heyman / heynote

A dedicated scratchpad for developers
https://heynote.com

Bug: chrome-sandbox owner and mode #231

Open truemoroz opened 2 months ago

truemoroz commented 2 months ago

Describe the bug
Cannot run Heynote on Kubuntu 24.04

To Reproduce
Steps to reproduce the behavior:

~/dist/Heynote_1.7.0_x86_64.appimage
[19821:0529/124154.856511:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_HeynotNXMb1x/chrome-sandbox is owned by root and has mode 4755.

Expected behavior
To be able to start app

Additional context
Here's how you can run the AppImage with the --no-sandbox option: Heynote_1.6.0_x86_64.appimage --no-sandbox

Please note that this is a temporary workaround and not a permanent solution. The best course of action would be to contact the maintainers of the AppImage and ask them to fix the issue.

heyman commented 2 months ago

I don't run desktop Linux myself, but some quick googling suggests two workarounds (https://github.com/electron/electron/issues/17972):

  1. Starting the AppImage with --no-sandbox
  2. sysctl kernel.unprivileged_userns_clone=1 (I don't know the impact of this, but it sounds like it might make the system less secure)

If anyone knows how this can be fixed in Heynote, I'd be happy to merge such a fix.

heyman commented 2 months ago

Could you try the following build and see if it fixed the problem?

https://github.com/heyman/heynote/actions/runs/9282799617/artifacts/1547452521

heyman commented 2 months ago

Would you mind testing the build I made for you @truemoroz and see if it fixes it (it's this branch: https://github.com/heyman/heynote/tree/suid-sandbox-fix)?

truemoroz commented 2 months ago

./Heynote_1.7.0_x86_64.AppImage
[217518:0605/114039.689536:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_Heynot1MCJ1Q/chrome-sandbox is owned by root and has mode 4755.
[1]    217518 trace trap (core dumped)  ./Heynote_1.7.0_x86_64.AppImage

I have the same error

heyman commented 2 months ago

Okay 🙁, then I would probably need a Linux desktop machine where I could reproduce it in order to debug it.

Thanks for checking!

rambit commented 1 month ago

It is a generic issue and not only Heynote. I get the same error with theia-ide.org AppImage. My kernel.unprivileged_userns_clone was already 1, as can be checked with sysctl kernel.unprivileged_userns_clone, as mentioned on https://docs.appimage.org/user-guide/troubleshooting/electron-sandboxing.html

The error says: "You need to make sure that /tmp/.mount_HeynotNXMb1x/chrome-sandbox is owned by root and has mode 4755." But that mount folder is created when you run the app, so I guess it means that /tmp needs those permissions.

https://askubuntu.com/a/1512419 mentions a solution where you set nosuid on /tmp in fstab. As I was upgrading to Ubuntu 24.04 from 23.10 it makes me wonder if the update forgets to update permissions for /tmp which a fresh install might do when creating it?
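
Added example, not part of any comment above and not Heynote or Electron code: a shell sketch that checks the three conditions this thread discusses, namely the helper's owner and mode from the error message, a nosuid option on the mount holding it, and the kernel.unprivileged_userns_clone sysctl. The function names are hypothetical, and GNU stat and util-linux findmnt are assumed.

```shell
#!/bin/sh
# Diagnostic sketch; function names are hypothetical (not from Heynote/Electron).

# Print one line per problem with the SUID helper at $1; print nothing when it
# matches what the error message demands (owner root, mode 4755).
check_sandbox_helper() {
    helper=$1
    [ -e "$helper" ] || { echo "missing: $helper"; return 1; }
    # GNU stat: %u = numeric owner uid, %a = octal mode incl. the setuid bit
    set -- $(stat -c '%u %a' "$helper")
    rc=0
    [ "$1" = "0" ] || { echo "owner: uid $1, expected 0 (root)"; rc=1; }
    [ "$2" = "4755" ] || { echo "mode: $2, expected 4755"; rc=1; }
    return $rc
}

# Succeed if the comma-separated mount option string $1 contains nosuid,
# in which case the kernel ignores the setuid bit on that filesystem.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mount options of the filesystem holding $1 (assumes util-linux findmnt).
mount_opts_for() {
    findmnt -n -o OPTIONS -T "$1" 2>/dev/null
}

# Value of the sysctl named in the thread, or "absent" on kernels without it.
userns_clone() {
    cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo absent
}

# Usage: sh check.sh <path to chrome-sandbox taken from the error message>
if [ -n "$1" ]; then
    check_sandbox_helper "$1" || :
    if has_nosuid "$(mount_opts_for "$1")"; then
        echo "mount: nosuid is set, so the setuid bit has no effect here"
    fi
    echo "kernel.unprivileged_userns_clone: $(userns_clone)"
fi
```

Run it while the AppImage is still mounted, passing the chrome-sandbox path printed in the error. FUSE mounts created by an unprivileged user, which is how an AppImage normally mounts itself under /tmp, are usually mounted nosuid, so the mount line is the one to look at first.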