu, 24.04 LTS (Noble Numbat), nobuild`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.21.2`
 - nixpkgs: `/nix/store/7sn1rdxkdszc3mmqk61fhf3vmvakqnhb-source`

giggio commented 4 months ago

@camperboy1000 I'm also on 24.04.

mcpeanutbutter commented 4 months ago

> I'm getting the same error. See #308128. It also affects youtube-music. Also, and it seems related, ping fails with `ping: Lacking privilege for icmp socket` unless I change its permission bits.
>
> My kernel.unprivileged_userns_clone flag is already set to 1.
>
> I'm running Ubuntu with home-manager.
>
> In all these cases, if I set the permission bits to 4555 (with chmod 4555 <file>) they all work. They are initially set to 0555.
>
> Any suggestions on how I could work around these problems?

I'm experiencing the same issues. Affected programs are the Brave browser and Obsidian. I'm running a fresh system with Kubuntu 24.04 (haven't tried 23.10). kernel.unprivileged_userns_clone is 1, which was the default value.

 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.0-31-generic, Ubuntu, 24.04 LTS (Noble Numbat), nobuild`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.21.2`
 - nixpkgs: `/nix/store/fjs1x9gz2n1dvjqcyyl6qsw110qxc2zn-source`

giggio commented 4 months ago

It looks like this is related to apparmor being enabled by default on Ubuntu 24.04.

Workaround: for one session, do:

echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns

This works until the next reboot, I have tried it and it fixes the problems we are having.

They mention a permanent way to disable it, which is how it was before 24.04:

> Disable this restriction using a persistent setting by adding a new file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following contents: kernel.apparmor_restrict_unprivileged_userns=0

Read more: https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
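A small diagnostic for the two conditions this thread converges on, added here as an example and not part of nixpkgs or Chromium: whether the host still allows unprivileged user namespaces (the two sysctls named above) and, if not, whether the fallback helper is root-owned with the setuid bit, which is what the `setuid_sandbox_host.cc` error demands. It assumes GNU `stat` and takes the helper path from the caller.

```shell
#!/bin/sh
# Diagnose why a Chromium/Electron SUID sandbox helper is refused on a
# non-NixOS host. Added example, not nixpkgs code. Sysctl paths are the
# ones discussed in this issue; the helper path is passed by the caller.

# Pure check: does a helper with owner uid $1 and octal mode $2 satisfy
# Chromium's requirement (owned by root, setuid bit set)? Mode 4755 is
# what the error message asks for; 4555 (the thread's workaround) also
# carries the setuid bit, so both pass.
sandbox_helper_ok() {
    uid=$1; mode=$2
    [ "$uid" = 0 ] || return 1
    case "$mode" in
        4???|5???|6???|7???) return 0 ;;   # leading digit has the 4 (setuid) bit
        *) return 1 ;;
    esac
}

# Returns 0 if unprivileged user namespaces look usable (so the SUID
# helper should never be needed), 1 if a known restriction is active.
userns_allowed() {
    clone=/proc/sys/kernel/unprivileged_userns_clone
    aa=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$clone" ] && [ "$(cat "$clone")" = 0 ]; then
        echo "user namespaces disabled: $clone=0"; return 1
    fi
    if [ -r "$aa" ] && [ "$(cat "$aa")" = 1 ]; then
        echo "AppArmor restricts unprivileged user namespaces: $aa=1"; return 1
    fi
    return 0
}

# Full check for one helper binary, e.g. .../chromium-*-sandbox/bin/__chromium-suid-sandbox
check_sandbox_helper() {
    helper=$1
    if userns_allowed; then
        echo "user namespaces available; the SUID helper should not be needed"
    fi
    if [ ! -e "$helper" ]; then echo "no such file: $helper"; return 1; fi
    set -- $(stat -c '%u %a' "$helper")    # GNU stat: "<uid> <octal mode>"
    if sandbox_helper_ok "$1" "$2"; then
        echo "helper usable as fallback (uid $1, mode $2)"
    else
        echo "helper NOT usable: uid $1, mode $2 (needs root owner and setuid bit)"
        return 1
    fi
}
```

A helper freshly installed from the Nix store into a single-user install shows up here as uid != 0 with mode 555, which is exactly the state the error message describes.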

giggio commented 1 month ago

I'm back. I just updated my Ubuntu 24.04 and I'm having the problems again. My settings did not change, as we have discussed in the issue, but the problem is happening again. If anyone has a way to fix it this time, please let us know.

buzmeg commented 2 weeks ago

Can confirm that I am seeing the same thing after updating to Ubuntu 24.04. For me the failing program is codium.

$ codium --verbose
[39172:0924/234538.836078:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/abha8v0h5rj1gjx0pr9g3y85s50rrnj3-vscodium-1.93.1.24256/lib/vscode/chrome-sandbox is owned by root and has mode 4755.